Bug 546765 - dhcp-4.1.0p1-capability.patch breaks /etc/dhcp/dhclient.d/*.sh scripts
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: dhcp
Version: 19
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Jiri Popelka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 597028
 
Reported: 2009-12-11 21:49 UTC by James Ralston
Modified: 2015-02-18 13:24 UTC (History)
CC List: 6 users

Fixed In Version: 4.1.1-5.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-18 13:24:57 UTC
Type: ---
Embargoed:


Attachments
Patch from Steve Grubb (3.60 KB, patch), 2010-02-02 12:21 UTC, Jiri Popelka
updated capabilities patch for dhclient (4.67 KB, patch), 2010-02-03 17:10 UTC, James Ralston

Description James Ralston 2009-12-11 21:49:08 UTC
The dhcp-4.1.0p1-capability.patch causes dhclient to remove all unnecessary capabilities, unconditionally in main() after startup:

#ifdef HAVE_LIBCAP_NG
        /* Drop capabilities */
        capng_clear(CAPNG_SELECT_BOTH);
        capng_updatev(CAPNG_ADD,
                        CAPNG_EFFECTIVE|CAPNG_PERMITTED|CAPNG_BOUNDING_SET,
                        CAP_NET_ADMIN, CAP_KILL, CAP_NET_RAW,
                        CAP_NET_BIND_SERVICE, -1);
        capng_apply(CAPNG_SELECT_BOTH);
#endif

Unfortunately, this patch severely breaks the ability of the scripts in /etc/dhcp/dhclient.d/* to perform necessary functions, such as restarting daemons.

Even when daemons can be successfully restarted, they are often crippled, because they do not have capabilities they need. A good example is ntpd, when it is running and restarted by /etc/dhcp/dhclient.d/ntp.sh:

2009-12-11T15:01:13.513244-05:00 farslayer ntpd[21534]: Cannot initgroups() to user `ntp': Operation not permitted

Other daemons cannot be restarted at all.  For example, I created a /etc/dhcp/dhclient.d/dnsmasq.sh, but it cannot send signals to the running dnsmasq process:

7512  kill(7329, SIGTERM)               = -1 EPERM (Operation not permitted)

The goal of ratcheting down the capabilities of dhclient is a good one, but dhclient *MUST* pass on full capabilities to /sbin/dhclient-script when it execve()'s it.

I haven't mucked around with capabilities for a while, but I think in essence you need to replace CAPNG_PERMITTED with CAPNG_INHERITABLE in the code above, and then call capng_fill(CAPNG_SELECT_CAPS) and capng_apply(CAPNG_SELECT_CAPS) just before calling execve() on /sbin/dhclient-script.

Comment 1 James Ralston 2009-12-11 22:14:21 UTC
Actually, my suggestion is wrong; you can't monkey with the bounding set, as that will prevent capng_fill from restoring all capabilities to the inheritable set.

And you can't use capng_clear() at all, because there's no way to tell it not to clear the inheritable set.

I think something like this:

#ifdef HAVE_LIBCAP_NG
	/* Drop capabilities */
	capng_updatev(CAPNG_DROP,
			CAPNG_EFFECTIVE|CAPNG_INHERITABLE,
			list_all_caps_but_the_ones_we_want_to_retain,
			-1);
	capng_apply(CAPNG_SELECT_CAPS);
#endif

Then later, in script_go():

#ifdef HAVE_LIBCAP_NG
		capng_fill(CAPNG_SELECT_CAPS);
		capng_apply(CAPNG_SELECT_CAPS);
#endif
		execve (scriptName, argv, envp);

...will do the right thing, but I haven't tested it.

Comment 2 James Ralston 2009-12-11 22:28:33 UTC
Doh. That should have been:

"And you can't use capng_clear() at all, because there's no way to tell it not
to clear the PERMITTED set."

Comment 3 Paul Blankenbaker 2009-12-11 23:12:01 UTC
I've found that if I back off the patch related to bug #517649 in the dhcp.spec file, it allows the /etc/dhcp/dhclient-exit-hooks script to be used as it was in the past.

Here is my crude work around to the problem:

Downloaded and installed source RPM:

 yumdownloader --source dhclient
 rpm -ivh dhcp*

Tweak the spec file by bumping the release number and commenting out
%patch23 -p1 in the dhclient section of the dhcp.spec file:

 # Drop unnecessary capabilities in dhclient (#517649)
 # %patch23 -p1

Built and installed the new dhclient RPM. After installing the new build of the dhclient, you should be able to use commands like the following in your /etc/dhcp/dhclient-exit-hooks script once again:

 #!/bin/bash
 [ "${new_domain_name}" != "" ] && domainname "${new_domain_name}";

Comment 4 James Ralston 2009-12-11 23:22:03 UTC
Removing the patch that drops capabilities will fix the problem, obviously.

But dropping unnecessary capabilities is a good thing. dhclient just needs to do it in such a way that it can execve() the dhclient-script with full capabilities.

Comment 5 David Cantrell 2009-12-11 23:23:56 UTC
Steve,

Adding you to the CC list for this bug because you provided the capabilities for dhclient back in August.  Looks like it's causing some issues for people now.

Comment 6 Steve Grubb 2009-12-14 14:52:06 UTC
I'm looking at this. Maybe we need a config option to disable dropping capabilities. When file based capabilities are enabled in the kernel it's either an all or none proposition. If you want tight confinement, you have to clear the bounding set so that child processes are crippled. Otherwise an attacker just execs a child and they regain full capabilities which is no confinement.

Comment 7 Paul Blankenbaker 2009-12-15 14:00:12 UTC
Using the configuration option, would it work in the following manner?

- dhclient binary restricts capabilities initially

- If /sbin/dhclient-script is present and dhclient configured to run /sbin/dhclient-script with full capabilities, then:

  - Temporarily lift capabilities restriction (is that possible?)
  - Invoke /sbin/dhclient-script
  - Restrict capabilities again after invoking the script

- Otherwise

  - Invoke /sbin/dhclient-script (if present) with restricted capabilities

The above would definitely work in our situation. We could configure dhclient to invoke /sbin/dhclient-script without the capabilities restriction in effect. This would allow us to do things like set the domainname to match the value returned by the DHCP server.

Whether or not you choose the default configuration to be to enable or disable these capabilities might be another matter. I'm not sure how many other users are impacted by running /sbin/dhclient-script with reduced capabilities. I'm guessing that most users impacted by the reduced capabilities will grumble about configuring the new option - but I'm sure they'll be able to figure it out.

Comment 8 Steve Grubb 2009-12-16 21:43:26 UTC
There is no way to temporarily lift capabilities. If there were, then all an attacker has to do is add that to their exploit.

Can these scripts get run at any point while a machine is up, or are they all run near the point in time when the daemon starts? If so, I could move the dropping capabilities.

If they get run at any point when the machine is up, would a command line option that could be put in /etc/sysconfig/dhclient be preferable over adding something to the config file? If the command line option is best, any suggestions/preferences for the name? --no-caps?

Comment 9 David Cantrell 2009-12-16 21:55:55 UTC
These scripts are run any time dhclient changes state.  REBIND, RENEW, and so on of the DHCP protocol states.

I think a command line option to dhclient is fine.  Given that dhclient uses short options only, I would like to see one that fits that naming style rather than adding --no-caps.  Well, I guess it's sort of short options.  It has things like -cf, for instance.  Maybe "-nc".

Comment 10 James Braid 2010-01-27 16:42:09 UTC
This capabilities patch also breaks setting the hostname via DHCP - which is part of the standard /sbin/dhclient-script. sethostname(2) wants CAP_SYS_ADMIN or it fails.

The error during boot/ifup is "hostname: you must be root to change the host name" - hopefully that helps other people find this bug (it took us a good few hours to get to the bottom of it)

For the moment we have just reverted this patch locally to get a working dhclient... it would be nice to get a proper fix for this.

Comment 11 Steve Grubb 2010-01-30 13:33:04 UTC
I tried to attach a patch, but the gvfs stat bug locks up firefox every time. I emailed an updated patch to the package maintainer that adds CAP_SYS_ADMIN. Thanks for the bug report.

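The capability arithmetic this thread keeps coming back to (the four-capability set kept by the patch quoted in the description, Steve Grubb's point in comment 6 that a cleared bounding set also confines whatever dhclient execs, and the CAP_SYS_ADMIN that sethostname(2) needs per comment 10), as an added example that is not part of the bug report, the capability patch or the dhcp package. It decodes the CapInh/CapPrm/CapEff/CapBnd masks from /proc/<pid>/status and applies the execve() rule from capabilities(7) for a uid-0 process running a file that carries no file capabilities. The sample status text is constructed, not captured from a real dhclient, and the mask with CAP_SYS_ADMIN added is only an assumption about what the updated patch retains, since that patch is not reproduced here.

```python
"""Decode Linux capability masks and predict what a root-owned child
inherits across execve(). Added example for bug 546765; not code from
the dhcp package or from the capability patch under discussion."""
import re
import sys

# Bit numbers from <linux/capability.h> up to CAP_MAC_ADMIN (33); any
# higher bit that a newer kernel reports is printed as CAP_<n>.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP", 32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN",
}
CAP_BITS = {name: bit for bit, name in CAP_NAMES.items()}

# The set the patch in the description keeps: CAP_NET_ADMIN, CAP_KILL,
# CAP_NET_RAW, CAP_NET_BIND_SERVICE.
PATCH_RETAINED = ("CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_NET_ADMIN", "CAP_NET_RAW")


def mask_from_names(names):
    """Build a capability mask from capability names."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BITS[name]
    return mask


def decode(mask):
    """Expand a mask into capability names, lowest bit first."""
    names, bit = [], 0
    while mask >> bit:
        if mask & (1 << bit):
            names.append(CAP_NAMES.get(bit, "CAP_%d" % bit))
        bit += 1
    return names


def has_cap(mask, name):
    return bool(mask & (1 << CAP_BITS[name]))


_CAP_LINE = re.compile(r"^(CapInh|CapPrm|CapEff|CapBnd):[ \t]*([0-9a-fA-F]+)[ \t]*$", re.M)


def parse_proc_status(text):
    """Return the four capability sets from the text of /proc/<pid>/status."""
    found = {key: int(value, 16) for key, value in _CAP_LINE.findall(text)}
    missing = {"CapInh", "CapPrm", "CapEff", "CapBnd"} - set(found)
    if missing:
        raise ValueError("status text lacks %s" % ", ".join(sorted(missing)))
    return found


def caps_after_root_exec(inheritable, bounding):
    """Permitted (and effective) set of a uid-0 process after execve() of a
    file with no file capabilities. capabilities(7) gives
        P'(permitted) = (P(inh) & F(inh)) | (F(permitted) & P(bounding))
    and for root with no file caps the kernel treats F(inh) and
    F(permitted) as all-ones, so the child gets P(inh) | P(bounding).
    That is why clearing the bounding set confines dhclient-script as
    well, and why dhclient cannot hand the script anything it dropped."""
    return inheritable | bounding


# Constructed sample: what a dhclient confined to the patch's four
# capabilities would show in /proc/<pid>/status (0x3420 = bits 5,10,12,13).
SAMPLE_DHCLIENT_STATUS = """\
Name:\tdhclient
State:\tS (sleeping)
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000000000003420
CapEff:\t0000000000003420
CapBnd:\t0000000000003420
"""


def report(status_text):
    """What the process holds, and what a root-owned dhclient-script
    exec'd from it would hold, including the capabilities the thread's
    failures need: CAP_KILL (kill), CAP_SETGID (initgroups/setgroups),
    CAP_SYS_ADMIN (sethostname)."""
    st = parse_proc_status(status_text)
    child = caps_after_root_exec(st["CapInh"], st["CapBnd"])
    return {
        "process_effective": decode(st["CapEff"]),
        "child_after_exec": decode(child),
        "child_lacks": [n for n in ("CAP_KILL", "CAP_SETGID", "CAP_SYS_ADMIN")
                        if not has_cap(child, n)],
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open("/proc/%s/status" % sys.argv[1]) as handle:
            text = handle.read()
    else:
        text = SAMPLE_DHCLIENT_STATUS
    for key, value in report(text).items():
        print("%-18s %s" % (key, ", ".join(value) or "(none)"))
```

Run it with the PID of a live dhclient as the only argument to see what the script it execs will receive; with no argument it decodes the constructed sample, which shows the exec'd script keeping CAP_KILL but lacking CAP_SETGID and CAP_SYS_ADMIN. Adding CAP_SYS_ADMIN to the retained set fixes the hostname case but not a restarted daemon's initgroups(), which is the gap the -nc option leaves to the administrator.
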
Comment 12 Jiri Popelka 2010-02-02 12:21:10 UTC
Created attachment 388279
Patch from Steve Grubb

Comment 13 James Ralston 2010-02-03 17:10:03 UTC
Created attachment 388567
updated capabilities patch for dhclient

This is an improvement over the patch in comment 12. Specifically:

- the dhclient(8) man page now documents the -nc option

- if dhclient wasn't compiled with libcap-ng support, instead of treating the -nc option as an invalid option, silently ignore it.

Comment 14 Jiri Popelka 2010-02-03 17:55:15 UTC
Thanks James.
Will be in dhcp-4.1.1-3.fc12

Comment 15 James Ralston 2010-02-03 22:15:52 UTC
No problem, Jiri.

You might want to ask the initscripts folks if they have a "blessed" way of passing the "-nc" argument to dhclient.

Based on my read of the /etc/sysconfig/network-scripts/* files, simply putting this line in (e.g.) /etc/sysconfig/network-scripts/ifcfg-eth0 should do it:

    DHCLIENTARGS=-nc

This should work, because /etc/sysconfig/network-scripts/ifup-eth only ever appends to $DHCLIENTARGS, like this:

    DHCLIENTARGS="${DHCLIENTARGS} ${ONESHOT} -q ${DHCLIENTCONF}"

That is; ifup-eth0 never sets DHCLIENTARGS absolutely.

But /usr/share/doc/initscripts-9.02.1/sysconfig.txt doesn't document DHCLIENTARGS as a supported option, which means they might break it sometime in the future...

At any rate, I'll test this myself when dhcp-4.1.1-3.fc12 hits updates-testing.

Comment 16 Fedora Update System 2010-02-05 01:41:45 UTC
dhcp-4.1.1-3.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update dhcp'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0928

Comment 17 Fedora Update System 2010-02-09 05:10:00 UTC
dhcp-4.1.1-5.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update dhcp'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0928

Comment 18 Fedora Update System 2010-02-11 14:44:45 UTC
dhcp-4.1.1-5.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Bill Nottingham 2010-02-16 21:52:56 UTC
Does this means that dhclient *out of the box* now breaks existing features unless the user adds more flags? That's incredibly broken, if so.

Comment 20 Bill Nottingham 2010-02-16 21:56:16 UTC
Confirmed, reopening. The ypbind script, at least, is broken.

Comment 21 Jim Snyder 2010-09-28 19:12:27 UTC
I'd like to add a(nother) user's perspective.

I upgraded (fresh install) from FC10 to FC13 in July. I turned off Network Manager.

My FC10 firewall script was /etc/dhclient-exit-hooks. I copied the script over to FC13.

Imagine my surprise when I turned on the network and found myself without a firewall.

Imagine my surprise when I realized that even with my script in /etc/dhcp I didn't have a firewall.

I haven't spent a *lot* of time browsing Fedora docs, but some ... and I found this bug report.

Comment 22 Bug Zapper 2010-11-04 03:35:11 UTC
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 23 Fedora End Of Life 2012-08-16 21:39:51 UTC
This message is a notice that Fedora 14 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 14. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 14 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 24 Fedora End Of Life 2013-04-03 19:53:22 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 25 Fedora End Of Life 2015-01-09 21:41:31 UTC
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 26 Fedora End Of Life 2015-02-18 13:24:57 UTC
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

