Opened 6 years ago

Last modified 4 years ago

#3423 new enhancement

Check if it is feasible for Kea4,Kea6 servers to drop privileges

Reported by: tomek Owned by:
Priority: medium Milestone: Outstanding Tasks
Component: dhcp4 Version: git
Keywords: Cc:
CVSS Scoring: Parent Tickets:
Sensitive: no Defect Severity: N/A
Sub-Project: DHCP Feature Depending on Ticket:
Estimated Difficulty: 0 Add Hours to Ticket: 0
Total Hours: 0 Internal?: no

Description

We originally had the following task written down:

Altering the DHCPv4 and DHCPv6 serves to drop privilege once they
are bound to privilege ports. (This was going to be done via the
socket creator, but that part of the BIND framework has gone away).

However, dropping privileges would be difficult if we want to do reconfiguration (which may cause the server to open new sockets).

Dropping privileges is not enough, we need a way to regain them if needed. If we need to make a choice, it seems that on-line reconfiguration is more sought after by ISC-DHCP users than dropping privileges. Of course, it would be preferable to have both capabilities.

Subtickets

Change History (6)

comment:1 Changed 6 years ago by tomek

sockcreator is written in C++, so we (Marcin and I) decided to keep it for now. It seems at least feasible that we will be using it.

We had a discussion about this and came to a conclusion that, while desired from security perspective, it complicates the setup. There will be users who want it and others who would complain about the additional complexity. Hence usage of the sockcreator must be optional.

Additional observation: sockcreator uses a file scriptor passing between processes. It supposedly works on as unices. However, it most likely will not work on Windows. Although we don't care at all about that platform for now, it is certainly possible that one day we will (dibbler, a DHCPv6 only server is running fine on Windows and has non-trivial user base there, so there's a need for open source DHCP server on Windows).

comment:2 Changed 6 years ago by tomek

  • Milestone changed from Kea-proposed to Kea1.0

comment:3 Changed 4 years ago by sar

  • Version set to git

In addition to handling the sockets the processes will also need to handle any files associated with the memfile backend. Most likely this means either adjusting the privileges before any attempts are made to create a file or adjusting the privileges on the file after it has been created.

I'm not sure which feature people would prefer - we hear about people desiring on-line reconfiguration but we already have privilege dropping in ISC DHCP so it isn't possible to tell which they would choose based on requests. I would guess that more people would want on-line reconfiguration but that for those that want privilege dropping it is a major requirement.

comment:4 Changed 4 years ago by marcin

  • Milestone changed from Kea1.0 to Kea1.1

Deferring from 1.0 as per 1.0 tickets scrub.

comment:5 Changed 4 years ago by tomek

  • Milestone changed from Kea1.1 to DHCP Outstanding Tasks

comment:6 Changed 4 years ago by tomek

  • Milestone changed from DHCP Outstanding Tasks to Outstanding Tasks

Milestone renamed

Note: See TracTickets for help on using tickets.