From mboxrd@z Thu Jan 1 00:00:00 1970 From: Arne Fitzenreiter <arne_f@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] dhcpcd: create dhcpcd user and chroot folder Date: Sun, 19 Apr 2020 19:18:04 +0200 Message-ID: <20200419171804.2471-1-arne_f@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6057620203729095068==" List-Id: <development.lists.ipfire.org> --===============6057620203729095068== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable dhcpcd 9.x adds privilege separation by creating a chroot and running parts of the client not as root. Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> --- config/etc/group | 1 + config/etc/passwd | 1 + src/initscripts/system/mountkernfs | 5 +++++ 3 files changed, 7 insertions(+) diff --git a/config/etc/group b/config/etc/group index 4855214be..f1767b30c 100644 --- a/config/etc/group +++ b/config/etc/group @@ -20,6 +20,7 @@ dip:x:40: ftp:x:45: rsyncd:x:48: stunnel:x:51: +dhcpcd:x:52: lock:x:54: sshd:x:74: pcap:x:77: diff --git a/config/etc/passwd b/config/etc/passwd index 7893b43c9..cb0428085 100644 --- a/config/etc/passwd +++ b/config/etc/passwd @@ -7,6 +7,7 @@ ntp:x:38:38::/etc/ntp:/bin/false ftp:x:45:45:anonymous_user:/home/ftp:/bin/false rsyncd:x:48:48:rsyncd Daemon:/home/rsync:/bin/false stunnel:x:51:51:stunnel Daemon:/var/lib/stunnel:/bin/false +dhcpcd:x:52:52:dhcpcd privsep user:/run/dhcpcd/chroot:/bin/false sshd:x:74:74:sshd:/var/empty:/bin/false nobody:x:99:99:Nobody:/home/nobody:/bin/false postfix:x:100:100::/var/spool/postfix:/bin/false diff --git a/src/initscripts/system/mountkernfs b/src/initscripts/system/moun= tkernfs index f7be82d01..f0bfc5289 100644 --- a/src/initscripts/system/mountkernfs +++ b/src/initscripts/system/mountkernfs 
@@ -34,6 +34,11 @@ case "${1}" in mount -n -t tmpfs -o nosuid,nodev,mode=3D755,size=3D8M /run /run || faile= d=3D1 fi =20 + # create folder for dhcpcd changeroot + mkdir -p /run/dhcpcd/chroot + chown dhcpcd:dhcpcd /run/dhcpcd/chroot + chmod 750 /run/dhcpcd/chroot + boot_mesg "" ${NORMAL} =20 (exit ${failed}) --=20 2.17.1 --===============6057620203729095068==--
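Review bot: in the config/etc/passwd hunk, the home field /run/dhcpcd/chroot duplicates the path that the mountkernfs hunk creates, and nothing in either file says the two must stay identical. A short comment next to the mkdir naming the passwd entry as the source of the path would keep a later change to one from silently leaving the other behind. The commit message could also state that /run is a tmpfs, so this home directory does not exist until mountkernfs has run.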
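Review bot: in the src/initscripts/system/mountkernfs hunk, "chown dhcpcd:dhcpcd /run/dhcpcd/chroot" followed by "chmod 750" makes the chroot directory writable by the same unprivileged user that is confined to it. If dhcpcd does not have to create files there, "chown root:dhcpcd" with mode 750 keeps the directory enterable through the group bits while the privsep process cannot write into its own root. The three new commands also do not append "|| failed=1" the way the mount line directly above them does, so a failing mkdir, chown or chmod still ends in a successful "(exit ${failed})"; a missing dhcpcd user, for example, would go unreported at boot.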