[kea-dev] Kea - root privileges and security ?
Francis Dupont
fdupont at isc.org
Thu Oct 1 15:44:07 UTC 2015
"Chaigneau, Nicolas" writes:
> It has been pointed out to me that Kea being executed with root privileges might cause security vulnerabilities.
> I believe this to be a valid concern, but I'm not sure if there is much we can do about this.
>
> I understand that a DHCP server needs root privileges for a number of actions: to open / use raw sockets, bind on privileged ports 67 / 68, and maybe more.
=> yes, a DHCP server must have privileges at least at startup.
> I was wondering if it could be feasible for the process to drop its root privileges (through seteuid ?), and only restore them when it actually needs them.
=> it is possible to drop them but not to restore them (if you can restore
a privilege it was not really dropped).
> Maybe this doesn't make sense. Probably it would be complicated.
> In any case, I'd like to hear your opinion on the matter. :)
=> there are some attempts for a finer privilege control than root user
but IMHO they are more for a shared computer than what we have
(and only have in the future), i.e., a dedicated virtual machine.
So my opinion is that there are a lot of better places where one
should put money and/or man power to improve the security.
> For example, CMU's dhcpd (not ISC's !) seems to implement such a feature (see "running as an unprivileged user"):
> https://www.net.princeton.edu/software/dhcpd/dhcpd.8.html
> (note that I don't know anything about their product, except what I've read from their documentation)
=> it is not a real security feature because of:
"Note that while this feature makes it less convenient to exploit the
server's root privileges if there are any bugs present in the server,
it does not provide complete protection, since the server still retains
a real uid of root."
in fact it is more a measure to limit side effects of bugs.
Regards
Francis Dupont <fdupont at isc.org>
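Added illustration of the point made above (not code from this thread or from Kea): a drop via setuid() as root changes the real, effective and saved uid together and cannot be undone, whereas seteuid() alone keeps a real/saved uid of 0 that can be switched back to. The uid/gid 65534 is a placeholder for an unprivileged service account; the drop itself only does anything when started as root.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Model of the uid triple: a drop is only real when real, effective AND
 * saved uid are all non-root. seteuid() from root gives (0, uid, 0), which
 * is the "still retains a real uid of root" case from the CMU man page. */
int drop_is_permanent(uid_t ruid, uid_t euid, uid_t suid)
{
    return ruid != 0 && euid != 0 && suid != 0;
}

/* Permanently become uid/gid. Must be called while still root, after the
 * privileged setup (raw socket, bind on 67) is done. Returns 0 or -1/errno.
 * Groups go first: once the uid is dropped they can no longer be changed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) == -1) return -1;        /* clear supplementary groups */
    if (setgid(gid) == -1) return -1;               /* real+effective+saved gid */
    if (setuid(uid) == -1) return -1;               /* real+effective+saved uid (as root) */
    if (uid != 0 && seteuid(0) == 0) {              /* regaining root must now fail */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Probe whether root is genuinely gone: ids non-root and seteuid(0) refused. */
int running_unprivileged(void)
{
    if (getuid() == 0 || geteuid() == 0) return 0;
    if (seteuid(0) == 0) {          /* saved uid was still 0: only a seteuid()-style drop */
        seteuid(getuid());          /* put the effective uid back where it was */
        return 0;
    }
    return errno == EPERM;
}

int main(void)
{
    if (drop_privileges(65534, 65534) == -1) {  /* placeholder unprivileged uid/gid */
        perror("drop_privileges");
        return 1;
    }
    printf("root permanently dropped: %d\n", running_unprivileged());
    return 0;
}
```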