Documentation updates.
This commit is contained in:
parent
74ad01a086
commit
8a9fbb6f09
45
README
45
README
@ -5,7 +5,6 @@ Requirements:
|
|||||||
|
|
||||||
Linux kernel
|
Linux kernel
|
||||||
GNU Make (tested: 3.82) or CMake (tested: 2.8)
|
GNU Make (tested: 3.82) or CMake (tested: 2.8)
|
||||||
libcap (available via ftp.kernel.org)
|
|
||||||
Ragel (tested: 6.7)
|
Ragel (tested: 6.7)
|
||||||
|
|
||||||
INTRODUCTION
|
INTRODUCTION
|
||||||
@ -13,22 +12,26 @@ INTRODUCTION
|
|||||||
|
|
||||||
ndhc is a multi-process, privilege-separated dhcp client. Each subprocess runs
|
ndhc is a multi-process, privilege-separated dhcp client. Each subprocess runs
|
||||||
with the minimal necessary privileges in order to perform its task. Currently,
|
with the minimal necessary privileges in order to perform its task. Currently,
|
||||||
ndhc consists of two subprocesses: the ndhc-master and ndhc-ifch.
|
ndhc consists of three subprocesses: the ndhc-master, ndhc-ifch, and
|
||||||
|
ndhc-sockd.
|
||||||
|
|
||||||
ndhc-master communicates with dhcp servers and handles the vagaries of the dhcp
|
ndhc-master communicates with dhcp servers and handles the vagaries of the dhcp
|
||||||
client protocol. It runs as a non-root user inside a chroot. ndhc retains
|
client protocol. It runs as a non-root user inside a chroot. ndhc runs as a
|
||||||
only the minimum necessary set of privileges required to perform its duties.
|
normal user with no special privileges and is restricted to a chroot that
|
||||||
These powers include the ability to bind to a low port, the ability to open a
|
contains nothing more than a domain socket filesystem object (if using syslog),
|
||||||
raw socket, and the ability to communicate on broadcast channels. ndhc holds
|
a urandom device node, and a null device node.
|
||||||
no other powers and is restricted to a chroot that contains nothing more than a
|
|
||||||
domain socket filesystem object (if using syslog), a urandom device node, and a
|
|
||||||
null device node.
|
|
||||||
|
|
||||||
ndhc-ifch handles interface change requests. It listens on a shared pipe for
|
ndhc-ifch handles interface change requests. It listens on a unix socket for
|
||||||
such requests. ndhc-ifch runs as a non-root user inside a chroot, and retains
|
such requests. ndhc-ifch runs as a non-root user inside a chroot, and retains
|
||||||
only the power to configure network interfaces. ndhc-ifch automatically forks
|
only the power to configure network interfaces. ndhc-ifch automatically forks
|
||||||
from ndhc-master to perform its job.
|
from ndhc-master to perform its job.
|
||||||
|
|
||||||
|
ndhc-sockd plays a similar role to ndhc-ifch, but it instead has the ability to
|
||||||
|
bind to a low port, the ability to open a raw socket, and the ability to
|
||||||
|
communicate on broadcast channels. ndhc communicates with ndhc-sockd
|
||||||
|
over a unix socket, and the file descriptors that ndhc-sockd creates are
|
||||||
|
passed back to ndhc over the unix socket.
|
||||||
|
|
||||||
ndhc fully implements RFC5227's address conflict detection and defense. Great
|
ndhc fully implements RFC5227's address conflict detection and defense. Great
|
||||||
care is taken to ensure that address conflicts will be detected, and ndhc also
|
care is taken to ensure that address conflicts will be detected, and ndhc also
|
||||||
has extensive support for address defense. Care is taken to prevent
|
has extensive support for address defense. Care is taken to prevent
|
||||||
@ -47,12 +50,14 @@ FEATURES
|
|||||||
--------
|
--------
|
||||||
|
|
||||||
Privilege-separated. ndhc does not run as root after initial startup, and
|
Privilege-separated. ndhc does not run as root after initial startup, and
|
||||||
capabilities are divided between the subprocesses. Both programs run in a
|
capabilities are divided between the subprocesses. All processes run in a
|
||||||
chroot.
|
chroot.
|
||||||
|
|
||||||
Robust. ndhc performs no runtime heap allocations -- malloc() is never called
|
Robust. ndhc performs no runtime heap allocations -- malloc() (more
|
||||||
(and neither is brk(), mmap(), etc), and ndhc never performs recursive calls
|
specifically, brk(), mmap(), etc) is never called after initialization (libc
|
||||||
and only stack-allocates fixed-length types, so stack depth is bounded, too.
|
behavior during initialization time will vary) , and ndhc never performs
|
||||||
|
recursive calls and only stack-allocates fixed-length types, so stack depth is
|
||||||
|
bounded, too.
|
||||||
|
|
||||||
Active defense of IP address and IP collision avoidance. ndhc fully implements
|
Active defense of IP address and IP collision avoidance. ndhc fully implements
|
||||||
RFC5227. It is capable of both a normal level of tenacity in defense, where
|
RFC5227. It is capable of both a normal level of tenacity in defense, where
|
||||||
@ -62,8 +67,7 @@ either mode, it rate-limits defense messages, so it can't be tricked into
|
|||||||
flooding by a hostile peer or DHCP server, either.
|
flooding by a hostile peer or DHCP server, either.
|
||||||
|
|
||||||
Small. Both ndhc avoids unnecessary outside dependencies and is written in
|
Small. Both ndhc avoids unnecessary outside dependencies and is written in
|
||||||
plain C. The only library used is libcap, as the raw raw kernel API for
|
plain C.
|
||||||
capabilities is not guaranteed to stay stable.
|
|
||||||
|
|
||||||
Fast. ndhc filters input using the BPF/LPF mechanism so that uninteresting
|
Fast. ndhc filters input using the BPF/LPF mechanism so that uninteresting
|
||||||
packets are dropped by the operating system before ndhc even sees the data.
|
packets are dropped by the operating system before ndhc even sees the data.
|
||||||
@ -108,6 +112,7 @@ USAGE
|
|||||||
b) Create new users "dhcpifch" and "dhcp". The primary group of these
|
b) Create new users "dhcpifch" and "dhcp". The primary group of these
|
||||||
users should be "ndhc".
|
users should be "ndhc".
|
||||||
|
|
||||||
|
# useradd -d /var/lib/ndhc -s /sbin/nologin -g ndhc dhcpsockd
|
||||||
# useradd -d /var/lib/ndhc -s /sbin/nologin -g ndhc dhcpifch
|
# useradd -d /var/lib/ndhc -s /sbin/nologin -g ndhc dhcpifch
|
||||||
# useradd -d /var/lib/ndhc -s /sbin/nologin -g ndhc dhcp
|
# useradd -d /var/lib/ndhc -s /sbin/nologin -g ndhc dhcp
|
||||||
|
|
||||||
@ -149,7 +154,7 @@ USAGE
|
|||||||
3) At this point the jail is usable; ndhc is ready to be used. An example
|
3) At this point the jail is usable; ndhc is ready to be used. An example
|
||||||
of invoking ndhc:
|
of invoking ndhc:
|
||||||
|
|
||||||
# ndhc -b -i wan0 -u dhcp -U dhcpifch -C /var/lib/ndhc -l /var/state/wan0.lease
|
# ndhc -i wan0 -u dhcp -U dhcpifch -D dhcpsockd -C /var/lib/ndhc -l /var/state/wan0.lease
|
||||||
|
|
||||||
4o) If you encounter problems, I suggest running ndhc in the foreground and
|
4o) If you encounter problems, I suggest running ndhc in the foreground and
|
||||||
examining the printed output.
|
examining the printed output.
|
||||||
@ -176,7 +181,7 @@ fail at start time before it performs any network activity or forks any
|
|||||||
subprocesses.
|
subprocesses.
|
||||||
|
|
||||||
If the host system lacks volatile storage, then a clientid should manually
|
If the host system lacks volatile storage, then a clientid should manually
|
||||||
be specified using the -c or --clientid command arguments.
|
be specified using the -I or --clientid command arguments.
|
||||||
|
|
||||||
RANDOMNESS NOTES
|
RANDOMNESS NOTES
|
||||||
----------------
|
----------------
|
||||||
@ -282,6 +287,10 @@ Quite a while later, I eventually merged ifchd into the same binary as
|
|||||||
ndhc and instead rely on forking subprocesses and using pipes for IPC. This
|
ndhc and instead rely on forking subprocesses and using pipes for IPC. This
|
||||||
brought a lot of simplifications, particularly for user configuration.
|
brought a lot of simplifications, particularly for user configuration.
|
||||||
|
|
||||||
|
Afterwards, privilege seperation was applied to the remaining capabilities,
|
||||||
|
creating the ndhc-sockd subprocess. After this change, the main ndhc
|
||||||
|
process runs completely unprivileged.
|
||||||
|
|
||||||
The end result is a modern DHCP client is largely RFC-compliant, except where
|
The end result is a modern DHCP client is largely RFC-compliant, except where
|
||||||
the RFCs dictate behavior that would be problematic, overly complex, useless,
|
the RFCs dictate behavior that would be problematic, overly complex, useless,
|
||||||
or exploitable. DHCP is poorly specified, and real-world servers and clients
|
or exploitable. DHCP is poorly specified, and real-world servers and clients
|
||||||
|
Loading…
x
Reference in New Issue
Block a user