Based on Marc's review, I won't be including this patch.
The cost of maintaining that patch isn't justified by the close to non-existent
added security. Our AppArmor profile does a good job at
restricting what dhclient can do in a much better way than this patch.
As pointed out by Marc, the binary has access to CAP_DAC_OVERRIDE and
CAP_SYS_ADMIN, basically allowing it to escalate back to full root by
just setting the SUID bit on an executable.
** Changed in: isc-dhcp (Ubuntu)
Status: Confirmed => Won't Fix
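As an added example (not part of the bug thread or of isc-dhcp), the following script decodes the `CapEff:` mask from `/proc/<pid>/status` and reports which of the retained capabilities are root-equivalent, which is the check behind Marc's objection: a dhclient that still holds CAP_DAC_OVERRIDE and CAP_SYS_ADMIN has not meaningfully dropped privilege. The sample status excerpt is constructed, and the root-equivalent set beyond the two capabilities named in the comment is the editor's list.

```python
"""Decode a process's effective capability mask and flag root-equivalent bits."""
from pathlib import Path

# Linux capability bit numbers in kernel order (see capabilities(7)).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The two capabilities the bug comment names, plus others widely treated as
# root-equivalent (editor's list, not taken from the bug report).
ROOT_EQUIVALENT = {
    "CAP_SYS_ADMIN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_SETUID",
    "CAP_SETGID", "CAP_SETFCAP", "CAP_SYS_MODULE", "CAP_SYS_PTRACE",
    "CAP_SYS_RAWIO", "CAP_CHOWN", "CAP_FOWNER",
}

def cap_eff_from_status(status_text: str) -> int:
    """Return the CapEff mask (hex in /proc/<pid>/status) as an int."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")

def decode_caps(mask: int) -> list:
    """List capability names for every set bit, lowest bit first."""
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else f"CAP_{i}"
            for i in range(mask.bit_length()) if (mask >> i) & 1]

def root_equivalent_caps(mask: int) -> list:
    """Subset of the effective set that lets the process regain full root."""
    return [name for name in decode_caps(mask) if name in ROOT_EQUIVALENT]

def audit_pid(pid: int) -> list:
    """Read a live process's status file and return its root-equivalent caps."""
    return root_equivalent_caps(
        cap_eff_from_status(Path(f"/proc/{pid}/status").read_text()))

# Constructed sample: a daemon keeping its network caps plus the two from the comment.
SAMPLE_STATUS = "Name:\tdhclient\nCapEff:\t0000000000203402\n"

if __name__ == "__main__":
    mask = cap_eff_from_status(SAMPLE_STATUS)
    print("effective:", decode_caps(mask))
    print("root-equivalent:", root_equivalent_caps(mask))
```

Run `audit_pid(<pid of dhclient>)` on a live system to see whether the profile-confined process still carries either capability; an empty list is the result a real privilege drop should produce.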
https://bugs.launchpad.net/bugs/810946
Title:
dhclient should drop capabilities