Change Details

dhclient runs in capability mode, so its filesystem access is already restricted. Moreover, libutil keeps open a directory descriptor for the pidfile (/var/run by default). If kern.chroot_allow_open_directories is not set, this descriptor will cause the chroot to fail. To fix this, stop using chroot(), and store pidfiles under /var/run/dhclient/ instead to restrict the scope of libutil's descriptor. This is not perfect since different dhclient instances can still mess with each other's pidfiles despite the use of capability mode, but I don't think that this is a serious problem. Also stop removing rights from the pidfile descriptor after writing the PID. This interferes with pidfile_verify(), called from pidfile_close(). We already restrict rights to the pidfile somewhat in libutil; one possible follow-up enhancement would be remove the CAP_PWRITE and CAP_TRUNCATE rights in pidfile_write(). Of course, this would mean that pidfile_write() could only be called once, but that's most likely fine.

dhclient runs in capability mode, so its filesystem access is already restricted. Moreover, libutil keeps open a directory descriptor for the pidfile (/var/run by default). If kern.chroot_allow_open_directories is not set, this descriptor will cause the chroot to fail. To fix this, stop using chroot(), and store pidfiles under /var/run/dhclient/ instead to restrict the scope of libutil's descriptor. This is not perfect since different dhclient instances can still mess with each other's pidfiles despite the use of capability mode, but I don't think that this is a serious problem. Also stop removing rights from the pidfile descriptor after writing the PID. This interferes with pidfile_verify(), called from pidfile_close(). We already restrict rights to the pidfile somewhat in libutil; one possible follow-up enhancement would be drop the CAP_PWRITE and CAP_TRUNCATE rights in pidfile_write(). Of course, this would mean that pidfile_write() could only be called once, but that's most likely fine.

dhclient runs in capability mode, so its filesystem access is already restricted. Moreover, libutil keeps open a directory descriptor for the pidfile (/var/run by default). If kern.chroot_allow_open_directories is not set, this descriptor will cause the chroot to fail. To fix this, stop using chroot(), and store pidfiles under /var/run/dhclient/ instead to restrict the scope of libutil's descriptor. This is not perfect since different dhclient instances can still mess with each other's pidfiles despite the use of capability mode, but I don't think that this is a serious problem. Also stop removing rights from the pidfile descriptor after writing the PID. This interferes with pidfile_verify(), called from pidfile_close(). We already restrict rights to the pidfile somewhat in libutil; one possible follow-up enhancement would be removedrop the CAP_PWRITE and CAP_TRUNCATE rights in pidfile_write(). Of course, this would mean that pidfile_write() could only be called once, but that's most likely fine.