Community Packages

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#76215 - [kea] Add capabilities to allow running as non-root

Attached to Project: Community Packages
Opened by - (matoro) - Saturday, 15 October 2022, 17:33 GMT
Last edited by Toolybird (Toolybird) - Saturday, 15 October 2022, 20:38 GMT
Task Type Feature Request
Category Packages
Status Assigned
Assigned To Konstantin Gizdov (kgizdov)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

Description: The kea documentation suggests using the following capabilities on the /usr/bin/kea-dhcp{4,6} binaries in order to allow then to run without root privileges:

setcap 'cap_net_bind_service,cap_net_raw=+ep' /opt/kea/sbin/kea-dhcp4
setcap 'cap_net_bind_service=+ep' /opt/kea/sbin/kea-dhcp6

I'm currently accomplishing this with the following pacman hook:

[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = kea

[Action]
Description = Grant capabilities
Depends = libcap
When = PostTransaction
Exec = /usr/bin/env bash -c "/usr/bin/setcap 'cap_net_bind_service,cap_net_raw=+ep' /usr/bin/kea-dhcp4 && /usr/bin/setcap 'cap_net_bind_service=+ep' /usr/bin/kea-dhcp6"

Would appreciate if this were added to the official package in order to help increase security by reducing the number of daemons running as root which don't need to be!
This task depends upon

Comment by - (matoro) - Saturday, 15 October 2022, 20:11 GMT
Turns out this also requires AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW etc in the systemd services.
Comment by Konstantin Gizdov (kgizdov) - Wednesday, 25 January 2023, 23:18 GMT
Hey, sorry for the huge wait. This issue slipped my radar somehow. Do you mean add the same pacman hook in the package and update the systemd service files manually? Is there are a less manual solution to this? Possibly using a post_install() function?
Comment by loqs (loqs) - Thursday, 26 January 2023, 21:27 GMT
Changes based on the service files from Debian [1]. pacman/makepkg now support file capabilities, so if needed they can be added in the PKGBUILD. However I can not see Debian using them in their implementation.
LogsDirectory and LogsDirectoryMode not added as Arch with the default config logs to /var/log.
Edit:
@matoro are the changes apart from file capabilities similar to what you are using?

[1] https://sources.debian.org/src/isc-kea/2.2.0-1/
   PKGBUILD.diff (5.5 KiB)
Comment by Konstantin Gizdov (kgizdov) - Sunday, 05 February 2023, 19:46 GMT
Have you tested the PKGDIFF on a live Arch Linux? It seems fine for me to ship the changes as you propose but don't want to break things.
Comment by loqs (loqs) - Monday, 06 February 2023, 21:28 GMT
I missed adjusting KEA_PIDFILE_DIR in the last diff. This diff fixes that and moves logs from /var/log to /var/log/kea. I could have followed Debian and used KEA_LOGGER_DESTINATION=/var/log/kea but that is only intended for early logging before the config file is parsed [1]. Instead I changed the log file location in the config files. Such a change will involve manual intervention on existing systems where the config files have been adjusted.
I have tested that kea-dhcp4.service kea-dhcp6.service and kea-dhcp-ddns.service with a custom low port. All access restricted ports and for kea-dhcp4 kea-dhcp6 raw ports without issue.
What are your thoughts on other hardening options?
I would also wait for feedback from matoro.

[1] https://kea.readthedocs.io/en/kea-2.2.0/arm/logging.html#logging-during-startup
   PKGBUILD.diff (6.1 KiB)
Comment by Konstantin Gizdov (kgizdov) - Monday, 06 February 2023, 23:40 GMT
I think since this is probably gonna be started by systemd anyway, it's worth it setting KEA_LOGGER_DESTINATION=stdout, no?

Loading...