# dhcpcd permissions bug?

## Cazzantonio

Hi all, I have this file here which I suppose is generated by dhcpcd:

```
heavensdoor ~ # ll /var/run/dhcpcd/resolv.conf/wlan0
-rw-rw-rw- 1 root root root 80 19 mag 17.07 /var/run/dhcpcd/resolv.conf/wlan0
```

As you see it's world-writeable and contains the dns settings obtained by dhcpcd. I don't know if it's a security problem since I don't exactly know what's using that file, but still, isn't it something weird? Is it a bug?

----------

## DONAHUE

http://it.wikipedia.org/wiki/Filesystem_Hierarchy_Standard

or

http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard

----------

## Cazzantonio

Are you implying that it should be world-writeable just because it's in /var/run ? Sorry, but there is no reason for this. It is a file that is storing the same information as resolv.conf, and the fact that anyone could change its content doesn't have a clear justification, even if that file isn't used by anyone (but then, why is it there?).

----------

## Cazzantonio

Actually it's a minor bug IMHO. There should be a line

```
chmod 644 "$resolv_conf_dir/$interface"
```

after line 114 in /lib/dhcpcd/dhcpcd-hooks/20-resolv.conf

From what I understood that file is used only by the function key_get_value() called by build_resolv_conf() in that file to build the list of dns servers (also merging .tail and .head files). Maybe it should be removed, but I'm leaving it there just in case.

It's strange, but it has been some years since the last time I was an active member of this forum, and I remember it was filled with much more competent people, and replies were quick and always meaningful... maybe it's only a wrong feeling...

----------

## Hu

There are still good people here, but replies may not come as fast. I did not see this thread until you had already posted your first response.

----------

## Cazzantonio

*Hu wrote:*

> There are still good people here, but replies may not come as fast. I did not see this thread until you had already posted your first response.

Sorry, I'm not speaking about you and I believe there are still many competent people. I was simply a bit surprised by the first guy coming here and posting a link to the wikipedia page of FHS (which looks like a RTFM referring to the wrong manual... :Laughing: )

----------

## Hu

*Cazzantonio wrote:*

> Sorry, I'm not speaking about you and I believe there are still many competent people. I was simply a bit surprised by the first guy coming here and posting a link to the wikipedia page of FHS (which looks like a RTFM referring to the wrong manual... )

I knew the remark was not directed specifically at me, but I wanted to point out that we do have people who read and try to give good answers. DONAHUE has been quite helpful with many people having kernel boot issues, so I suspect he may have been rushed or misunderstood your query, because FHS definitely is not relevant to this specific file. :Smile:

Oddly, my corresponding file for a wired network has mode 640.  However, I am running stable, so I might be behind on versions relative to what you have installed.  Could you share the output of emerge --info ; emerge --pretend --verbose net-misc/dhcpcd sys-apps/baselayout sys-apps/openrc?

```
-rw-r----- 1 root root 101 2011-04-25 20:46 eth0
```

----------

## Cazzantonio

```
heavensdoor ~ # emerge --info ; emerge -pv dhcpcd baselayout openrc
Portage 2.1.9.42 (default/linux/amd64/10.0/desktop, gcc-4.5.2, libc-0-r0, 2.6.37-gentoo-r4 x86_64)

=================================================================

System uname: Linux-2.6.37-gentoo-r4-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P8600_@_2.40GHz-with-gentoo-2.0.2

Timestamp of tree: Sat, 21 May 2011 12:15:01 +0000

app-shells/bash:     4.1_p9

dev-lang/python:     2.7.1-r1, 3.1.3-r1

dev-util/cmake:      2.8.4

sys-apps/baselayout: 2.0.2

sys-apps/openrc:     0.8.2-r1

sys-apps/sandbox:    2.4

sys-devel/autoconf:  2.13, 2.65-r1

sys-devel/automake:  1.11.1

sys-devel/binutils:  2.20.1-r1

sys-devel/gcc:       4.5.2

sys-devel/gcc-config: 1.4.1-r1

sys-devel/libtool:   2.2.10

sys-devel/make:      3.81-r2

sys-kernel/linux-headers: 2.6.36.1

sys-libs/glibc:      2.12.2

virtual/os-headers:  0

ACCEPT_KEYWORDS="amd64"

ACCEPT_LICENSE="freedist @FREE"

CBUILD="x86_64-pc-linux-gnu"

CFLAGS="-march=core2 -mcx16 -msahf -msse4.1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=3072 -mtune=generic -O2 -pipe"

CHOST="x86_64-pc-linux-gnu"

CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"

CXXFLAGS="-march=core2 -mcx16 -msahf -msse4.1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=3072 -mtune=generic -O2 -pipe"

DISTDIR="/var/pkg/distfiles"

FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages metadata-transfer news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"

FFLAGS=""

GENTOO_MIRRORS="http://mirror.switch.ch/ftp/mirror/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ ftp://mirror.switch.ch/mirror/gentoo/"

LANG="it_IT.UTF-8"

LC_ALL="it_IT.UTF-8"

LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"

LINGUAS="it"

MAKEOPTS="-j3"

PKGDIR="/var/pkg/packages"

PORTAGE_CONFIGROOT="/"

PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/exclude_sync"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"

PORTAGE_TMPDIR="/var/tmp_portage"

PORTDIR="/var/portage"

PORTDIR_OVERLAY="/var/pkg/overlay"

SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"

USE="X a52 aac acl acpi alsa amd64 bash-completion berkdb branding bzip2 cairo caps cdr cli consolekit cracklib crypt cups cxx dbus dga djvu dri dts dv dvd dvdr emboss encode exif fam fbcon ffmpeg firefox flac foomaticdb fortran gdbm gdu gif gmp gnutls gpm gstreamer gtk iconv idn ieee1394 ipv6 jpeg latex lcms libnotify libsamplerate mad mmx modules mp3 mp4 mpeg mudflap multilib ncurses nls nptl nptlonly offensive ogg opengl openmp pam pango pch pcre pdf perl png policykit ppds pppd python readline session smp speex spell sqlite sse sse2 ssl startup-notification svg sysfs tcpd theora threads tiff truetype udev unicode usb v4l2 vaapi vim-syntax vorbis wifi x264 xattr xcb xcomposite xml xorg xscreensaver xulrunner xv xvid zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="it" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel vesa" 
XFCE_PLUGINS="brightness logout menu" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 

Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS

These are the packages that would be merged, in order:

Calculating dependencies... done!

[ebuild   R   ] net-misc/dhcpcd-5.2.12  USE="-zeroconf" 71 kB

[ebuild   R   ] sys-apps/baselayout-2.0.2  USE="-build" 40 kB

[ebuild   R   ] sys-apps/openrc-0.8.2-r1  USE="ncurses pam unicode -debug (-selinux)" 158 kB

Total: 3 packages (3 reinstalls), Size of downloads: 267 kB
```

I'm sure of it. The file is generated as soon as dhcpcd receives the information from the dns server, then it is deleted when I disconnect. Maybe it's a weird problem with some global umask setting? In /etc/profile it is umask=022, but I doubt that dhcpcd opens an interactive session. For non-interactive sessions, wasn't there a pam module to set the global umask? I don't know if dhcpcd looks at /etc/login.defs, but even there it is 022.

```
heavensdoor ~ # ll /var/run/dhcpcd/resolv.conf/
totale 4,0K
-rw-rw-rw- 1 root root root 68 21 mag 21.34 wlan0
```

----------

## Hu

It looks like dhcpcd never calls umask, either in its C code or in its hooks.  The file is only ever generated in the 20-resolv.conf hook that you cited earlier, so I think that script must be running with a bad umask.  I have no idea where the bogus umask originates, though.  You could try to strace the dhcpcd process and its children.  Using -e trace=fork,execve,umask should keep the noise down.

----------

## Cazzantonio

This is dhcpcd run directly in the terminal (so it takes the umask of user root)

```
heavensdoor ~ # ll /var/run/dhcpcd/resolv.conf/
totale 4,0K
-rw-r--r-- 1 root root root 67 22 mag 10.45 eth0
```

This is dhcpcd run by wicd, which I use to connect

```
heavensdoor ~ # ll /var/run/dhcpcd/resolv.conf/
totale 4,0K
-rw-rw-rw- 1 root root root 67 22 mag 10.45 eth0
```

It seems that it doesn't get a umask when run non-interactively by wicd.

Whatever the cause, that simple line fixes it.

----------

## Hu

A process inherits its umask from its parent, so I suspect wicd or one of its helpers is setting umask improperly.  That is why my wired link, and your command line invocation, both produced good permissions, but wicd produced insecure permissions.  The next question is whether to fix it by modifying the 20-resolv.conf script to ensure safe permissions or to fix it by patching wicd not to pass unsafe umask settings to its children.  Ideally, both should be done at their respective upstreams.

----------
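The umask inheritance Hu describes above, and the one-line chmod fix proposed earlier in the thread, reproduced in a temp directory as an added example (this is not code from the thread, from dhcpcd or from wicd; the file content and the umask values passed in are constructed for the demonstration):

```shell
#!/bin/sh
# Added example (not from the thread, dhcpcd or wicd): a hook inherits its
# umask from its parent. With umask 000 the per-interface resolv.conf file is
# created 666; the chmod proposed in the thread yields 644 whatever the umask.
set -e

resolv_conf_dir=$(mktemp -d)   # stands in for /var/run/dhcpcd/resolv.conf
interface=wlan0

# Mimics the write done by the 20-resolv.conf hook. The file is recreated on
# every lease, so the umask in force at creation time decides its mode
# (umask is only consulted when a file is created, never on later writes).
write_hook_unfixed() {
    rm -f "$resolv_conf_dir/$interface"
    # constructed sample content, not a real lease
    printf 'nameserver 192.0.2.1\n' > "$resolv_conf_dir/$interface"
}

# Same write followed by the one-line fix from the thread.
write_hook_fixed() {
    write_hook_unfixed
    chmod 644 "$resolv_conf_dir/$interface"
}

# Prints the mode string the way ll / ls -l shows it, e.g. -rw-rw-rw-
file_mode() {
    ls -ld "$resolv_conf_dir/$interface" | cut -c1-10
}

# Runs a hook in a subshell whose umask is set to $1, the way a parent
# process (wicd in the thread) passes its umask down to dhcpcd and its hooks.
run_with_umask() {
    ( umask "$1"; "$2" )
    file_mode
}

# Defender's check: exit 0 if any file under the directory is world-writable.
has_world_writable() {
    [ -n "$(find "$resolv_conf_dir" -type f -perm -o+w)" ]
}

run_with_umask 022 write_hook_unfixed   # -rw-r--r--  (interactive root shell)
run_with_umask 000 write_hook_unfixed   # -rw-rw-rw-  (umask inherited from parent)
run_with_umask 000 write_hook_fixed     # -rw-r--r--  (chmod makes the umask irrelevant)
```

The same `find ... -perm -o+w` check, pointed at the real /var/run/dhcpcd directory, is a quick way to confirm whether a running system is affected.
----------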

## Cazzantonio

roy maples thinks wicd should be fixed, and I agree. I'll try to file a bug to them when I have time.

----------

## UberLord

*Cazzantonio wrote:*

> roy maples thinks wicd should be fixed

Roy Marples thinks wicd should be fixed :Wink:

----------

