Permissions spec & Neutron driver

Simon Hobson dhcp1 at thehobsons.co.uk
Wed Jul 15 16:06:58 UTC 2015


James Beedy <jamesbeedy at gmail.com> wrote:

> I am implementing an ISC DHCP server driver for the OpenStack Neutron project. My goal is to create a Python module that controls, and allows, multiple instances of the ISC DHCP server to run under multiple different users. It would be nice if there was a spec that detailed the constraints concerning permissions of groups, users, directories and files associated with the ISC DHCP server. As of right now I am playing a lot of guess and check; hopefully this is something you might be able to shed some light on. I am currently experimenting with running different instances of the ISC DHCP server each in a chroot environment, but would like to not have to create a separate container or chroot for each instance of the ISC DHCP server running on a box. I'm sure there is a more efficient way, I just am unfamiliar with the permissions spec. Any insight into the permissions associated with the ISC DHCP server would be extremely appreciated.

With the caveat that I'm neither a programmer nor an expert in this area ...
I think you'll find that the server really doesn't need many permissions at all. With one exception, it needs to be able to read its config file, write its PID file, and write/re-write its lease file - with all that, it doesn't need any privileged access to anything (so basically the appropriate read & write permissions to the files/directories it needs to work in).

What it does need is the ability to handle raw sockets. So it needs to be able to take packets off the wire which can't be handled by the IP stack, and send packets directly which can't be sent via the IP stack. This is probably the only privileged access it needs.

The other issue is that you can only run one instance per interface, and there are some reports that it doesn't "play nice" with VLANs. I'm not sure of the details, but IIRC when it's come up, there have been issues of tagged packets being picked up by a server listening on an untagged interface of a trunked port.
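One way a driver could encode the rule of thumb in this reply (the server only reads its config and writes its PID and lease files) together with the one-instance-per-interface constraint. This is an added example, not code from the thread, from Neutron or from ISC; the per-instance directory layout, the instance user/group names and the dhcpd binary path are assumptions, and `-user`/`-group` are only honoured by dhcpd builds that support them.

```python
"""Per-instance dhcpd layout checks for a multi-instance driver (added example)."""
import stat
from pathlib import Path

DHCPD_BIN = "/usr/sbin/dhcpd"  # assumed install path


def instance_paths(base):
    """Assumed layout: one directory per instance holding conf, leases and pid."""
    base = Path(base)
    return {"conf": base / "dhcpd.conf",
            "leases": base / "dhcpd.leases",
            "pid": base / "dhcpd.pid"}


def check_instance(base):
    """Return permission problems for one instance directory.

    The server needs read on the config and write on the lease/PID files and
    their directory; anything wider than that is flagged. Ownership is left to
    the deployment tooling, so only mode bits are inspected here.
    """
    base = Path(base)
    if not base.is_dir():
        return [f"{base}: missing instance directory"]
    paths = instance_paths(base)
    problems = []
    if stat.S_IMODE(base.stat().st_mode) & stat.S_IWOTH:
        problems.append(f"{base}: directory is world-writable")
    conf = paths["conf"]
    if not conf.is_file():
        problems.append(f"{conf}: config file missing")
    elif stat.S_IMODE(conf.stat().st_mode) & stat.S_IWOTH:
        problems.append(f"{conf}: config is world-writable")
    leases = paths["leases"]
    # Lease files record client MACs and hostnames, so keep them private.
    if leases.exists() and stat.S_IMODE(leases.stat().st_mode) & (stat.S_IROTH | stat.S_IWOTH):
        problems.append(f"{leases}: lease file is world-accessible")
    return problems


def build_argv(base, iface, user, group, claimed_ifaces):
    """Command line for one foreground instance; one dhcpd per interface only.

    The remaining privilege the reply identifies (raw sockets) is CAP_NET_RAW on
    Linux, plus CAP_NET_BIND_SERVICE for UDP/67; it is not granted here.
    """
    if iface in claimed_ifaces:
        raise ValueError(f"interface {iface} already has a dhcpd instance")
    p = instance_paths(base)
    return [DHCPD_BIN, "-f", "-q", "-cf", str(p["conf"]), "-lf", str(p["leases"]),
            "-pf", str(p["pid"]), "-user", user, "-group", group, iface]
```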


