niklata / ndhc

Licence: MIT license
Privilege-separated secure DHCPv4 client for Linux.


ndhc

Copyright 2004-2022 Nicholas J. Kain. See LICENSE for licensing information.

Introduction

ndhc is a multi-process, privilege-separated DHCP client. Each subprocess runs with the minimal necessary privileges in order to perform its task. Currently, ndhc consists of three subprocesses: the ndhc-master, ndhc-ifch, and ndhc-sockd.

ndhc-master communicates with DHCP servers and handles the vagaries of the DHCP client protocol. It runs as a non-root user inside a chroot. ndhc runs as a normal user with no special privileges and is restricted to a chroot that contains nothing more than a urandom device node and a null device node.

ndhc-ifch handles interface change requests. It listens on a unix socket for such requests. ndhc-ifch runs as a non-root user inside a chroot, and retains only the power to configure network interfaces. ndhc-ifch automatically forks from ndhc-master to perform its job.

ndhc-sockd plays a similar role to ndhc-ifch, but it instead has the ability to bind to a low port, the ability to open a raw socket, and the ability to communicate on broadcast channels. ndhc communicates with ndhc-sockd over a unix socket, and the file descriptors that ndhc-sockd creates are passed back to ndhc over the unix socket.

ndhc fully implements RFC5227's address conflict detection and defense. Great care is taken to ensure that address conflicts will be detected, and ndhc also has extensive support for address defense. Care is taken to prevent unintentional ARP flooding under any circumstance.

ndhc also monitors hardware link status via netlink events and reacts appropriately when interface carrier status changes or an interface is explicitly deconfigured. This functionality can be useful on wired networks when transient carrier downtimes occur (or cables are changed), but it is particularly useful on wireless networks.

RFC3927's IPv4 Link Local Addressing is not supported. I have found v4 LLAs to be more of an annoyance than a help. v6 LLAs work much better in practice.

Features

Privilege-separated. ndhc does not run as root after initial startup, and capabilities are divided between the subprocesses. All processes run in a chroot.

Robust. ndhc performs no runtime heap allocations -- malloc() (more specifically, brk(), mmap(), etc) is never called after initialization (libc behavior during initialization time will vary), and ndhc never performs recursive calls and only stack-allocates fixed-length types, so stack depth is bounded, too.

Active defense of IP address and IP collision avoidance. ndhc fully implements RFC5227. It is capable of both a normal level of tenacity in defense, where it will eventually back off and request a new lease if a peer won't relent in the case of a conflict, and of relentlessly defending a lease forever. In either mode, it rate-limits defense messages, so it can't be tricked into flooding by a hostile peer or DHCP server, either.
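The two defense modes above, as an added illustration written for this page (not ndhc's own code): a minimal RFC 5227 defend-window state machine in C. The 10-second DEFEND_INTERVAL is RFC 5227's; the one-announcement-per-window rule in relentless mode is an assumed model of "rate-limits defense messages", not a description of how ndhc schedules them.

```c
#include <stdint.h>
#include <string.h>
/* RFC 5227 section 2.4: after sending one defensive announcement, a further
 * conflict within DEFEND_INTERVAL seconds means the host must stop defending. */
#define DEFEND_INTERVAL 10
enum acd_action { ACD_IGNORE, ACD_DEFEND, ACD_RELEASE };
struct acd_state {
    uint8_t our_hw[6];       /* our interface hardware address */
    int relentless;          /* 1: keep the lease forever, only rate-limit defenses */
    int64_t last_defend;     /* monotonic seconds of last announcement, -1 if none */
    unsigned defends;        /* announcements sent, for logging/metrics */
};
static void acd_init(struct acd_state *s, const uint8_t hw[6], int relentless)
{
    memcpy(s->our_hw, hw, 6); s->relentless = relentless;
    s->last_defend = -1; s->defends = 0;
}
/* Called for every ARP packet whose sender IP is our address. sender_hw is
 * the sender hardware address from the packet; now is monotonic seconds.
 * Any number of conflicts inside one window yields at most one announcement,
 * so a hostile peer cannot turn the defender into an ARP flood source. */
static enum acd_action acd_on_conflict(struct acd_state *s, const uint8_t sender_hw[6], int64_t now)
{
    if (memcmp(sender_hw, s->our_hw, 6) == 0)
        return ACD_IGNORE;   /* our own probe/announcement echoed back, not a conflict */
    int in_window = s->last_defend >= 0 && now - s->last_defend < DEFEND_INTERVAL;
    if (!in_window) {
        s->last_defend = now; s->defends++;
        return ACD_DEFEND;   /* one announcement opens a DEFEND_INTERVAL window */
    }
    if (s->relentless)
        return ACD_IGNORE;   /* rate limit: at most one announcement per window */
    s->last_defend = -1;     /* normal tenacity: peer persists, give up the lease */
    return ACD_RELEASE;      /* caller drops the address and requests a new lease */
}
```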

Small. ndhc avoids unnecessary outside dependencies and is written in plain C.

Fast. ndhc filters input using the BPF/LPF mechanism so that uninteresting packets are dropped by the operating system before ndhc even sees the data. ndhc also only listens to DHCP traffic when it's necessary.

Flexible. ndhc can request particular IPs, send user-specified client IDs, write a file that contains the current lease IP, write PID files, etc.

Self-contained. ndhc does not exec other processes, or rely on the shell. Further, ndhc relies on no external libraries aside from the system libc.

Aware of the hardware link status. If you disconnect an interface on which ndhc is providing DHCP service, it will be aware. When the link status returns, ndhc will fingerprint the reconnected network and make sure that it corresponds to the one on which it has a lease. If the new network is different, it will forget about the old lease and request a new one.

Requirements

  • Linux kernel
  • GNU Make
  • For developers: Ragel

Installation

Compile and install ndhc.

  • Build ndhc: make
  • Install the ndhc executable in a normal place. I would suggest /usr/sbin or /usr/local/sbin.

Time to create the jail in which ndhc will run. Become root and create new group ndhc.

$ su -
# umask 077
# groupadd ndhc

Create new users dhcpsockd, dhcpifch and dhcp. The primary group of these users should be ndhc.

# useradd -d /var/lib/ndhc -s /sbin/nologin -g ndhc dhcpsockd
# useradd -d /var/lib/ndhc -s /sbin/nologin -g ndhc dhcpifch
# useradd -d /var/lib/ndhc -s /sbin/nologin -g ndhc dhcp

Create the state directory where DUIDs and IAIDs will be stored.

# mkdir /etc/ndhc
# chown root.root /etc/ndhc
# chmod 0755 /etc/ndhc

Create the jail directory and set its ownership properly.

# mkdir /var/lib/ndhc
# chown root.root /var/lib/ndhc
# chmod a+rx /var/lib/ndhc
# cd /var/lib/ndhc
# mkdir var
# mkdir var/state
# mkdir var/run
# chown -R dhcp.ndhc var
# chmod -R a+rx var
# chmod g+w var/run

Create a urandom device for ndhc to use within the jail.

# mkdir dev
# mknod dev/urandom c 1 9
# mknod dev/null c 1 3
# chown -R root.root dev
# chmod a+rx dev
# chmod a+r dev/urandom
# chmod a+rw dev/null

At this point the jail is usable; ndhc is ready to be used. It should be invoked as the root user so that it can spawn its processes with the proper permissions. An example of invoking ndhc: ndhc -i wan0 -u dhcp -U dhcpifch -D dhcpsockd -C /var/lib/ndhc

If a configuration file is preferred instead of command arguments, I provide an example configuration file examples/wan0.conf. The associated example of invoking ndhc with such a configuration would be ndhc -c /etc/ndhc/wan0.conf.

If you encounter problems, I suggest running ndhc in the foreground and examining the printed output. ndhc logs all output to standard out or standard error.

ndhc should be run under some sort of process supervision such as s6. This will allow for reliable functioning in the case of unforeseen or unrecoverable errors. I provide an example s6 run file examples/s6.run.

Behavior Notes

ndhc does not enable updates of the local hostname and resolv.conf by default. If you wish to enable these functions, use the --resolve (-R) and --hostname (-H) flags. See ndhc --help.

If the network interface must be up for dependent daemons to run, the now configuration option or the --now command flag should be used, so that ndhc exits and is respawned by the process supervisor if no lease is acquired.

Running a script when a new lease is acquired

It is common for there to be some system state that must be changed if a network interface configuration changes; for example, on a system providing NAT or firewalling, the NAT or firewall might need to be updated if the associated upbound interface has a new IP address.

ndhc has the ability to run a script each time a new lease state is acquired. The script to be run is specified either in the configuration file with script-file = SCRIPTFILE or as a command argument with --script-file SCRIPTFILE where SCRIPTFILE is a path to an executable file. The script will not be run if an existing lease (acquired since the ndhc process was started) is simply updated.

If a scriptfile is specified, ndhc will spawn a subprocess that runs as root that has the sole job of forking off a subprocess that exec's the specified script in a sanitized and fixed-state environment whenever a new DHCPv4 lease is acquired.

Note that this script is provided no information about ndhc or the DHCP state in the environment or in any argument fields; it is the responsibility of this script to gather whatever information it needs from either the filesystem or syscalls. This design is intended to avoid the historical problems that are associated with dhcp clients invoking scripts.

The path of the scriptfile cannot be changed after ndhc is initially run; ndhc forks off the privsep script subprocess that executes scripts after it has read the configuration file and command arguments, but before it begins processing network data; thus, it is impossible for the network-handling process to modify or influence the script assuming proper OS memory protection.

State Storage Notes

ndhc requires a read/writable directory to store the DUID/IAID states. By default this directory is /etc/ndhc. It exists outside the chroot. The DUID will be stored in a single file, DUID. The IAIDs exist per-interface and are stored in files with names similar to IAID-xx:xx:xx:xx:xx:xx, where the xx values are replaced by the Ethernet hardware address of the interface.

If it is impossible to read or store the DUIDs or IAIDs, ndhc will fail at start time before it performs any network activity or forks any subprocesses.

If the host system lacks volatile storage, then a clientid should manually be specified using the -I or --clientid command arguments.

Porting Notes

DHCP clients aren't naturally very portable. It's necessary to perform a lot of tasks that are platform-specific. ndhc is rather platform-dependent, and it uses many Linux-specific features. The following list is not intended to be exhaustive:

  • ndhc takes advantage of Linux capabilities so that it does not need full root privileges. Capabilities were a proposed POSIX feature that was not made part of the official standard, so any implementation that may exist will be system-dependent.

  • ndhc configures network interfaces and routes. Interface and route configuration is entirely non-portable.

  • ndhc uses netlink sockets for fetching data, setting data, and hardware link state change notification events.

  • ndhc uses the Berkeley Packet Filter / Linux Packet Filter interfaces to drop unwanted packets in kernelspace. This functionality is available on most modern unix systems, but it is not standard.

  • Numerous socket options are used, and the AF_PACKET socket family is used for raw sockets and ARP. These are largely Linux-specific, too.