authorintrigeri <intrigeri@boum.org>2016-08-25 14:14:51 +0000
committerintrigeri <intrigeri@boum.org>2016-08-25 15:16:43 +0000
commit9c0a3916bd535660b2386fa355d214c0a1a7c4f3 (patch)
tree6e701a051c10d9368574d14db356dd6f6b306ef7
parent99456b42d4e6eac8637bd2bd54c5bbe9d1b02fe0 (diff)
Don't install isc-dhcp-client: NetworkManager now includes its own internal DHCP client.
Without this change, on current feature/stretch, NetworkManager using isc-dhcp-client leaks the hostname on the network. The internal DHCP client can't do much worse. So let's go for it: isc-dhcp-client is lots of old code, and has a history of security issues. refs: #11630
-rwxr-xr-xconfig/chroot_local-hooks/98-remove_unwanted_packages1
-rwxr-xr-xconfig/chroot_local-includes/etc/dhcp/dhclient-enter-hooks.d/disable_make_resolv_conf1
-rw-r--r--config/chroot_local-patches/dhcp-dont-send-hostname.diff14
-rw-r--r--features/support/config.rb1
-rw-r--r--wiki/src/contribute/design/Tor_enforcement/DNS.mdwn3
5 files changed, 2 insertions, 18 deletions
diff --git a/config/chroot_local-hooks/98-remove_unwanted_packages b/config/chroot_local-hooks/98-remove_unwanted_packages
index cc14328..e6c6ecc 100755
--- a/config/chroot_local-hooks/98-remove_unwanted_packages
+++ b/config/chroot_local-hooks/98-remove_unwanted_packages
@@ -59,6 +59,7 @@ apt-get --yes purge \
'^aptitude*' \
daemontools \
'^geoclue*' \
+ isc-dhcp-client \
krb5-locales \
libdvdcss2-dbgsym \
live-build \
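Review bot: The added `isc-dhcp-client \` purge line removes the only DHCP client that carried the hostname hardening this tree had (the deleted `supersede host-name "amnesia"` patch), but nothing in the commit pins NetworkManager to its internal client or states which hostname it will send. NetworkManager picks the backend via `dhcp=` in the `[main]` section of NetworkManager.conf and sends the hostname according to the per-connection `ipv4.dhcp-send-hostname` / `ipv4.dhcp-hostname` properties; without an explicit `dhcp=internal`, a later package that pulls isc-dhcp-client back in could silently reinstate the leak. If those settings already live elsewhere in the tree, a comment above the `apt-get --yes purge` line (outside this hunk — a `#` line inside the backslash-continued argument list would terminate the command) should point to them, e.g. `# DHCP is handled by NetworkManager's internal client (dhcp=internal), not isc-dhcp-client; see #11630`. The purge command starts before this hunk and continues past it.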
diff --git a/config/chroot_local-includes/etc/dhcp/dhclient-enter-hooks.d/disable_make_resolv_conf b/config/chroot_local-includes/etc/dhcp/dhclient-enter-hooks.d/disable_make_resolv_conf
deleted file mode 100755
index 24bec42..0000000
--- a/config/chroot_local-includes/etc/dhcp/dhclient-enter-hooks.d/disable_make_resolv_conf
+++ /dev/null
@@ -1 +0,0 @@
-make_resolv_conf() { : ; }
diff --git a/config/chroot_local-patches/dhcp-dont-send-hostname.diff b/config/chroot_local-patches/dhcp-dont-send-hostname.diff
deleted file mode 100644
index c1360dc..0000000
--- a/config/chroot_local-patches/dhcp-dont-send-hostname.diff
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -Naur orig/etc/dhcp/dhclient.conf new/etc/dhcp/dhclient.conf
---- orig/etc/dhcp/dhclient.conf 2014-07-31 22:31:11.363605131 +0200
-+++ new/etc/dhcp/dhclient.conf 2014-07-31 22:31:43.535349519 +0200
-@@ -12,7 +12,8 @@
-
- option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
-
--send host-name = gethostname();
-+#send host-name = gethostname();
-+supersede host-name "amnesia";
- request subnet-mask, broadcast-address, time-offset, routers,
- domain-name, domain-name-servers, domain-search, host-name,
- dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
-
diff --git a/features/support/config.rb b/features/support/config.rb
index 89fa1ba..b51ffe8 100644
--- a/features/support/config.rb
+++ b/features/support/config.rb
@@ -70,7 +70,6 @@ MISC_FILES_DIR = "#{Dir.pwd}/features/misc_files"
SERVICES_EXPECTED_ON_ALL_IFACES =
[
["cupsd", "0.0.0.0", "631"],
- ["dhclient", "0.0.0.0", "*"]
]
# OpenDNS
SOME_DNS_SERVER = "208.67.222.222"
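Review bot: Dropping the `["dhclient", "0.0.0.0", "*"]` entry leaves SERVICES_EXPECTED_ON_ALL_IFACES with no expectation for a DHCP client at all, yet NetworkManager's internal client still has to receive DHCP replies on UDP port 68; depending on how it binds, the scenario that consumes this list may now report an unexpected wildcard listener under the NetworkManager process name, or may simply stop checking DHCP exposure. It is worth running that scenario against an image built with this change and, if a wildcard listener shows up, adding the replacement entry rather than removing the check. A short comment above the array, e.g. `# No dhclient entry: DHCP is done by NetworkManager's internal client since isc-dhcp-client was purged; see #11630`, would record why the entry is gone.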
diff --git a/wiki/src/contribute/design/Tor_enforcement/DNS.mdwn b/wiki/src/contribute/design/Tor_enforcement/DNS.mdwn
index 079910d..fdcd636 100644
--- a/wiki/src/contribute/design/Tor_enforcement/DNS.mdwn
+++ b/wiki/src/contribute/design/Tor_enforcement/DNS.mdwn
@@ -20,10 +20,9 @@ used to run the [[contribute/design/Unsafe_Browser]], which uses the
DNS server provided for DHCP for resolving.
`resolv.conf` is configured to point to the Tor DNS resolver, and <span
-class="application">NetworkManager<span> and `dhclient` are configured
+class="application">NetworkManager<span>is configured
not to manage `resolv.conf` at all:
* [[!tails_gitweb config/chroot_local-includes/etc/resolv.conf]]
* [[!tails_gitweb config/chroot_local-includes/etc/NetworkManager/conf.d/dns.conf]]
-* [[!tails_gitweb config/chroot_local-includes/etc/dhcp/dhclient-enter-hooks.d/disable_make_resolv_conf]]
* [[!tails_gitweb config/chroot_local-includes/etc/tor/torrc]]