>> > What about an ENABLE_FEATURE_FAKEIDENTD_SETUID config option which
>> > optionally allows dropping privileges to a specified uid/gid?
>>
>> For what purpose? Do you see any way fakeidentd
>> can be compromised?
>
> No, I don't. Even though the code is quite trivial, I don't have a good
> feeling running such services as root. I considered this just as a precaution.
>
> In the original (?) fakeidentd <http://www.guru-group.fi/~too/sw/releases/identd.c>
> there was an overflow bug (<https://www.sans.org/newsletters/sac/sac2_31.php>).
Use "tcpsvd -u <user>:<group> 0 113 fakeidentd -i" then.
# fakeidentd --help
BusyBox v1.12.0.svn (2008-07-06 13:04:39 CEST) multi-call binary
Usage: fakeidentd [-fiw] [-b ADDR] [STRING]
Provide fake ident (auth) service
Options:
-f Run in foreground
-i Inetd mode
-w Inetd 'wait' mode
-b ADDR Bind to specified address
STRING Ident answer string (default is 'nobody')
# tcpsvd --help
BusyBox v1.12.0.svn (2008-07-06 13:04:39 CEST) multi-call binary
Usage: tcpsvd [-hEv] [-c n] [-C n:msg] [-b n] [-u user] [-l name] ip
port prog...
Create TCP socket, bind it to ip:port and listen
for incoming connection. Run PROG for each connection.
ip IP to listen on. '0' = all
port Port to listen on
prog [arg] Program to run
-l name Local hostname (else looks up local hostname in DNS)
-u user[:group] Change to user/group after bind
-c n Handle up to n connections simultaneously
-b n Allow a backlog of approximately n TCP SYNs
-C n[:msg] Allow only up to n connections from the same IP
New connections from this IP address are closed
immediately. 'msg' is written to the peer before close
-h Look up peer's hostname
-E Do not set up environment variables
-v Verbose
--
vda
_______________________________________________
busybox mailing list
http://busybox.net/cgi-bin/mailman/listinfo/busybox
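The "-u user[:group] Change to user/group after bind" step that vda points to is the whole safety argument here: the privileged port 113 is bound while still root, and only then are the ids switched, in the right order, before fakeidentd runs. The snippet below is an added illustration of that sequence and is not code from busybox's tcpsvd; parse_user_group, drop_privileges and privileges_dropped are names chosen for this example, and the ids used in the comments are constructed values.

```c
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse a tcpsvd-style "user[:group]" spec into uid/gid. A purely numeric
 * field is taken as an id; anything else is looked up with getpwnam/getgrnam.
 * With no ":group", a named user gets its passwd primary group and a numeric
 * user gets the same number as gid. Returns 0 on success, -1 on unknown name. */
int parse_user_group(const char *spec, uid_t *uid, gid_t *gid) {
    char buf[128];
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    char *group = strchr(buf, ':');
    if (group) *group++ = '\0';

    char *end;
    unsigned long n = strtoul(buf, &end, 10);
    if (*buf && *end == '\0') {
        *uid = (uid_t)n;
        *gid = (gid_t)n;                 /* e.g. "65534" -> 65534:65534 */
    } else {
        struct passwd *pw = getpwnam(buf);
        if (!pw) return -1;
        *uid = pw->pw_uid;
        *gid = pw->pw_gid;
    }
    if (group) {
        n = strtoul(group, &end, 10);
        if (*group && *end == '\0') {
            *gid = (gid_t)n;
        } else {
            struct group *gr = getgrnam(group);
            if (!gr) return -1;
            *gid = gr->gr_gid;
        }
    }
    return 0;
}

/* Drop privileges once the socket is bound: supplementary groups first (only
 * root may clear them), then gid, then uid. Doing setuid() first would leave
 * the process unable to change its gid afterwards. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Sanity check after the drop: we are not root and cannot become root again. */
int privileges_dropped(void) {
    if (getuid() == 0 || geteuid() == 0) return 0;
    return setuid(0) != 0;               /* setuid(0) must now fail */
}
```

tcpsvd performs this drop in the listener before each per-connection exec of fakeidentd, which is why the service itself needs no setuid option.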