Package: honeyd Version: 1.0-6
Linux 2.4.27-2-686 i686 GNU/Linux libc6 Version: 2.3.2.ds1-20
Brief description:
a) honeyd documentation and conf file suggest setting templates as uid
65534 gid 65534 (nobody). This prevents honeyd from activating
contributed scripts since the shipped version runs uid 101 gid 104 (honeyd). Related to bug #293731.
b) contributed scripts should be launched with full path and appropriate permission on their log files.
a) honeyd user and group
/usr/share/doc/honeyd/README.Debian lines 41-45 state:
"- run the scripts as a user with very low privileges. This is done by modifying the default template provided with honeyd. Debian's default template has:
set template uid 65534 gid 65534"
The conf file /etc/honeypot/honeyd.conf lines 19-20 also has:
"# Debian-specific (use nobody = 65534 instead of 32767) set template uid 65534 gid 65534"
However, honeyd runs with uid 101 gid 104, as shown by this line from /var/log/honeypot/daemon.log:
honeyd[9421]: started with -f /etc/honeypot/honeyd.conf -l /var/log/honeypot/honeyd.log -p /etc/honeypot/nmap.prints -a /etc/honeypot/nmap.assoc -0 /etc/honeypot/pf.os -x /etc/honeypot/xprobe2.conf -u 101 -g 104 --disable-webserver -i eth0
Therefore, if you edit honeyd.conf setting a template uid 65534 gid 65534, honeyd will not execute a contributed script, for example /usr/share/honeyd/scripts/web.sh
This is an excerpt from /var/log/syslog:
Apr 21 16:27:22 localhost honeyd[8181]: cmd_droppriv: setgroups(65534) failed cmd_droppriv: setregid(65534) failed cmd_droppriv: setegid(65534) failed cmd_droppriv: setgid(65534) failed cmd_droppriv: setuid(65534) failed cmd_droppriv: could not set gid to 65534
I suggest the documentation states which are the appropriate user and group.
b) issues with contributed scripts
These issues are minor; scripts are contributed and should always be double-checked for security reasons.
b1) full path required
Setting up a template in honeyd.conf that adds a script to a port, in the common honeyd way, does not seem correct.
Line from honeyd.conf:
add template tcp port 80 "sh scripts/web.sh"
Excerpt from /var/log/syslog:
Apr 21 18:42:49 localhost honeyd[8685]: E(159.149.xxx.xxx:36486 - 159.149.yyy.yyy:80): honeyd: cmd_fork: execv(scripts/web.sh): No such file or directory
b2) permissions for scripts logfile
Line from honeyd.conf:
add template tcp port 80 "sh /usr/share/honeyd/scripts/web.sh"
Excerpt from /var/log/syslog:
Apr 21 18:44:11 localhost honeyd[8718]: E(159.149.xxx.xx:36487 - 159.149.yyy.yyy:80): /usr/share/honeyd/scripts/web.sh: line 10: /tmp/log: Permission denied
Preventing a script from writing is a good idea, but the documentation could inform about that.
Best regards,
Jan Reister
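Added example, not part of the bug report or of the honeyd package: a POSIX sh pre-flight check for a honeyd.conf template that catches both problems described in the report before the daemon is restarted. It parses the uid/gid from a "set <template> uid N gid M" line and compares them with the -u/-g values in the logged "started with" line, and it lists relative paths inside the quoted command of "add <template> <proto> port <n> "..."" lines. The uid/gid check rests on a general fact, not on anything honeyd-specific: an unprivileged process can only set its uid/gid to ids it already holds, so a daemon running as uid 101 gid 104 cannot switch a script to nobody, which is what the cmd_droppriv failures in the syslog excerpt show. The sample honeyd.conf and the start line are constructed from the report; the function names and the "fixed_conf" rewrite are this example's own.

```shell
#!/bin/sh
# Pre-flight check for a honeyd template (added example, not honeyd code).
# Compares the uid/gid a "set <template> uid N gid M" line requests with
# the -u/-g honeyd was started with, and flags relative script paths in
# "add <template> <proto> port <n> "<cmd>"" lines. The sample inputs
# below are constructed from the bug report, not read from a live system.

STARTED_LINE='honeyd[9421]: started with -f /etc/honeypot/honeyd.conf -l /var/log/honeypot/honeyd.log -u 101 -g 104 --disable-webserver -i eth0'

CONF=$(mktemp)
trap 'rm -f "$CONF" "$CONF.fixed"' EXIT
cat > "$CONF" <<'EOF'
create template
set template personality "Linux 2.4.x"
# Debian-specific (use nobody = 65534 instead of 32767)
set template uid 65534 gid 65534
add template tcp port 80 "sh scripts/web.sh"
add template tcp port 21 "sh /usr/share/honeyd/scripts/ftp.sh"
EOF

# Print "uid gid" parsed from the daemon's logged start line (-u/-g).
daemon_ids() {
    uid=$(printf '%s\n' "$1" | sed -n 's/.*-u \([0-9][0-9]*\).*/\1/p')
    gid=$(printf '%s\n' "$1" | sed -n 's/.*-g \([0-9][0-9]*\).*/\1/p')
    printf '%s %s\n' "$uid" "$gid"
}

# Print "uid gid" from the first "set <name> uid N gid M" line of a conf.
template_ids() {
    sed -n 's/^set [^ ]* uid \([0-9]*\) gid \([0-9]*\).*/\1 \2/p' "$1" | head -n 1
}

# An unprivileged daemon can only switch to ids it already holds, so the
# template ids must equal the daemon's own. $1 conf, $2 uid, $3 gid.
check_ids() {
    set -- "$1" "$2" "$3" $(template_ids "$1")
    if [ -z "$4" ]; then
        echo "no 'set <template> uid N gid M' line in $1" >&2
        return 2
    fi
    if [ "$4" = "$2" ] && [ "$5" = "$3" ]; then
        return 0
    fi
    echo "template wants uid $4 gid $5 but honeyd runs as uid $2 gid $3:" \
         "cmd_droppriv will fail for every script" >&2
    return 1
}

# List words inside the quoted command of "add ... port ..." lines that
# look like relative paths (contain '/' but do not start with it);
# honeyd execv()s them as given, with no search path.
relative_scripts() {
    sed -n 's/^add [^ ]* [a-z]* port [0-9]* "\([^"]*\)".*/\1/p' "$1" \
        | tr ' ' '\n' | grep '/' | grep -v '^/' || true
}

check_script_paths() {
    bad=$(relative_scripts "$1")
    [ -z "$bad" ] && return 0
    printf 'relative script path(s) in %s:\n%s\n' "$1" "$bad" >&2
    return 1
}

# Emit the conf with the template ids rewritten to the daemon's own ids.
# $1 conf, $2 uid, $3 gid.
fixed_conf() {
    sed "s/^\(set [^ ]* uid \)[0-9]*\( gid \)[0-9]*/\1$2\2$3/" "$1"
}

# Stand-alone run against the constructed sample: both checks complain.
set -- $(daemon_ids "$STARTED_LINE")
check_ids "$CONF" "$1" "$2" || true
check_script_paths "$CONF" || true
```

Run it as an unprivileged user against the real /etc/honeypot/honeyd.conf and the "started with" line from daemon.log; the uid/gid reported there are the ones the template must use, and anything listed by the path check should be turned into an absolute path before the template is loaded.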