On Wed, Jun 04, 2008 at 09:32:51PM +0930, Nick Manser wrote:
> A quick-fix is to make the /var/log/honeypot worldwide accessible using
> chmod command; however, this seems to violate the security of the honeyd
> installation. The logfile and honeypot/ directory should be accessible
> by the honeyd user, and the daemon should run as the honeyd user rather
> than being demoted to nobody.

The problem here is that even though upstream introduced the '-u' and '-g'
flags, these get overwritten by the call to honeyd_init(), which rewrites
honeyd_uid and honeyd_gid *after* the flags have been interpreted:

    honeyd_init(void)
    {
    (...)
            /* Find the correct ids for nobody */
            if ((pwd = getpwnam("nobody")) != NULL) {
                    honeyd_uid = pwd->pw_uid;
                    honeyd_gid = pwd->pw_gid;
            }
    (...)

I'm going to introduce a workaround in that function so that it only
overwrites those values if the uid/gid correspond to the ones set in the
header definition:

    uid_t honeyd_uid = 32767;
    gid_t honeyd_gid = 32767;

Expect a new package in unstable soon fixing this issue.
Regards
Javier
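
The overwrite and the workaround described in the message above, as an added sketch that is not part of the original mail and is not the patch that went into the Debian package. The `uid_after_init()` driver, the constructed `nobody` entry (uid/gid 65534) and the per-id comparison are assumptions made for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

#define DEFAULT_ID 32767  /* initial value from the header definition quoted above */

static uid_t honeyd_uid = DEFAULT_ID;
static gid_t honeyd_gid = DEFAULT_ID;

/* Constructed passwd entry standing in for getpwnam("nobody"). */
static const struct passwd nobody = { .pw_uid = 65534, .pw_gid = 65534 };

/* Behaviour described in the mail: ids are replaced unconditionally. */
static void init_overwriting(const struct passwd *pwd) {
    if (pwd != NULL) {
        honeyd_uid = pwd->pw_uid;
        honeyd_gid = pwd->pw_gid;
    }
}

/* Workaround: replace an id only if it still holds the default
 * (checking uid and gid separately is an assumption of this sketch). */
static void init_guarded(const struct passwd *pwd) {
    if (pwd == NULL)
        return;
    if (honeyd_uid == DEFAULT_ID)
        honeyd_uid = pwd->pw_uid;
    if (honeyd_gid == DEFAULT_ID)
        honeyd_gid = pwd->pw_gid;
}

/* Hypothetical driver: apply -u/-g values (if given), then run one init
 * variant. Returns the uid the daemon would drop to. */
static uid_t uid_after_init(int guarded, int have_flags, uid_t u, gid_t g) {
    honeyd_uid = have_flags ? u : DEFAULT_ID;
    honeyd_gid = have_flags ? g : DEFAULT_ID;
    (guarded ? init_guarded : init_overwriting)(&nobody);
    return honeyd_uid;
}

int main(void) {
    printf("overwriting, -u 1001: %u\n", (unsigned)uid_after_init(0, 1, 1001, 1001));
    printf("guarded,     -u 1001: %u\n", (unsigned)uid_after_init(1, 1, 1001, 1001));
    printf("guarded,     no flag: %u\n", (unsigned)uid_after_init(1, 0, 0, 0));
    /* Sentinel limit: an explicit -u 32767 looks like "unset" and is replaced. */
    printf("guarded,    -u 32767: %u\n", (unsigned)uid_after_init(1, 1, DEFAULT_ID, DEFAULT_ID));
    return 0;
}
```

A sentinel comparison cannot tell an explicit `-u 32767` from an unset value; a separate "set on the command line" flag would remove that ambiguity.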