commit:     6739ee69e69a954bc27a3040ab59d46b82582229
Author:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Sun Oct 22 17:22:30 2017 +0000
Commit:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Sun Oct 22 17:40:01 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6739ee69

net-analyzer/arpwatch: new revision to fix privilege escalation.

In previous revisions, the init script for arpwatch called "chown" as
root on a location under /var/lib/arpwatch -- a path that is controlled
by the "arpwatch" user per its ebuild. That could be exploited by the
"arpwatch" user to take control of root-owned files.

This new revision comes with a new init script and conf.d file that
completely rework the way instances are created and run. The
"arpwatch" user is hard-coded, because as was mentioned, the ebuild
sets some important permissions for that user. Since it is not
possible to change that user, the need for "chown" is eliminated.

Separate instances are now created by symlinking the init script (like
our network interface scripts), rather than by enumerating them in a
single arpwatch init script. Upgraders will want to review their
configurations.

Bug: https://bugs.gentoo.org/602552
Package-Manager: Portage-2.3.8, Repoman-2.3.3

 net-analyzer/arpwatch/arpwatch-2.1.15-r10.ebuild | 69 ++++++++++++++++++++++++
 net-analyzer/arpwatch/files/arpwatch.confd-r1    | 17 ++++++
 net-analyzer/arpwatch/files/arpwatch.initd-r1    | 27 ++++++++++
 3 files changed, 113 insertions(+)

diff --git a/net-analyzer/arpwatch/arpwatch-2.1.15-r10.ebuild 
b/net-analyzer/arpwatch/arpwatch-2.1.15-r10.ebuild
new file mode 100644
index 00000000000..986da0386f7
--- /dev/null
+++ b/net-analyzer/arpwatch/arpwatch-2.1.15-r10.ebuild
@@ -0,0 +1,69 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit user versionator
+
+PATCH_VER="0.8"
+MY_P="${PN}-$(replace_version_separator 2 'a')"
+
+DESCRIPTION="An ethernet monitor program that keeps track of ethernet/IP 
address pairings"
+HOMEPAGE="http://ee.lbl.gov/";
+SRC_URI="
+       ftp://ftp.ee.lbl.gov/${MY_P}.tar.gz
+       https://dev.gentoo.org/~jer/arpwatch-patchset-${PATCH_VER}.tar.xz
+"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~hppa ~ppc ~sparc ~x86 ~x86-fbsd"
+IUSE="selinux"
+
+DEPEND="
+       net-libs/libpcap
+       sys-libs/ncurses:*
+"
+RDEPEND="
+       ${DEPEND}
+       selinux? ( sec-policy/selinux-arpwatch )
+"
+
+S="${WORKDIR}/${MY_P}"
+
+pkg_setup() {
+       # We need to create /var/lib/arpwatch with this group, so it must
+       # exist during src_install.
+       enewgroup arpwatch
+}
+
+pkg_postinst() {
+       # The user, however, is not needed until runtime.
+       enewuser arpwatch -1 -1 -1 arpwatch
+}
+
+src_prepare() {
+       local patchdir="${WORKDIR}/arpwatch-patchset"
+
+       eapply "${patchdir}"/*.patch
+       eapply_user
+
+       cp "${patchdir}"/*.8 ./ || die "failed to copy man pages from 
${patchdir}"
+}
+
+src_install () {
+       dosbin arpwatch arpsnmp arp2ethers massagevendor arpfetch bihourly.sh
+       doman arpwatch.8 arpsnmp.8 arp2ethers.8 massagevendor.8 arpfetch.8 
bihourly.8
+
+       insinto /usr/share/arpwatch
+       doins ethercodes.dat
+
+       insinto /usr/share/arpwatch/awk
+       doins duplicates.awk euppertolower.awk p.awk e.awk d.awk
+
+       diropts --group=arpwatch --mode=770
+       dodir /var/lib/arpwatch
+       dodoc README CHANGES
+
+       newinitd "${FILESDIR}"/arpwatch.initd-r1 arpwatch
+       newconfd "${FILESDIR}"/arpwatch.confd-r1 arpwatch
+}
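Review bot: `diropts --group=arpwatch --mode=770` before `dodir /var/lib/arpwatch` is what makes that directory group-writable, which is exactly the property the commit message identifies as the reason root must never chown paths under it; that reasoning lives only in the commit message, not in the ebuild. A comment on the `diropts` line would keep it with the code, e.g. `# Group-writable so the daemon (running as "arpwatch") can maintain its .dat files here; any root-run ownership or mode change inside this directory must not follow symlinks.` The `src_install ()` signature also has a space before the parentheses while `pkg_setup()` and `pkg_postinst()` do not; `src_install() {` keeps the file consistent with itself.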

diff --git a/net-analyzer/arpwatch/files/arpwatch.confd-r1 
b/net-analyzer/arpwatch/files/arpwatch.confd-r1
new file mode 100644
index 00000000000..a4da503406a
--- /dev/null
+++ b/net-analyzer/arpwatch/files/arpwatch.confd-r1
@@ -0,0 +1,17 @@
+# See arpwatch.8 for more information
+
+# Specify the interface for arpwatch to listen on here (default: lo).
+# If you need to listen on more than one interface, you should
+# run multiple arpwatch services; for example "arpwatch" and
+# "arpwatch.eth1". These additional services can be configured by
+# symlinking to the "arpwatch" service script, and by creating a new
+# conf.d file whose name matches the new service (symlink) name.
+#
+# Example:
+#
+# ARPWATCH_IFACE="eth0"
+#
+ARPWATCH_IFACE="lo"
+
+# Additional options to pass to arpwatch.
+ARPWATCH_OPTS="-N -p"
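Review bot: The conf.d file does not tell an upgrader that the init script already passes `-u arpwatch`, `-f` and `-P` itself, so someone carrying those options over from an older ARPWATCH_OPTS would pass them twice, and which copy wins is not established here. A comment above `ARPWATCH_OPTS` would prevent that, e.g. `# The service always runs as the "arpwatch" user and sets -u, -f and -P itself; do not repeat those here.` Since the commit message says the user is deliberately hard-coded, stating it in the file users actually edit is where it matters.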

diff --git a/net-analyzer/arpwatch/files/arpwatch.initd-r1 
b/net-analyzer/arpwatch/files/arpwatch.initd-r1
new file mode 100644
index 00000000000..ffe165205c6
--- /dev/null
+++ b/net-analyzer/arpwatch/files/arpwatch.initd-r1
@@ -0,0 +1,27 @@
+#!/sbin/openrc-run
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Default to "lo" for the interface, so that the init script will work
+# out-of-the-box.
+: ${ARPWATCH_IFACE:=lo}
+
+ARPWATCH_DATAFILE="/var/lib/arpwatch/${RC_SVCNAME}.dat"
+
+command="/usr/sbin/arpwatch"
+pidfile="/run/${RC_SVCNAME}.pid"
+command_args="-i ${ARPWATCH_IFACE}
+              -u arpwatch
+              -f ${ARPWATCH_DATAFILE}
+              -P ${pidfile}
+              ${ARPWATCH_OPTS}"
+
+depend() {
+    need "net.${ARPWATCH_IFACE}"
+}
+
+start_pre() {
+    # The "arpwatch" user must be a member of the "arpwatch" group for
+    # this to work.
+    checkpath --file --owner root:arpwatch --mode 0660 "${ARPWATCH_DATAFILE}"
+}
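Review bot: `checkpath --file --owner root:arpwatch --mode 0660 "${ARPWATCH_DATAFILE}"` in start_pre still changes ownership and mode, as root, of a path inside /var/lib/arpwatch, which the ebuild in this commit installs as group-writable (mode 770) for the arpwatch group; whether this closes the issue described in the commit message therefore rests on checkpath refusing to operate through a symlink placed there by the arpwatch user, which depends on the installed OpenRC and is not guaranteed by anything in this script. That assumption deserves a comment next to the call, e.g. `# Relies on checkpath not following symlinks; the directory is writable by the arpwatch group.`, or a pre-check that the path is a regular file before calling checkpath. Separately, `: ${ARPWATCH_IFACE:=lo}` would be clearer and safer under word-splitting as `: "${ARPWATCH_IFACE:=lo}"`.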
