On Thu, Feb 26, 2004 at 09:47:26PM +0200, Pekka Savola wrote:
> 
> On Thu, 26 Feb 2004, Andrew Pimlott wrote:
> > - It is really not much trouble to drop root in the setuid root case.
> >   The appended patch does this.  Note that now, geteuid() is the
> >   appropriate thing to check, above.
> 
> Hmm.. IMHO, the code gets a bit harder to follow: to trace whether it 
> works fine you'll have to check a bunch of calls to check that all the 
> seteuid()'s are really dropped properly .. this makes it harder to 
> understand; that's why I have wanted to avoid this.

True.

> My argument is that setuid-tcpdump is already such a wacky corner case 
> that adding code to deal with that isn't probably worth the effort. 

I also tend to agree, but Jefferson had the opinion that it is kind to
protect these wacky people as well.  :-)

> > - initgroups does not really work after chroot, because it needs to open
> >   the groups file.  On my (Linux) system, it seems to fall back to
> >   setting only the given gid, however it might behave less gracefully on
> >   other systems.  I think it is better to initgroups before chroot.
> 
> Good point.  Or simpler, just do 'setgroups(0, NULL)' instead of 
> initgroups?  Not maybe pedantically 100% correct, but serves the 
> purpose..

I agree.

> > - The resolver problem appears to be serious.  I doubt there is any
> >   system that can do name resolution in a chroot, at least without
> >   somehow preparing beforehand.  My system appears to fall back
> >   gracefully to printing numbers, but I don't think this regression is
> >   acceptable.  Is it possible that if you do a gethostbyaddr before the
> >   chroot, it will read/open all necessary files, so that it will still
> >   work after the chroot?  If this can't be made to work on all
> >   platforms, an option not to chroot is required.
> 
> Hmm.. this should be looked at, I guess.  Remember though that 
> gethostbyaddr is possibly not enough as one could look up IPv6 records 
> too.  

So the problem seems rather intractable.  Unless someone comes up with a
clever solution, I'm afraid that chrooting when the -n option is not
specified (i.e., when the user expects name resolution) will break users'
expectations.  That's a shame.

Andrew
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
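
The ordering discussed in this message (clear supplementary groups with setgroups(0, NULL) before the chroot, keep the chroot optional for runs that need name resolution, then give up root permanently), as an added C example that is not part of the original email or of tcpdump's source. The names drop_root and no_root_left and the id 65534 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE            /* setgroups() and chroot() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper: 1 when no root uid is held and none can be regained. */
int no_root_left(void)
{
    return getuid() != 0 && geteuid() != 0 && setuid(0) == -1;
}

/*
 * Hypothetical helper: drop root for good.  chroot_dir may be NULL to skip
 * the chroot, e.g. when -n was not given and the resolver needs its files.
 * Returns 0 on success, -1 with errno set by the first failing step.
 */
int drop_root(uid_t uid, gid_t gid, const char *chroot_dir)
{
    if (uid == 0 || gid == 0) {    /* "dropping" to root is a caller bug */
        errno = EINVAL;
        return -1;
    }
    /* 1. Clear supplementary groups while still root and before chroot;
     *    unlike initgroups(), this does not open the groups file. */
    if (setgroups(0, NULL) == -1)
        return -1;
    /* 2. Confine the filesystem view and leave the old cwd behind. */
    if (chroot_dir != NULL && (chroot(chroot_dir) == -1 || chdir("/") == -1))
        return -1;
    /* 3. gid first: setgid() needs the privilege that setuid() gives up.
     *    With euid 0, setuid() resets real, effective and saved uid. */
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* 4. Verify the result instead of trusting return codes alone. */
    if (!no_root_left()) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* 65534 is "nobody" on many systems (assumption); no chroot here. */
    int rc = drop_root(65534, 65534, NULL);
    if (rc == -1)
        perror("drop_root");
    return rc == 0 ? 0 : 1;
}
```

Started without root, drop_root fails at step 1 and changes nothing; started as root or setuid root, a zero return means the final check has already confirmed that setuid(0) no longer succeeds.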