On 2016/09/27 12:23, Stuart Henderson wrote:
> On 2016/09/27 11:12, Florian Obser wrote:
> > On Tue, Sep 27, 2016 at 11:32:00AM +0100, Stuart Henderson wrote:
> > > I just discovered an implication of the ping/traceroute changes:
> > > bgplg users now need pwd.db in /var/www/etc.
> > >
> >
> > Ooops. I guess this is a documentation problem?
>
> I think so ... this is one way to do it:
>
> # grep -e ^_ping -e ^_traceroute /etc/master.passwd > /var/www/etc/master.passwd.bgplg
> # pwd_mkdb -d /var/www/etc master.passwd.bgplg
>
An alternative might be to allow the privdrop to fail as long as
the calling user isn't root.
Index: usr.sbin/traceroute/traceroute.c
===================================================================
RCS file: /cvs/src/usr.sbin/traceroute/traceroute.c,v
retrieving revision 1.148
diff -u -p -r1.148 traceroute.c
--- usr.sbin/traceroute/traceroute.c 27 Sep 2016 05:33:46 -0000 1.148
+++ usr.sbin/traceroute/traceroute.c 27 Sep 2016 12:03:19 -0000
@@ -347,9 +347,10 @@ main(int argc, char *argv[])
/* revoke privs */
uid = getuid();
- if ((pw = getpwnam(TRACEROUTE_USER)) == NULL)
- errx(1, "no %s user", TRACEROUTE_USER);
- if (setgroups(1, &pw->pw_gid) ||
+ if ((pw = getpwnam(TRACEROUTE_USER)) == NULL) {
+ if (uid == 0)
+ errx(1, "no %s user", TRACEROUTE_USER);
+ } else if (setgroups(1, &pw->pw_gid) ||
setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
err(1, "unable to revoke privs");
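
Review bot: In the new getpwnam(TRACEROUTE_USER) == NULL branch, a caller with uid != 0 falls through without any of the setgroups/setresgid/setresuid calls running, and uid here comes from getuid(), which is the real uid rather than the effective one. If the binary is installed setuid, that path leaves the effective uid untouched for the rest of main(). Consider making the non-root fallback still a drop, for example by calling setresgid/setresuid with the caller's own real gid and uid when the lookup fails, and keep the errx() only for the case where no drop is possible at all.
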
Index: sbin/ping/ping.c
===================================================================
RCS file: /cvs/src/sbin/ping/ping.c,v
retrieving revision 1.215
diff -u -p -r1.215 ping.c
--- sbin/ping/ping.c 26 Sep 2016 16:42:46 -0000 1.215
+++ sbin/ping/ping.c 27 Sep 2016 12:03:19 -0000
@@ -275,9 +275,10 @@ main(int argc, char *argv[])
/* revoke privs */
uid = getuid();
- if ((pw = getpwnam(PING_USER)) == NULL)
- errx(1, "no %s user", PING_USER);
- if (setgroups(1, &pw->pw_gid) ||
+ if ((pw = getpwnam(PING_USER)) == NULL) {
+ if (uid == 0)
+ errx(1, "no %s user", PING_USER);
+ } else if (setgroups(1, &pw->pw_gid) ||
setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
err(1, "unable to revoke privs");
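
Review bot: The non-root path through the getpwnam(PING_USER) == NULL test is silent and undocumented: nothing is printed, and the /* revoke privs */ comment above it still reads as if the revoke always happens. Add a comment on that branch saying the lookup is allowed to fail for non-root callers (the chroot without pwd.db case from this thread), so a later reader does not restore the unconditional errx(). Since the test is on getuid() rather than geteuid(), it is also worth stating in that comment what effective uid the process is expected to have when the revoke is skipped.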