On 2016/09/27 12:23, Stuart Henderson wrote:
> On 2016/09/27 11:12, Florian Obser wrote:
> > On Tue, Sep 27, 2016 at 11:32:00AM +0100, Stuart Henderson wrote:
> > > I just discovered an implication of the ping/traceroute changes:
> > > bgplg users now need pwd.db in /var/www/etc.
> > > 
> > 
> > Ooops. I guess this is a documentation problem?
> 
> I think so ... this is one way to do it:
> 
> # grep -e ^_ping -e ^_traceroute /etc/master.passwd > /var/www/etc/master.passwd.bgplg
> # pwd_mkdb -d /var/www/etc master.passwd.bgplg
> 

An alternative might be to allow the privdrop to fail as long as
the calling user isn't root.

Index: usr.sbin/traceroute/traceroute.c
===================================================================
RCS file: /cvs/src/usr.sbin/traceroute/traceroute.c,v
retrieving revision 1.148
diff -u -p -r1.148 traceroute.c
--- usr.sbin/traceroute/traceroute.c    27 Sep 2016 05:33:46 -0000      1.148
+++ usr.sbin/traceroute/traceroute.c    27 Sep 2016 12:03:19 -0000
@@ -347,9 +347,10 @@ main(int argc, char *argv[])
 
        /* revoke privs */
        uid = getuid();
-       if ((pw = getpwnam(TRACEROUTE_USER)) == NULL)
-               errx(1, "no %s user", TRACEROUTE_USER);
-       if (setgroups(1, &pw->pw_gid) ||
+       if ((pw = getpwnam(TRACEROUTE_USER)) == NULL) {
+               if (uid == 0)
+                       errx(1, "no %s user", TRACEROUTE_USER);
+       } else if (setgroups(1, &pw->pw_gid) ||
            setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
            setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
                err(1, "unable to revoke privs");
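Review bot: When getpwnam() returns NULL and uid != 0, the new `{ ... }` branch falls through without calling setgroups/setresgid/setresuid at all, so the lookup failure silently disables the privilege drop instead of degrading it. If the binary is installed setuid, which the "revoke privs" comment suggests but the hunk does not show, the process would keep its elevated effective ids for the rest of main(). The non-root fallback should still drop to the caller's own ids, for example by adding `if (setresgid(getgid(), getgid(), getgid()) || setresuid(uid, uid, uid)) err(1, "unable to revoke privs");` after the `uid == 0` check inside the `pw == NULL` branch. The same applies to the PING_USER hunk in sbin/ping/ping.c; in both files main() starts and continues outside the hunk, so whether a later drop exists cannot be confirmed from here.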
Index: sbin/ping/ping.c
===================================================================
RCS file: /cvs/src/sbin/ping/ping.c,v
retrieving revision 1.215
diff -u -p -r1.215 ping.c
--- sbin/ping/ping.c    26 Sep 2016 16:42:46 -0000      1.215
+++ sbin/ping/ping.c    27 Sep 2016 12:03:19 -0000
@@ -275,9 +275,10 @@ main(int argc, char *argv[])
 
        /* revoke privs */
        uid = getuid();
-       if ((pw = getpwnam(PING_USER)) == NULL)
-               errx(1, "no %s user", PING_USER);
-       if (setgroups(1, &pw->pw_gid) ||
+       if ((pw = getpwnam(PING_USER)) == NULL) {
+               if (uid == 0)
+                       errx(1, "no %s user", PING_USER);
+       } else if (setgroups(1, &pw->pw_gid) ||
            setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
            setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
                err(1, "unable to revoke privs");
