On Tue, Sep 27, 2016 at 01:03:55PM +0100, Stuart Henderson wrote:
> On 2016/09/27 12:23, Stuart Henderson wrote:
> > On 2016/09/27 11:12, Florian Obser wrote:
> > > On Tue, Sep 27, 2016 at 11:32:00AM +0100, Stuart Henderson wrote:
> > > > I just discovered an implication of the ping/traceroute changes:
> > > > bgplg users now need pwd.db in /var/www/etc.
> > > >
> > >
> > > Ooops. I guess this is a documentation problem?
> >
> > I think so ... this is one way to do it:
> >
> > # grep -e ^_ping -e ^_traceroute /etc/master.passwd > /var/www/etc/master.passwd.bgplg
> > # pwd_mkdb -d /var/www/etc master.passwd.bgplg
> >
>
> An alternative might be to allow the privdrop to fail as long as
> the calling user isn't root.

Maybe I will say something stupid, but ping(1) or traceroute(1) are suid
root:

$ ls -l /usr/sbin/traceroute /sbin/ping
-r-sr-xr-x 2 root bin 219408 Sep 23 03:04 /sbin/ping*
-r-sr-xr-x 2 root bin 34616 Sep 23 03:04 /usr/sbin/traceroute*

So not calling privdrop (setgroups+setresgid+setresuid) when real uid
isn't root will still make the program run with effective uid as root,
isn't it?

I think we always want to drop effective uid once SOCK_RAW socket has
been opened.

Thanks.
--
Sebastien Marie

> Index: usr.sbin/traceroute/traceroute.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/traceroute/traceroute.c,v
> retrieving revision 1.148
> diff -u -p -r1.148 traceroute.c
> --- usr.sbin/traceroute/traceroute.c 27 Sep 2016 05:33:46 -0000 1.148
> +++ usr.sbin/traceroute/traceroute.c 27 Sep 2016 12:03:19 -0000
> @@ -347,9 +347,10 @@ main(int argc, char *argv[])
>
> /* revoke privs */
> uid = getuid();
> - if ((pw = getpwnam(TRACEROUTE_USER)) == NULL)
> - errx(1, "no %s user", TRACEROUTE_USER);
> - if (setgroups(1, &pw->pw_gid) ||
> + if ((pw = getpwnam(TRACEROUTE_USER)) == NULL) {
> + if (uid == 0)
> + errx(1, "no %s user", TRACEROUTE_USER);
> + } else if (setgroups(1, &pw->pw_gid) ||
> setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
> setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
> err(1, "unable to revoke privs");
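
Review bot: in the new `getpwnam(TRACEROUTE_USER) == NULL` branch, a caller with `uid != 0` falls through without any of `setgroups`/`setresgid`/`setresuid` running, so a setuid-root traceroute (see the `ls -l` listing earlier in this message) keeps effective uid 0 for the rest of main(). Instead of skipping the drop, fall back to the caller's real ids in that branch, for example `setresgid(gid, gid, gid)` followed by `setresuid(uid, uid, uid)` with the values from `getgid()` and `getuid()`, and keep the `err(1, "unable to revoke privs")` check on that path as well.
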
> Index: sbin/ping/ping.c
> ===================================================================
> RCS file: /cvs/src/sbin/ping/ping.c,v
> retrieving revision 1.215
> diff -u -p -r1.215 ping.c
> --- sbin/ping/ping.c 26 Sep 2016 16:42:46 -0000 1.215
> +++ sbin/ping/ping.c 27 Sep 2016 12:03:19 -0000
> @@ -275,9 +275,10 @@ main(int argc, char *argv[])
>
> /* revoke privs */
> uid = getuid();
> - if ((pw = getpwnam(PING_USER)) == NULL)
> - errx(1, "no %s user", PING_USER);
> - if (setgroups(1, &pw->pw_gid) ||
> + if ((pw = getpwnam(PING_USER)) == NULL) {
> + if (uid == 0)
> + errx(1, "no %s user", PING_USER);
> + } else if (setgroups(1, &pw->pw_gid) ||
> setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
> setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
> err(1, "unable to revoke privs");
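
Review bot: the `if (uid == 0)` test inside the `getpwnam(PING_USER) == NULL` branch is the only failure path left, so for every other caller a missing account is ignored silently, with no diagnostic and no id change, while /sbin/ping is setuid root in the listing above. Either drop to the caller's real uid/gid in that branch or, at minimum, emit a `warnx()` there so that a chroot without pwd.db is noticed rather than quietly continuing with the inherited effective uid.
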
>
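
The concern raised in this message (a setuid-root binary that skips the drop keeps effective uid 0), as an added C example that is not part of the thread or of the OpenBSD tree: a privilege drop that falls back to the caller's real uid/gid when the dedicated account cannot be looked up, then verifies that root cannot be regained. The function name `revoke_privs` and its return convention are assumptions made for this example.

```c
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* glibc declares these only under _GNU_SOURCE; OpenBSD has them in <unistd.h>. */
int setresgid(gid_t, gid_t, gid_t);
int setresuid(uid_t, uid_t, uid_t);

/* Call once the raw socket is open. Returns 0 when no root id is left, -1 on failure. */
int
revoke_privs(const char *user)
{
	struct passwd *pw;
	uid_t uid = getuid();	/* fallback targets: the caller's real ids */
	gid_t gid = getgid();

	if ((pw = getpwnam(user)) != NULL) {
		uid = pw->pw_uid;
		gid = pw->pw_gid;
	} else if (uid == 0)
		return -1;	/* root caller and no account: refuse, as the patch does */
	/* else: account missing (e.g. chroot without pwd.db), drop to the caller */

	/* Supplementary groups can only be reset while still euid 0. */
	if (geteuid() == 0 && setgroups(1, &gid) == -1)
		return -1;
	if (setresgid(gid, gid, gid) == -1 || setresuid(uid, uid, uid) == -1)
		return -1;

	/* Verify the drop: effective ids changed and root cannot be regained. */
	if (geteuid() != uid || getegid() != gid || setuid(0) != -1)
		return -1;
	return 0;
}

int
main(void)
{
	/* "_traceroute" is the account name used in the thread's grep command. */
	if (revoke_privs("_traceroute") == -1) {
		fprintf(stderr, "unable to revoke privs\n");
		return 1;
	}
	printf("uid %d, euid %d\n", (int)getuid(), (int)geteuid());
	return 0;
}
```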