Your message dated Sun, 07 Jun 2015 22:21:19 +0000
with message-id <[email protected]>
and subject line Bug#477401: fixed in httptunnel 3.3+dfsg-4
has caused the Debian Bug report #477401,
regarding package "httptunnel" has no chroot/setuid/setgid support
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
477401: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477401
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: httptunnel
Version: 3.3+dfsg-1
Severity: normal
Tags: security,patch,upstream
hts (httptunnel server side program) provides no way to downgrade
privileges after all sockets are open.
That means some hacks (ie: capabilities) need to be done to bind
privileged port (ie: 80) when using unprivileged user (ie: nobody).
Furthermore no privilege are needed once the tunnel is created.
The attached patch add 2 more arguments to hts command line:
-C, --chroot LOCATION
-u, --user USERNAME
Privileges are downgraded after tunnel_new_server() call
(chroot,getpwnam+setgid+setuid)
Patch tested and working on 1 Debian testing + 1 Debian unstable (both x86).
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18.3-crazy
Versions of packages file depends on:
ii libc6 2.6.1-1 GNU C Library: Shared libraries
diff -Nur httptunnel-3.3+dfsg/hts.1 httptunnel-3.3.new/hts.1
--- httptunnel-3.3+dfsg/hts.1 2008-04-22 22:30:25.000000000 +0200
+++ httptunnel-3.3.new/hts.1 2008-04-22 22:32:57.000000000 +0200
@@ -44,6 +44,12 @@
.TP
.B \-p, \-\-pid\-file LOCATION
write a PID file to LOCATION
+.TP
+.B \-C, \-\-chroot LOCATION
+chroot to LOCATION before serving clients
+.TP
+.B \-u, \-\-user USER
+change user and group identities before serving clients
.SH AUTHOR
This manual page was contributed by Teemu Hukkanen <[email protected]>,
and was originally written for the Debian GNU/Linux system.
diff -Nur httptunnel-3.3+dfsg/hts.c httptunnel-3.3.new/hts.c
--- httptunnel-3.3+dfsg/hts.c 2001-02-25 12:56:37.000000000 +0100
+++ httptunnel-3.3.new/hts.c 2008-04-22 01:42:43.000000000 +0200
@@ -13,6 +13,8 @@
#include <signal.h>
#include <sys/poll_.h>
#include <sys/time.h>
+#include <time.h>
+#include <pwd.h>
#include "common.h"
@@ -31,6 +33,8 @@
int strict_content_length;
int keep_alive;
int max_connection_age;
+ char *chroot_path;
+ char *user;
} Arguments;
int debug_level = 0;
@@ -67,6 +71,8 @@
" -V, --version output version information and exit\n"
" -w, --no-daemon don't fork into the background\n"
" -p, --pid-file LOCATION write a PID file to LOCATION\n"
+" -C, --chroot LOCATION chroot to LOCATION before serving clients\n"
+" -u, --user USERNAME change user id before serving clients\n"
"\n"
"Report bugs to %s.\n",
me, DEFAULT_HOST_PORT, DEFAULT_KEEP_ALIVE,
@@ -93,6 +99,8 @@
arg->strict_content_length = FALSE;
arg->keep_alive = DEFAULT_KEEP_ALIVE;
arg->max_connection_age = DEFAULT_CONNECTION_MAX_TIME;
+ arg->chroot_path = NULL;
+ arg->user = NULL;
for (;;)
{
@@ -114,10 +122,12 @@
{ "forward-port", required_argument, 0, 'F' },
{ "content-length", required_argument, 0, 'c' },
{ "max-connection-age", required_argument, 0, 'M' },
+ { "chroot", required_argument, 0, 'C' },
+ { "user", required_argument, 0, 'u' },
{ 0, 0, 0, 0 }
};
- static const char *short_options = "c:d:F:hk:M:p:sSVw"
+ static const char *short_options = "c:C:d:F:hk:M:p:sSu:Vw"
#ifdef DEBUG_MODE
"D:l:"
#endif
@@ -140,6 +150,10 @@
case 'c':
arg->content_length = atoi_with_postfix (optarg);
break;
+
+ case 'C':
+ arg->chroot_path = optarg;
+ break;
case 'd':
arg->device = optarg;
@@ -203,6 +217,10 @@
case 'p':
arg->pid_filename = optarg;
break;
+
+ case 'u':
+ arg->user = optarg;
+ break;
case 'w':
arg->use_daemon = FALSE;
@@ -278,6 +296,8 @@
Arguments arg;
Tunnel *tunnel;
FILE *pid_file;
+ uid_t uid;
+ gid_t gid;
parse_arguments (argc, argv, &arg);
@@ -307,6 +327,10 @@
log_notice (" debug_level = %d", debug_level);
log_notice (" pid_filename = %s",
arg.pid_filename ? arg.pid_filename : "(null)");
+ log_notice (" chroot_path = %s",
+ arg.chroot_path ? arg.chroot_path : "(null)");
+ log_notice (" user = %s",
+ arg.user ? arg.user : "(null)");
tunnel = tunnel_new_server (arg.host, arg.port, arg.content_length);
if (tunnel == NULL)
@@ -315,6 +339,36 @@
log_exit (1);
}
+ if (arg.user)
+ {
+ struct passwd *pwd;
+ pwd = getpwnam(arg.user);
+ if (!pwd)
+ {
+ log_error ("couldn't chroot to %s", arg.chroot_path);
+ log_exit (1);
+ }
+ uid = pwd->pw_uid;
+ gid = pwd->pw_gid;
+ endpwent();
+ }
+
+ if (arg.chroot_path && chroot(arg.chroot_path))
+ {
+ log_error ("couldn't chroot to %s", arg.chroot_path);
+ log_exit (1);
+ }
+
+ if (arg.user)
+ {
+ if (setgid(gid) || setuid(uid))
+ {
+ log_error ("couldn't change identity to %u:%u", uid, gid);
+ log_exit (1);
+ }
+ }
+
+
if (tunnel_setopt (tunnel, "strict_content_length",
&arg.strict_content_length) == -1)
log_debug ("tunnel_setopt strict_content_length error: %s",
--- End Message ---
--- Begin Message ---
Source: httptunnel
Source-Version: 3.3+dfsg-4
We believe that the bug you reported is fixed in the latest version of
httptunnel, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Teemu Hukkanen <[email protected]> (supplier of updated httptunnel package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 07 Jun 2015 12:04:29 +0300
Source: httptunnel
Binary: httptunnel
Architecture: source amd64
Version: 3.3+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Teemu Hukkanen <[email protected]>
Changed-By: Teemu Hukkanen <[email protected]>
Description:
httptunnel - Tunnels a data stream in HTTP requests
Closes: 477401
Changes:
httptunnel (3.3+dfsg-4) unstable; urgency=medium
.
* Use dh_autoreconf.
* Enable hardening.
* Pick changes from upstream:
- 08-fix-setsockopt-bugs
- 09-upstream-faq-updates
- 10-upstream-debug-arg-required-in-debug
- 11-upstream-use-fputs-fputc
- 12-upstream-tunnel-h-doc
- 13-upstream-chroot-user-opts (Closes: #477401)
* Add patch 14-manpage-chroot-user-opts, adding chroot and user options
to the manpage.
* Add patch 15-modern_autoconf from upstream, drop partially duplicate
07-quote-autoconf-definitions.
* Bump Standards-Version to 3.9.6, no changes needed.
Checksums-Sha1:
ad320cd6d23070ec3be171a1ad43261ce1ae4e8b 1759 httptunnel_3.3+dfsg-4.dsc
ab52c03444ccdf5bfe7e1ede0bcf093064c18bd8 13132
httptunnel_3.3+dfsg-4.debian.tar.xz
7abc89ea24a7a9aa735d3e914208fd27434b0c94 48956 httptunnel_3.3+dfsg-4_amd64.deb
Checksums-Sha256:
a63bccf9d70a73aecc0cf462895b2e1974abbd8349818708bf6d4d2f7427f32b 1759
httptunnel_3.3+dfsg-4.dsc
85794937548e65f2e356ad8a95b07a6ed11d9e0acd67eadd7d95437d64eb6757 13132
httptunnel_3.3+dfsg-4.debian.tar.xz
482251ad4bbd8f3f24155d06871c214884e1164537f0fadcbd175508b6ac76f3 48956
httptunnel_3.3+dfsg-4_amd64.deb
Files:
e7711568214eb2a876d995a2ba484056 1759 net optional httptunnel_3.3+dfsg-4.dsc
6d831e218e2b829cdbfec254c1cd62b0 13132 net optional
httptunnel_3.3+dfsg-4.debian.tar.xz
9a6edb73a8e68f4171c3fd2942239f2c 48956 net optional
httptunnel_3.3+dfsg-4_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJVdJ/NAAoJEFNtV0icIAHQCWUP/2IbDhHocZapK7PNx8CknwE3
iMrP8mIbgnli4HncwqhFnB2nj0ga0uVX5CuUzdroz28DU6xJc1lL9QpEuzX0diCX
Ri58+GU9ducMGpJiopiReA5vDJponOKvCyxWY+aUvUzrM0FOcMNju6kt5bQ10cBb
25TJ6zTmxdsP5ZBPObClDX5e+CoSjopx7ZRISrWUV6lcZgRNXVQ01hQiWnb8VQ74
yOu2spXzAWYDE/NH5zb6HbB6/bTr7O8r4hxkNl/7x2XindG3ck1XuUIlOS+G75xs
mn/+IdPwagA6+rfCCFP0Jx1kmY4CfNDYJeQN371Jch/2o1xmXAe5n1Oas4+PIRLl
jYb72pjCX2jqIHMwvT1oFv/Gx92ZLGVCL4WpQXgOeByiFoQNR86gO0r9jd45g5Fp
pMn0x+RLbj4EdIcn09EMmDPnT1/NeCD/oUXfgrTSK9/rJX4yGCEgLV8pX/zACuGi
2Osn7Py6qHk+jByUzaM7E+7J1FUyaPTXLTon0Qis8n2ySz42jXKDWF++NtCeMBmf
0pFiwuMkgrHqid3UBS/d6rhiz0tzZ5sDYn3u6/YqhLbJ12a5QnUvSsPrwaKTLMy0
d6zeCcD3is6NCNt5k4BQKugaARZx7A1Us7hdS5ckGZMaOgc3aC4in0c5bHf9dBnr
tGzWX6EcL2J+Is5TxV4I
=U7/l
-----END PGP SIGNATURE-----
--- End Message ---
