On Mon, Feb 23, 2004 at 04:42:26AM -0500, Jefferson Ogata wrote:
> You know after all that discussion on this topic last month, Andrew Pimlott
> came up with a patch to do a chroot/setuid that no one has commented on,
> AFAIK. Maybe it's worth looking at...?

I haven't touched the code since then, so the last patch I posted is still what you should look at.[1] To be perfectly honest, I am happy enough with simple uid dropping that I stopped paying attention when I heard that a patch for this had gone in.

That said, I just looked at (didn't try running) the current code[2] and there appear to be some problems.

- If tcpdump is setuid root, "tcpdump -Z root" enables anyone to read and write root's files, as well as get root from any exploit.

- If root uses "tcpdump -Z nobody", he will not be able to read his own files with "-r" (my first patch had the same issue). I don't think this is desirable. He will also not be able to write his own files with "-w", and this problem existed in my patch as well. The simplest solution would seem to be doing the "-w" earlier, but I'm not sure. (This seems also to apply to -F, and perhaps something else I've missed in a quick scan of what happens after -Z is handled.)

- It doesn't make sense for WITH_USER to be handled so much later than -Z. Perhaps the author noticed the above problems and decided to drop privileges later. Ok, but then -Z should be done later too.

- initgroups(pw->pw_name, 0) causes gid 0 to be left in the supplemental group list. It should be initgroups(pw->pw_name, pw->pw_gid).

Andrew

[1] http://www.tcpdump.org/lists/workers/2004/01/msg00064.html
[2] The relevant changes are
    http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/tcpdump.c?r1=1.225&r2=1.226
    http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/tcpdump.c?r1=1.226&r2=1.227

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
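
The privilege-drop points raised in the message above, as an added example that is not part of the original post and is not tcpdump's code: a drop routine that passes pw->pw_gid to initgroups(), refuses a target of uid or gid 0, and verifies the result. The names check_target, has_supplementary_gid and drop_to_user are hypothetical, and refusing root as a target is an assumed policy for the "-Z root" case.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes initgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_result { DROP_OK, DROP_NO_USER, DROP_REFUSED_ROOT, DROP_FAILED };

/* Assumed policy: a "drop" to uid 0 or gid 0 is no drop at all, so refuse
 * it (the "-Z root" case). Pure function, so it can be tested unprivileged. */
enum drop_result check_target(const struct passwd *pw)
{
    if (pw == NULL)
        return DROP_NO_USER;
    if (pw->pw_uid == 0 || pw->pw_gid == 0)
        return DROP_REFUSED_ROOT;
    return DROP_OK;
}

/* 1 if gid is in the supplementary group list, 0 if not, -1 on error. */
int has_supplementary_gid(gid_t gid)
{
    gid_t groups[256];
    int n = getgroups(256, groups);
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++)
        if (groups[i] == gid)
            return 1;
    return 0;
}

/* Must be called as root. Assumption: any files the invoking user needs
 * (such as -r, -w, -F arguments) were opened before this call. */
enum drop_result drop_to_user(const char *username)
{
    struct passwd *pw = getpwnam(username);
    enum drop_result r = check_target(pw);
    if (r != DROP_OK)
        return r;
    /* Groups first, uid last: after setuid() the group calls would fail.
     * Base gid is pw->pw_gid, not 0, so gid 0 is not carried over. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return DROP_FAILED;
    /* Fail closed unless root cannot be regained and gid 0 is gone. */
    if (setuid(0) == 0 || has_supplementary_gid(0) != 0)
        return DROP_FAILED;
    return DROP_OK;
}
```

The final check also fails when the target user is listed as a member of group 0 in the group database, since initgroups() would then add gid 0 legitimately.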