Группа :: Мониторинг
Пакет: tcptraceroute
Главная Изменения Спек Патчи Sources Загрузить Gear Bugs and FR Repocop
Патч: tcptraceroute-1.5beta6-alt-droppriv.patch
Скачать
Скачать
diff -uprk.orig tcptraceroute-1.5beta6.orig/configure.ac tcptraceroute-1.5beta6/configure.ac
--- tcptraceroute-1.5beta6.orig/configure.ac 2004-12-28 06:40:54 +0300
+++ tcptraceroute-1.5beta6/configure.ac 2005-01-03 19:44:57 +0300
@@ -24,6 +24,7 @@ AC_CHECK_FUNC(gethostbyname, ,[AC_CHECK_
AC_CHECK_FUNC(socket, ,[AC_CHECK_LIB(socket, socket)])
AC_CHECK_FUNC(connect, ,[AC_CHECK_LIB(inet, connect)])
AC_CHECK_FUNC(inet_aton, ,[AC_CHECK_LIB(resolv, inet_aton)])
+AC_CHECK_LIB(cap, cap_from_text, ,[AC_MSG_ERROR([cannot find libcap])])
AC_ARG_WITH(pcap, [],
[
diff -uprk.orig tcptraceroute-1.5beta6.orig/droppriv.c tcptraceroute-1.5beta6/droppriv.c
--- tcptraceroute-1.5beta6.orig/droppriv.c 1970-01-01 03:00:00 +0300
+++ tcptraceroute-1.5beta6/droppriv.c 2005-01-03 19:44:57 +0300
@@ -0,0 +1,97 @@
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <stdlib.h>
+#include <error.h>
+#include <errno.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
+
+#include <sys/capability.h>
+#include <sys/prctl.h>
+
+#include "droppriv.h"
+
+uid_t user_uid = -1;
+
+void
+priv_minimize (void)
+{
+ const char *dir = "/var/resolv";
+ cap_t caps;
+ uid_t uid;
+ gid_t gid;
+
+ user_uid = getuid ();
+ if (user_uid && geteuid())
+ return;
+
+ if (setgroups (0, NULL) < 0)
+ error (EXIT_FAILURE, errno, "setgroups");
+
+ if (prctl (PR_SET_KEEPCAPS, 1))
+ error (EXIT_FAILURE, errno, "prctl (PR_SET_KEEPCAPS, 1) failed");
+
+ if (user_uid == 0)
+ {
+ const char user[] = "iputils";
+ struct passwd *pw = getpwnam (user);
+
+ if (!pw)
+ error (EXIT_FAILURE, 0, "lookup of user \"%s\" failed", user);
+
+ gid = pw->pw_gid;
+ uid = pw->pw_uid;
+ endpwent ();
+
+ if (uid == 0)
+ error (EXIT_FAILURE, 0, "user \"%s\" shouldn't be root", user);
+ } else {
+ uid = user_uid;
+ gid = getgid ();
+ }
+
+ if (chroot (dir) < 0 || chdir ("/") < 0)
+ error (EXIT_FAILURE, errno, "chroot to \"%s\" failed", dir);
+
+ if (setgid (gid) < 0)
+ error (EXIT_FAILURE, errno, "setgid");
+
+ caps = cap_from_text ("cap_setuid,cap_net_raw,cap_net_bind_service=ep");
+ if (!caps)
+ error (EXIT_FAILURE, errno, "cap_from_text failed");
+
+ if (cap_set_proc (caps) < 0)
+ error (EXIT_FAILURE, errno, "cap_set_proc failed");
+
+ cap_free (caps);
+
+ if (setreuid (uid, uid) < 0)
+ error (EXIT_FAILURE, errno, "setreuid");
+
+ caps = cap_from_text ("cap_net_raw,cap_net_bind_service=ep");
+ if (!caps)
+ error (EXIT_FAILURE, errno, "cap_from_text failed");
+
+ if (cap_set_proc (caps) < 0)
+ error (EXIT_FAILURE, errno, "cap_set_proc failed");
+
+ cap_free (caps);
+}
+
+void
+priv_drop (void)
+{
+ cap_t caps;
+
+ caps = cap_from_text ("all-ep");
+ if (!caps)
+ error (EXIT_FAILURE, errno, "cap_from_text failed");
+
+ if (cap_set_proc (caps) < 0)
+ error (EXIT_FAILURE, errno, "cap_set_proc failed");
+
+ cap_free (caps);
+}
diff -uprk.orig tcptraceroute-1.5beta6.orig/droppriv.h tcptraceroute-1.5beta6/droppriv.h
--- tcptraceroute-1.5beta6.orig/droppriv.h 1970-01-01 03:00:00 +0300
+++ tcptraceroute-1.5beta6/droppriv.h 2005-01-03 19:44:57 +0300
@@ -0,0 +1,12 @@
+#ifndef TCPTRACEROUTE_DROPPRIV_H__
+#define TCPTRACEROUTE_DROPPRIV_H__
+
+#include <sys/types.h>
+
+extern void priv_minimize(void);
+extern void priv_drop(void);
+
+extern uid_t user_uid;
+
+#endif /* TCPTRACEROUTE_DROPPRIV_H__ */
+
diff -uprk.orig tcptraceroute-1.5beta6.orig/main.c tcptraceroute-1.5beta6/main.c
--- tcptraceroute-1.5beta6.orig/main.c 2005-01-03 19:44:26 +0300
+++ tcptraceroute-1.5beta6/main.c 2005-01-03 19:47:27 +0300
@@ -21,6 +21,7 @@
*/
#include "tcptraceroute.h"
+#include "droppriv.h"
/* globals */
u_long dst_ip, src_ip, isn;
@@ -249,6 +250,8 @@ int main(int argc, char **argv)
char *optstring, *s;
int op, i, exitcode;
+ priv_minimize();
+
src_ip = 0;
src_prt = 0;
dst_prt = DEFAULT_PORT;
@@ -450,7 +453,7 @@ int main(int argc, char **argv)
case 'P': /* ARG */
o_forceport = 1;
case 'p': /* ARG */
- if (getuid()) fatal("Sorry, must be root to use -p\n");
+ if (user_uid) fatal("Sorry, must be root to use -p\n");
src_prt = checknumericarg();
debug("src_prt set to %d\n", src_prt);
break;
@@ -466,7 +469,7 @@ int main(int argc, char **argv)
break;
case 's': /* ARG */
- if (getuid()) fatal("Sorry, must be root to use -s\n");
+ if (user_uid) fatal("Sorry, must be root to use -s\n");
src = optarg;
break;
@@ -529,13 +532,10 @@ int main(int argc, char **argv)
usage(1);
}
- if (getuid() & geteuid())
- fatal("Got root?\n");
-
initlibnet();
defaults();
initcapture();
- setuid(getuid());
+ priv_drop();
exitcode = trace();
#if (LIBNET_API_VERSION >= 110)
libnet_destroy(libnet_context);
diff -uprk.orig tcptraceroute-1.5beta6.orig/Makefile.am tcptraceroute-1.5beta6/Makefile.am
--- tcptraceroute-1.5beta6.orig/Makefile.am 2004-12-28 02:57:56 +0300
+++ tcptraceroute-1.5beta6/Makefile.am 2005-01-03 19:48:23 +0300
@@ -1,5 +1,5 @@
bin_PROGRAMS = tcptraceroute
-tcptraceroute_SOURCES = main.c datalink.c util.c probe.c capture.c
+tcptraceroute_SOURCES = main.c datalink.c util.c probe.c capture.c droppriv.c
man_MANS = tcptraceroute.1
docdir = $(datadir)/doc/tcptraceroute