
Группа :: Мониторинг
Пакет: nmap


Патч: nmap-4.20-alt-owl-drop-priv.patch


diff -urpN nmap-4.20-autoheader/MACLookup.cc nmap-4.20/MACLookup.cc
--- nmap-4.20-autoheader/MACLookup.cc	2006-11-06 02:14:45 +0000
+++ nmap-4.20/MACLookup.cc	2007-10-07 10:06:30 +0000
@@ -105,6 +105,7 @@
 #include "MACLookup.h"
 #include "nmap.h"
 #include "nmap_error.h"
+#include "droppriv.h"
 
 struct MAC_entry {
   int prefix; /* -1 means none set */
@@ -128,7 +129,7 @@ static inline int MACTableHash(int prefi
   return prefix % table_capacity;
 }
 
-static void mac_prefix_init() {
+void mac_prefix_init() {
   static int initialized = 0;
   if (initialized) return;
   initialized = 1;
diff -urpN nmap-4.20-autoheader/Makefile.in nmap-4.20/Makefile.in
--- nmap-4.20-autoheader/Makefile.in	2006-12-08 02:53:47 +0000
+++ nmap-4.20/Makefile.in	2007-10-07 09:34:54 +0000
@@ -48,11 +48,11 @@ TARGET = nmap
 TARGETNMAPFE=@TARGETNMAPFE@
 INSTALLNMAPFE=@INSTALLNMAPFE@
 
-export SRCS = main.cc nmap.cc targets.cc tcpip.cc nmap_error.cc utils.cc idle_scan.cc osscan.cc osscan2.cc output.cc scan_engine.cc timing.cc charpool.cc services.cc protocols.cc nmap_rpc.cc portlist.cc NmapOps.cc TargetGroup.cc Target.cc FingerPrintResults.cc service_scan.cc NmapOutputTable.cc MACLookup.cc nmap_tty.cc nmap_dns.cc @COMPAT_SRCS@
+export SRCS = main.cc nmap.cc targets.cc tcpip.cc nmap_error.cc utils.cc idle_scan.cc osscan.cc osscan2.cc output.cc scan_engine.cc timing.cc charpool.cc services.cc protocols.cc nmap_rpc.cc portlist.cc NmapOps.cc TargetGroup.cc Target.cc FingerPrintResults.cc service_scan.cc NmapOutputTable.cc MACLookup.cc nmap_tty.cc nmap_dns.cc droppriv.cc @COMPAT_SRCS@
 
-export HDRS = charpool.h FingerPrintResults.h global_structures.h idle_scan.h MACLookup.h nmap_amigaos.h nmap_dns.h nmap_error.h nmap.h NmapOps.h NmapOutputTable.h nmap_rpc.h nmap_tty.h nmap_winconfig.h osscan.h osscan2.h output.h portlist.h protocols.h scan_engine.h service_scan.h services.h TargetGroup.h Target.h targets.h tcpip.h timing.h utils.h
+export HDRS = charpool.h FingerPrintResults.h global_structures.h idle_scan.h MACLookup.h nmap_amigaos.h nmap_dns.h nmap_error.h nmap.h NmapOps.h NmapOutputTable.h nmap_rpc.h nmap_tty.h nmap_winconfig.h osscan.h osscan2.h output.h portlist.h protocols.h scan_engine.h service_scan.h services.h TargetGroup.h Target.h targets.h tcpip.h timing.h utils.h droppriv.h
 
-OBJS = main.o nmap.o targets.o tcpip.o nmap_error.o utils.o idle_scan.o osscan.o osscan2.o output.o scan_engine.o timing.o charpool.o services.o protocols.o nmap_rpc.o portlist.o NmapOps.o TargetGroup.o Target.o FingerPrintResults.o service_scan.o NmapOutputTable.o MACLookup.o nmap_tty.o nmap_dns.o @COMPAT_OBJS@
+OBJS = main.o nmap.o targets.o tcpip.o nmap_error.o utils.o idle_scan.o osscan.o osscan2.o output.o scan_engine.o timing.o charpool.o services.o protocols.o nmap_rpc.o portlist.o NmapOps.o TargetGroup.o Target.o FingerPrintResults.o service_scan.o NmapOutputTable.o MACLookup.o nmap_tty.o nmap_dns.o droppriv.o @COMPAT_OBJS@
 
 # %.o : %.cc -- nope this is a GNU extension
 .cc.o:
diff -urpN nmap-4.20-autoheader/configure.ac nmap-4.20/configure.ac
--- nmap-4.20-autoheader/configure.ac	2007-10-07 09:35:33 +0000
+++ nmap-4.20/configure.ac	2007-10-07 09:36:25 +0000
@@ -666,6 +666,49 @@ if test $ac_cv_ip_has_ip_sum = yes ; the
         AC_DEFINE(HAVE_IP_IP_SUM, 1, [Define to 1 for ip_sum member])
 fi
 
+try_drop_priv=no
+AC_CHECK_HEADERS(grp.h sys/capability.h sys/prctl.h)
+AC_CHECK_FUNC(chroot)
+AC_CHECK_FUNC(prctl,
+  [AC_CHECK_FUNC(setgid,
+    [AC_CHECK_FUNC(setgroups,
+      [AC_CHECK_FUNC(setreuid,
+        [try_drop_priv=yes
+	AC_CHECK_LIB(cap, cap_from_text, , [try_drop_priv=no])]
+      )]
+    )]
+  )]
+)
+
+AC_ARG_WITH(user,
+  [  --with-user=USERNAME    Lower root privileges by switching to user USERNAME])
+AC_MSG_CHECKING([whether to lower root privileges by default])
+if test -z "$with_user" -o "$try_drop_priv" = "no"; then
+       AC_MSG_RESULT(no)
+else
+       AC_DEFINE_UNQUOTED(NMAP_USER, "$withval", [Define user to switch during lowering privileges])
+       AC_MSG_RESULT(to \"$withval\")
+fi
+
+AC_ARG_WITH(chroot-empty,
+  [  --with-chroot-empty=DIRECTORY When lowering privileges and -n option is given, chroot to empty DIRECTORY])
+AC_MSG_CHECKING([whether to chroot when -n option is given])
+if test -z "$with_chroot_empty" -o "$try_drop_priv" = "no" -o "$ac_cv_func_chroot" = no; then
+       AC_MSG_RESULT(no)
+else
+       AC_DEFINE_UNQUOTED(NMAP_CHROOT_EMPTY, "$withval", [Define directory to chroot during lowering privileges if -n option is given])
+       AC_MSG_RESULT(to \"$withval\")
+fi
+
+AC_ARG_WITH(chroot-resolv,
+  [  --with-chroot-resolv=DIRECTORY When lowering privileges and -n option is not given, chroot to resolver DIRECTORY])
+AC_MSG_CHECKING([whether to chroot when -n option is not given])
+if test -z "$with_chroot_resolv" -o "$try_drop_priv" = "no" -o "$ac_cv_func_chroot" = no; then
+       AC_MSG_RESULT(no)
+else
+       AC_DEFINE_UNQUOTED(NMAP_CHROOT_RESOLV, "$withval", [Define directory to chroot during lowering privileges if -n option is not given])
+       AC_MSG_RESULT(to \"$withval\")
+fi
 
 dnl Checks for library functions.
 dnl AC_TYPE_SIGNAL
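Review bot: A build configured with `--with-user=USERNAME` silently ends up without privilege dropping when `try_drop_priv` is `no`, because the first branch of the `with_user` test only prints `no`; the packager gets a binary that keeps full root and configure reports success. When the option was given explicitly, that case should stop the build, for example with `AC_MSG_ERROR([--with-user needs prctl, setgid, setgroups, setreuid and libcap])`. The `test -z "$with_user"` check also accepts the values `no` and `yes` (from `--without-user` or a bare `--with-user`) as user names, so NMAP_USER would be defined as "no" or "yes"; the two chroot options have the same gap. Reading `$with_user`, `$with_chroot_empty` and `$with_chroot_resolv` directly, instead of `$withval` outside the AC_ARG_WITH action, would keep the three blocks independent of each other.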
diff -urpN nmap-4.20-autoheader/droppriv.cc nmap-4.20/droppriv.cc
--- nmap-4.20-autoheader/droppriv.cc	1970-01-01 00:00:00 +0000
+++ nmap-4.20/droppriv.cc	2007-10-07 11:38:57 +0000
@@ -0,0 +1,93 @@
+#include "nmap.h"
+#include "droppriv.h"
+
+#ifndef NMAP_USER
+
+void drop_priv(void) {}
+
+#else
+
+#if HAVE_GRP_H
+# include <grp.h>
+#endif
+#if HAVE_SYS_CAPABILITY_H
+# include <sys/capability.h>
+#endif
+#if HAVE_SYS_PRCTL_H
+# include <sys/prctl.h>
+#endif
+
+#include "NmapOps.h"
+extern NmapOps o;		/* option structure */
+
+#ifndef NMAP_CHROOT_EMPTY
+# ifdef NMAP_CHROOT_RESOLV
+#  define NMAP_CHROOT_EMPTY NMAP_CHROOT_RESOLV
+# else
+#  define NMAP_CHROOT_EMPTY NULL
+# endif
+#endif
+
+#ifndef NMAP_CHROOT_RESOLV
+# define NMAP_CHROOT_RESOLV NULL
+#endif
+
+const char *
+drop_priv_dir(void)
+{
+	return o.noresolve ? NMAP_CHROOT_EMPTY : NMAP_CHROOT_RESOLV;
+}
+
+void
+drop_priv(void)
+{
+	const char *user = NMAP_USER;
+	const char *dir;
+	struct passwd *pw;
+	cap_t   caps;
+
+	if (geteuid())
+		return;
+
+	nmap_services_init();
+	nmap_protocols_init();
+	rpc_services_init();
+	AllProbes::service_scan_init();
+	routethrough_init();
+	mac_prefix_init();
+	if (!o.noresolve) etchosts_init();
+
+	if (setgroups(0, 0) < 0)
+		fatal("setgroups failed");
+
+	if (prctl(PR_SET_KEEPCAPS, 1))
+		fatal("prctl PR_SET_KEEPCAPS failed");
+
+	if (!(pw = getpwnam(user)))
+		fatal("lookup of user \"%s\" failed", user);
+	endpwent();
+
+	if (!pw->pw_uid)
+		fatal("user \"%s\" shouldn't be root", user);
+
+	dir = drop_priv_dir();
+	if (dir && (chroot(dir) || chdir("/")))
+		fatal("chroot to \"%s\" failed", dir);
+
+	if (setgid(pw->pw_gid) < 0)
+		fatal("setgid failed");
+
+	if (setreuid(pw->pw_uid, pw->pw_uid) < 0)
+		fatal("setreuid failed");
+
+	caps = cap_from_text("cap_net_raw=ep");
+	if (!caps)
+		fatal("cap_from_text failed");
+
+	if (cap_set_proc(caps) < 0)
+		fatal("cap_set_proc failed");
+
+	cap_free(caps);
+}
+
+#endif /* NMAP_USER */
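Review bot: The `#ifndef NMAP_USER` branch defines only the empty `drop_priv()`, but droppriv.h declares `drop_priv_dir()` unconditionally and the nmap.cc hunk calls it in every build, so a build without `--with-user` has no definition to link against; the stub branch needs a `drop_priv_dir()` that returns NULL. In the real `drop_priv()` the keep-capabilities flag set by `prctl(PR_SET_KEEPCAPS, 1)` is never cleared, and nothing confirms that the switch is one-way; the excerpt below clears the flag after `cap_set_proc()` and aborts if uid 0 can still be regained. The return values of `nmap_services_init()` and `nmap_protocols_init()` are ignored, which presumably matters once the chroot makes those data files unreachable. A header comment stating the order of operations (preload data, clear groups, chroot, setgid, setreuid, reduce to cap_net_raw) would help the next person who touches this function.

```cpp
#ifndef NMAP_USER

const char *drop_priv_dir(void) { return NULL; }
void drop_priv(void) {}

#else
/* … unchanged: includes, NMAP_CHROOT_* defaults, drop_priv_dir(), drop_priv() up to cap_set_proc() … */
	cap_free(caps);

	/* Later uid changes must not carry capabilities along. */
	if (prctl(PR_SET_KEEPCAPS, 0))
		fatal("prctl PR_SET_KEEPCAPS reset failed");

	/* The switch has to be one-way: regaining uid 0 must fail. */
	if (setuid(0) == 0)
		fatal("privileges could be regained after drop");
```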
diff -urpN nmap-4.20-autoheader/droppriv.h nmap-4.20/droppriv.h
--- nmap-4.20-autoheader/droppriv.h	1970-01-01 00:00:00 +0000
+++ nmap-4.20/droppriv.h	2007-10-07 11:39:28 +0000
@@ -0,0 +1,13 @@
+#ifndef NMAP_DROPPRIV_H__
+#define NMAP_DROPPRIV_H__
+
+extern const char *drop_priv_dir(void);
+extern void drop_priv(void);
+extern int nmap_services_init(void);
+extern int nmap_protocols_init(void);
+extern void rpc_services_init(void);
+extern void routethrough_init(void);
+extern void mac_prefix_init(void);
+extern void etchosts_init(void);
+
+#endif /* NMAP_DROPPRIV_H__ */
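Review bot: The include guard `NMAP_DROPPRIV_H__` contains a double underscore, which C++ reserves for the implementation; `NMAP_DROPPRIV_H` avoids that. The header also re-declares initializers that are defined in services.cc, protocols.cc, nmap_rpc.cc, tcpip.cc, MACLookup.cc and nmap_dns.cc, so their prototypes live away from the modules that own them; declaring each one in its module's own header would be the more usual layout. A one-line comment on `drop_priv_dir()` saying that it returns NULL when no chroot directory is configured would document the contract the nmap.cc condition relies on.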
diff -urpN nmap-4.20-autoheader/nmap.cc nmap-4.20/nmap.cc
--- nmap-4.20-autoheader/nmap.cc	2006-10-14 06:03:54 +0000
+++ nmap-4.20/nmap.cc	2007-10-07 11:40:01 +0000
@@ -106,6 +106,7 @@
 #include "scan_engine.h"
 #include "idle_scan.h"
 #include "timing.h"
+#include "droppriv.h"
 #include "NmapOps.h"
 #include "MACLookup.h"
 #include "nmap_tty.h"
@@ -1098,9 +1099,10 @@ int nmap_main(int argc, char *argv[]) {
   if (pre_host_timeout != -1) o.host_timeout = pre_host_timeout;
 
 
-  if (o.osscan == OS_SCAN_SYS_1_ONLY)
+  if (o.osscan == OS_SCAN_SYS_1_ONLY ||
+      (o.osscan != OS_SCAN_SYS_2_ONLY && drop_priv_dir()))
     o.reference_FPs1 = parse_fingerprint_reference_file("nmap-os-fingerprints");
-  else if (o.osscan == OS_SCAN_DEFAULT || o.osscan == OS_SCAN_SYS_2_ONLY)
+  if (o.osscan == OS_SCAN_DEFAULT || o.osscan == OS_SCAN_SYS_2_ONLY)
     o.reference_FPs = parse_fingerprint_reference_file("nmap-os-db");
 
   o.ValidateOptions();
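Review bot: The new condition `o.osscan != OS_SCAN_SYS_2_ONLY && drop_priv_dir()` is true for every osscan value except OS_SCAN_SYS_2_ONLY, which presumably includes runs where OS detection was not requested at all, so a chroot-enabled build would parse nmap-os-fingerprints before the privilege drop on every invocation. If the intent is only to preload the first-generation database before the chroot makes it unreachable, `(o.osscan == OS_SCAN_DEFAULT && drop_priv_dir())` limits the extra parsing to the case that can need it. `drop_priv_dir()` also returns a directory when the process is not root, although `drop_priv()` then returns early and no chroot happens. nmap_main starts and ends outside this hunk.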
@@ -1217,6 +1219,8 @@ int nmap_main(int argc, char *argv[]) {
       o.sendpref = PACKET_SEND_ETH_STRONG;
   }
 
+  drop_priv();
+
   if (!ports) {
     if (o.ipprotscan) {
       ports = getdefaultprots();
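Review bot: The added `drop_priv();` call has no comment, yet its position is the security boundary of the whole patch: code above it in nmap_main runs with the starting privileges, code below it runs after the switch. I would add `/* Privilege boundary: when built with NMAP_USER and started as root, everything below runs as that user with only CAP_NET_RAW, possibly chrooted; data files must be loaded above this line. */` so that later changes do not add file access below it by accident. nmap_main starts and ends outside this hunk.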
diff -urpN nmap-4.20-autoheader/nmap_dns.cc nmap-4.20/nmap_dns.cc
--- nmap-4.20-autoheader/nmap_dns.cc	2006-09-02 20:33:57 +0000
+++ nmap-4.20/nmap_dns.cc	2007-10-07 10:09:02 +0000
@@ -160,6 +160,7 @@
 #include <vector>
 
 #include "nmap.h"
+#include "droppriv.h"
 #include "NmapOps.h"
 #include "nmap_dns.h"
 #include "nsock.h"
@@ -1016,7 +1017,7 @@ static char *lookup_etchosts(u32 ip) {
 }
 
 
-static void etchosts_init(void) {
+void etchosts_init(void) {
   static int initialized = 0;
   if (initialized) return;
   initialized = 1;
diff -urpN nmap-4.20-autoheader/nmap_rpc.cc nmap-4.20/nmap_rpc.cc
--- nmap-4.20-autoheader/nmap_rpc.cc	2006-08-25 01:47:59 +0000
+++ nmap-4.20/nmap_rpc.cc	2007-10-07 09:36:25 +0000
@@ -103,6 +103,7 @@
 
 
 #include "nmap_rpc.h"
+#include "droppriv.h"
 #include "NmapOps.h"
 
 extern NmapOps o;
@@ -117,7 +118,7 @@ static unsigned long rpc_xid_base = (uns
 static size_t tcp_readlen=0; /* used in get_rpc_results but can be reset in 
 			    send_rpc_query */
 
-static void rpc_services_init() {
+void rpc_services_init() {
   static int services_initialized = 0;
   if (services_initialized) return;
   services_initialized = 1;
diff -urpN nmap-4.20-autoheader/protocols.cc nmap-4.20/protocols.cc
--- nmap-4.20-autoheader/protocols.cc	2006-09-05 08:39:45 +0000
+++ nmap-4.20/protocols.cc	2007-10-07 09:36:25 +0000
@@ -100,13 +100,14 @@
 /* $Id: protocols.cc 3943 2006-09-05 08:39:32Z fyodor $ */
 
 #include "protocols.h"
+#include "droppriv.h"
 #include "NmapOps.h"
 
 extern NmapOps o;
 static int numipprots = 0;
 static struct protocol_list *protocol_table[PROTOCOL_TABLE_SIZE];
 
-static int nmap_protocols_init() {
+int nmap_protocols_init() {
   static int protocols_initialized = 0;
   if (protocols_initialized) return 0;
 
diff -urpN nmap-4.20-autoheader/services.cc nmap-4.20/services.cc
--- nmap-4.20-autoheader/services.cc	2006-08-25 01:47:59 +0000
+++ nmap-4.20/services.cc	2007-10-07 09:36:25 +0000
@@ -100,6 +100,7 @@
 /* $Id: services.cc 3869 2006-08-25 01:47:49Z fyodor $ */
 
 #include "services.h"
+#include "droppriv.h"
 #include "NmapOps.h"
 
 extern NmapOps o;
@@ -107,7 +108,7 @@ static int numtcpports = 0;
 static int numudpports = 0;
 static struct service_list *service_table[SERVICE_TABLE_SIZE];
 
-static int nmap_services_init() {
+int nmap_services_init() {
   static int services_initialized = 0;
   if (services_initialized) return 0;
 
diff -urpN nmap-4.20-autoheader/tcpip.cc nmap-4.20/tcpip.cc
--- nmap-4.20-autoheader/tcpip.cc	2006-12-08 03:01:19 +0000
+++ nmap-4.20/tcpip.cc	2007-10-07 10:02:41 +0000
@@ -104,6 +104,7 @@
 #endif
 #include <dnet.h>
 #include "tcpip.h"
+#include "droppriv.h"
 #include "NmapOps.h"
 
 #if HAVE_SYS_TIME_H
@@ -2410,6 +2411,14 @@ void set_pcap_filter(const char *device,
   pcap_freecode(&fcode);
 }
 
+static FILE *routefp;
+
+void routethrough_init(void)
+{
+  if (!routefp)
+     routefp = fopen("/proc/net/route", "r");
+}
+
 /* The 'dev' passed in must be at least 32 bytes long */
 int ipaddr2devname( char *dev, const struct in_addr *addr ) {
 struct interface_info *mydevs;
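Review bot: `routefp` is now a file-scope handle that `routethrough_init()` opens and that only getsysroutes closes (the later hunk adding `fclose(routefp); routefp = NULL;`), so it stays open for the life of the process whenever that branch is not reached after `drop_priv()` has pre-opened it. getsysroutes keeps its result in static variables, so if it has already run before `drop_priv()`, the pre-opened handle would apparently never be consumed; the caching logic is outside the visible hunks, so this needs confirming. A comment on the declaration such as `/* Pre-opened by routethrough_init() before chroot; closed by getsysroutes(). */` would record the ownership. The silent fopen failure looks intended, since getsysroutes takes its else branch when `routefp` is NULL.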
@@ -2788,7 +2797,6 @@ struct sys_route *getsysroutes(int *howm
   int route_capacity = 128;
   static struct sys_route *routes = NULL;
   static int numroutes = 0;
-  FILE *routefp;
   char buf[1024];
   char iface[16];
   char *p, *endptr;
@@ -2805,7 +2813,7 @@ struct sys_route *getsysroutes(int *howm
     routes = (struct sys_route *) safe_zalloc(route_capacity * sizeof(struct sys_route));
     ifaces = getinterfaces(&numifaces);
     /* First let us try Linux-style /proc/net/route */
-    routefp = fopen("/proc/net/route", "r");
+    routethrough_init();
     if (routefp) {
       (void) fgets(buf, sizeof(buf), routefp); /* Kill the first line (column headers) */
       while(fgets(buf,sizeof(buf), routefp)) {
@@ -2888,6 +2896,8 @@ struct sys_route *getsysroutes(int *howm
 	  routes = (struct sys_route *) realloc(routes, route_capacity * sizeof(struct sys_route));
 	}
       }
+      fclose(routefp);
+      routefp = NULL;
     } else {
       struct dnet_collector_route_nfo dcrn;
       dcrn.routes = routes;
 