Bugtraq mailing list archives

Re: udp packet storms


From: maf () net ohio-state edu (Mark A. Fullmer)
Date: Sun, 30 Oct 1994 17:48:39 -0500 (EST)


John Hawkinson writes:

Egad, no! xinetd is HUGE, and is just way too big to run as root.

xinetd is nice, but it's very large, and has less functionality than
tcp_wrappers.  Plus, there are bugs, one of which is a missing initgroups()
which leaves you thinking a process that is running unprivileged isn't.

Add vendors that ship with g+w directories...


xinetd.2.1.1 patchlevel 3:


*** child.c.old Mon Jul 25 21:02:03 1994
--- child.c     Mon Jul 25 21:02:53 1994
***************
*** 14,19 ****
--- 14,20 ----
  #include <netinet/in.h>
  #include <syslog.h>
  #include <errno.h>
+ #include <pwd.h>
  
  #include "str.h"
  #include "pset.h"
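
Review bot: the only header added at the top of child.c is <pwd.h>, which covers getpwuid() and struct passwd but not initgroups(). That function is declared in <grp.h> on most systems (<unistd.h> on BSD), so unless child.c already includes it outside the lines shown, add the include here as well so the new call is checked against a prototype.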
***************
*** 126,136 ****
--- 127,150 ----
                if ( ps.ros.is_superuser )
                {
                        int gid = sc_getgid( scp ) ;
+                       struct passwd *pwd ;
  
                        if ( setgid( gid ) == -1 )
                        {
                                msg( LOG_ERR, func, "setgid failed: %m" ) ;
                                _exit( 1 ) ;
+                       }
+ 
+                       if (! (pwd = getpwuid ( SC_UID( scp ) ) ) )
+                       {
+                               msg( LOG_ERR, func, "getpwuid failed: %m" ) ;
+                               _exit( 1 ) ;
+                       }
+ 
+                       if ( initgroups(pwd->pw_name, pwd->pw_gid) )
+                       {
+                               msg( LOG_ERR, func, "initgroups failed: %m" ) ;
+                               _exit( 1 ) ;
                        }
                }
                else
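
Review bot: the initgroups() call at the end of the added block passes pwd->pw_gid as the base group, while the setgid() just above it uses gid from sc_getgid( scp ). If a service is configured with a group other than the user's passwd group, the child ends up with the passwd group in its supplementary list anyway; passing gid would keep the two calls consistent. Separately, getpwuid() returning NULL for a uid that has no passwd entry does not necessarily set errno, so "%m" in the "getpwuid failed" message can report a stale error; logging the uid that was looked up would be more useful.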


grep 'setuid' other things.  This error shows up in other software
too.

-- 
mark
maf+ () osu edu
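
The privilege-drop ordering the patch above is working toward, as an added example that is not part of the original post or of xinetd: drop_privileges() and leaked_groups() are hypothetical names, and the group IDs in main() are constructed sample values. drop_privileges() only succeeds when started as root; leaked_groups() is the comparison to run over getgroups() output when auditing other daemons for the same bug.

```c
#define _DEFAULT_SOURCE            /* exposes initgroups() on glibc */
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Count groups in have[] that are not in allowed[]. A non-zero result after
 * a privilege drop means groups inherited from the parent (root) survived. */
int leaked_groups(const gid_t *have, int nhave, const gid_t *allowed, int nallowed)
{
    int leaked = 0;
    for (int i = 0; i < nhave; i++) {
        int ok = 0;
        for (int j = 0; j < nallowed; j++)
            if (have[i] == allowed[j])
                ok = 1;
        leaked += !ok;
    }
    return leaked;
}

/* Drop from root to uid/gid. Order matters: supplementary groups and gid
 * must change while still root; setuid() goes last. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    struct passwd *pwd = getpwuid(uid);
    if (pwd == NULL)
        return -1;                       /* no passwd entry for uid */
    if (initgroups(pwd->pw_name, gid) == -1)
        return -1;                       /* replaces the inherited group list */
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;                       /* root is still reachable: fail closed */
    return 0;
}

int main(void)
{
    /* Constructed sample: group IDs a child still holds when it inherits a
     * root daemon's list and only setgid(100)/setuid() are called. */
    gid_t inherited[] = { 0, 3, 100 };
    gid_t allowed[]   = { 100 };
    printf("leaked groups without initgroups(): %d\n",
           leaked_groups(inherited, 3, allowed, 1));
    return 0;
}
```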


