Bugtraq mailing list archives

Re: mtr 0.45, 0.46


From: Matt Zimmerman <mdz () debian org>
Date: Thu, 7 Mar 2002 14:58:54 -0500

On Wed, Mar 06, 2002 at 06:53:31PM +0100, Rogier Wolff wrote:

> The mtr distribution doesn't install mtr setuid. Now, I must confess that
> I do it myself too. But I know the risks I'm taking (none: All people who
> have access to the setuid binary also have the root password).

Of course, this doesn't entirely eliminate the risk of installing mtr
setuid.  It is not an uncommon situation for an attacker to gain access to
the account of one of these trusted users without gaining immediate access
to their knowledge (the root password).

Have you considered moving the raw socket functionality to a small,
auditable, setuid helper program?  mtr itself could communicate with the
helper via a simple protocol over a pipe, and that would avoid the problem
of security bugs in the UI libraries.  If the helper only allows the minimum
functionality necessary for mtr to work (send/receive ICMP
ECHO_REQUEST/ECHO_RESPONSE with a local source address?), you could
successfully restrict the damage that could be done if the communication
channel were compromised.

-- 
 - mdz

