Re: honeyd on Solaris 9

[Tobias Hahn <tobi_wan () gmx de>]

Hi,

I think I found the reason why honeyd won't start: I used "truss
honeyd..." (truss is like strace for Solaris) and it showed me that an
EACCES error occurs when the child process tries to access the /dev/poll
file descriptor which it inherited from its parent. Error message:

PID
8682:    open("/dev/poll", O_RDWR)            = 3
...
8683:    pwrite(3, 0x000D89F0, 16, 0)            Err#13 EACCES
8683:      \0\0\00F\001\0\0\0\0\005\001\0\0
8683:    ioctl(3, DP_POLL, 0xFFBFF548)            Err#13 EACCES
... 
8683:       i o c t l :   D P _ P O L L :   P e r m i s s i o n   d e n i e
8683:       d
8683:    write(2, "\n", 1)                = 1
8683:    _exit(0)
8682:    _exit(0)

Searching for a solution to this problem I found this (from
http://sundocs.princeton.edu:8888/ab2/coll.40.6/REFMAN7/@Ab2PageView/57113):

But the child process will have very limited access through this
inherited /dev/poll file descriptor. Any attempt to write or do ioctl by
the child process will result in an EACCES error.


Has anybody here ever got honeyd to work on a solaris machine?

Tobias


gangadhar npk schrieb:

> Just a thought.
> To confirm that libdnet might be causing problem, can you please try with writing a simple test case using libdnet 
> which does an intf_open() on any of the interfaces.
> I don't have access to a solaris box currently, but I will also try it. Do share your results.
> Best regards
> Gangadhar
>
> -----Original Message-----
> From: Tobias Hahn <tobi_wan () gmx de>
> To: honeypots () securityfocus com
> Date: Fri, 01 Jul 2005 08:28:33 +0200
> Subject: honeyd on Solaris 9
>
> Hi,
>
> I started debugging honeyd wit gdb and I think I found at least one
> reason why it's not working like I want it to. I compared the Solaris
> debugging output with the Suse 9.2 debugging output and this is what I got:
>
> ===SuseLinux9.2=========>>>>=========================
> 3106            interface_initialize(honeyd_recv_cb);
> (gdb) step
> interface_initialize (cb=0x81a64c0) at interface.c:83
> 83              TAILQ_INIT(&interfaces);
> (gdb)
> 85              if ((intf = intf_open()) == NULL)
> (gdb)
> intf_open () at intf.c:123
> 123             if ((intf = calloc(1, sizeof(*intf))) != NULL) {
> (gdb)
> 124                     intf->fd = intf->fd6 = -1;
> (gdb)
> 126                     if ((intf->fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
> (gdb)
> 137             return (intf);
> ========================<<<<=========================
>
>
>
> ===Solaris9=============>>>>=========================
> 3109            interface_initialize(honeyd_recv_cb);
> (gdb)
> interface_initialize (cb=0x1ef8c <honeyd_recv_cb>) at interface.c:83
> 83              TAILQ_INIT(&interfaces);
> (gdb)
> 85              if ((intf = intf_open()) == NULL)
> (gdb)
> 86                      err(1, "intf_open");
> (gdb)
> 85              if ((intf = intf_open()) == NULL)
> (gdb)
> 88              if_recv_cb = cb;
> (gdb)
> ========================<<<<=========================
>
> It seems to me that on Solaris there is a problem with opening the
> interface. intf_open() belongs to intf.c, which is one of the libdnet
> files.
>
> honeyd always ends just after
>
> 3205:fprintf(stderr, "Honeyd starting as background process\n");
> 3206:    if (daemon(1, 0) < 0) {
> 3207:        unlink(PIDFILE);
> 3208:        err(1, "daemon");
> 3209:    }
>
> line 3206 is the last one the gdb shows.
>
> I would really appreciate if somebody could help me with any of this.
>
> Thanks in advance,
>     Tobias
>
>
>
>
>
>
>
>
>