Re: chroot and setuid [Re: OpenBSD work on Tcpdump privilege separation]

[Pekka Savola <pekkas () netcore fi>]

Thanks for your good analysis.. some thoughts inline..

On Thu, 26 Feb 2004, Andrew Pimlott wrote:
> - You use "getuid() == 0 || geteuid() == 0" to check whether droproot
>   will be called.  Currently, they are the same, because we call
>   setuid(getuid()).  So the code would be clearer if it just used
>   getuid().  

True, I just copied this, didn't bother changing it.

> Also, it is redundant to check uid before setting
>   chroot_dir, username, since it will be checked before they are used.

Yep.  I didn't bother changing them because this was more of a 
cleanup, but it's better to do it :)
 
> - It is really not much trouble to drop root in the setuid root case.
>   The appended patch does this.  Note that now, geteuid() is the
>   appropriate thing to check, above.

Hmm.. IMHO, the code gets a bit harder to follow: to trace whether it 
works fine you'll have to check a bunch of calls to check that all the 
seteuid()'s are really dropped properly .. this makes it harder to 
understand; that's why I have wanted to avoid this.

My argument is that setuid-tcpdump is already such a wacky corner case 
that adding code to deal with that isn't probably worth the effort. 
 
> - initgroups does not really work after chroot, because it needs to open
>   the groups file.  On my (Linux) system, it seems to fall-back to
>   setting only the give gid, however it might behave less gracefully on
>   other systems.  I think it is better to initgroups before chroot.

Good point.  Or simpler, just do 'setgroups(0, NULL)' instead of 
initgroups?  Not maybe pedantically 100% correct, but serves the 
purpose..

> Regarding the side-effects of droproot:
>
> - The -C problem argues, perhaps, for detecting when the protocol
>   analyzers will not be used, ie, when we are just dumping.  Does anyone
>   actually use this?

Dunno.  I think we should add a warning to be printed with -C if 
username/chroot will be done.
 
> - The resolver problem appears to be serious.  I doubt there is any
>   system that can do name resolution in a chroot, at least without
>   somehow preparing beforehand.  My system appears to fall back
>   gracefully to printing numbers, but I don't think this regression is
>   acceptible.  Is it possible that if you do a gethostbyaddr before the
>   chroot, it will read/open all necessary files, so that it will still
>   work after the chroot?  If this can't be made to work on all
>   platforms, an option not to chroot is required.

Hmm.. this should be looked at, I guess.  Remember though that 
gethostbyaddr is possibly not enough as one could look up IPv6 records 
too.  

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings



-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe