Re: OpenBSD work on Tcpdump privilege separation

[Pekka Savola <pekkas () netcore fi>]

On Tue, 24 Feb 2004, Andrew Pimlott wrote:
> This is complicated slightly by the setuid case, where need to drop the
> euid before opening any files.  Pekka simply calls setuid(getuid())
> (which permanently changes back to the running user) to achieve this.
> This means that we can not run droproot() in the setuid case.
> (Actually, Pekka's code tries to run droproot after having called
> setuid, fails, and exits.  For example, I compiled tcpdump
> --with-user=nobody, chmoded it setuid root, and ran it as myself:
>
>     % ./tcpdump.setuid 
>     Couldn't change to 'nobody' uid=65534 gid=65534
>
> )

Yep, setuid is possibly borked in a few corner cases -- I haven't
tested it.  I assume folks don't compile with --with-user when they
want to enable setuid (pretty seldom, I guess).  But with extra
checking, this might be avoidable.

My threat analysis is that dropping root and chrooting when tcpdump is 
run as setuid is not worth the trouble.  Switching to the getuid() is 
sufficient: you'll just hose the account you run tcpdump as, not root.

> In my patch, I tried to handle this by only dropping euid before opening
> files, so that we can later restore euid and do a full droproot(), which
> is (arguably) better than just dropping back to ruid.  

My argument against this is that even if you drop euid, if
compromised, the attacker can restore the privileges, so you aren't
adding much security, just more complexity.  I'd either drop the
privileges alltogether, or don't drop them at all.

> -/* Drop root privileges */
> +/* 
> + * Drop privileges.  Assumes we currently have euid 0.
> + * Parts cribbed from Wietse Venema's chrootuid.
> + */

IMHO, dropping root and chrooting should be two separate functions, as 
they serve two distinct purposes.

> +     if (mkdtemp(chrootdir) == NULL)
> +             error("couldn't create %s", chrootdir);
> +     if (chdir(chrootdir) != 0)
> +             error("couldn't chdir to %s", chrootdir);
> +     if (rmdir(chrootdir) != 0)
> +             error("couldn't remove %s", chrootdir);
> +     if (chroot(".") != 0)
> +             error("couldn't chroot");

you're rmdir'ing before chroot'ing ?

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe