tcpdump mailing list archives
Re: chroot and setuid [Re: OpenBSD work on Tcpdump privilege separation]
From: Andrew Pimlott <andrew () pimlott net>
Date: Thu, 26 Feb 2004 15:05:50 -0500
On Thu, Feb 26, 2004 at 09:47:26PM +0200, Pekka Savola wrote:
> On Thu, 26 Feb 2004, Andrew Pimlott wrote:
> > - It is really not much trouble to drop root in the setuid root case.
> >   The appended patch does this. Note that now, geteuid() is the
> >   appropriate thing to check, above.
>
> Hmm.. IMHO, the code gets a bit harder to follow: to trace whether it
> works fine you'll have to check a bunch of calls to check that all the
> seteuid()'s are really dropped properly .. this makes it harder to
> understand; that's why I have wanted to avoid this.

True.

> My argument is that setuid-tcpdump is already such a wacky corner case
> that adding code to deal with that isn't probably worth the effort.

I also tend to agree, but Jefferson had the opinion that it is kind to protect these wacky people as well. :-)

> > - initgroups does not really work after chroot, because it needs to
> >   open the groups file. On my (Linux) system, it seems to fall back to
> >   setting only the given gid, however it might behave less gracefully
> >   on other systems. I think it is better to initgroups before chroot.
>
> Good point. Or simpler, just do 'setgroups(0, NULL)' instead of
> initgroups? Not maybe pedantically 100% correct, but serves the
> purpose..

I agree.

> > - The resolver problem appears to be serious. I doubt there is any
> >   system that can do name resolution in a chroot, at least without
> >   somehow preparing beforehand. My system appears to fall back
> >   gracefully to printing numbers, but I don't think this regression is
> >   acceptable. Is it possible that if you do a gethostbyaddr before the
> >   chroot, it will read/open all necessary files, so that it will still
> >   work after the chroot? If this can't be made to work on all
> >   platforms, an option not to chroot is required.
>
> Hmm.. this should be looked at, I guess. Remember though that
> gethostbyaddr is possibly not enough as one could look up IPv6 records
> too.

So the problem seems rather intractable. Unless someone comes up with a clever solution, I'm afraid that chrooting when the -n option is not specified (ie, when the user expects name resolution) will break users' expectations. That's a shame.

Andrew
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
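
The ordering discussed in this message (check geteuid(), clear the supplementary groups before chroot, then give up root and confirm it cannot be regained), as an added example that is not from the thread or from tcpdump's source. The helper name drop_root and its user/dir parameters are hypothetical, and the sketch does nothing about the resolver problem.

```c
#define _DEFAULT_SOURCE        /* glibc: expose setgroups() and chroot() */
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper (assumption, not tcpdump code). Returns 0 once the
 * process is confined to `dir` and runs as `user`; -1 on any failure, in
 * which case the caller should exit rather than continue. */
int drop_root(const char *user, const char *dir)
{
    struct passwd *pw;

    if (user == NULL || dir == NULL)
        return -1;
    /* Look the account up while the passwd database is still reachable. */
    if ((pw = getpwnam(user)) == NULL)
        return -1;
    /* Effective uid is the right test: it is 0 for real root and for a
     * setuid-root binary started by an ordinary user. */
    if (geteuid() != 0)
        return -1;
    /* Group setup happens before chroot(): initgroups() would need the
     * groups file, so the supplementary list is simply cleared. */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    /* gid first: once the uid is dropped, setgid() is no longer allowed. */
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    /* Verify the drop is permanent: getting root back must fail. */
    if (pw->pw_uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user chroot-dir\n", argv[0]);
        return 2;
    }
    if (drop_root(argv[1], argv[2]) != 0) {
        fprintf(stderr, "drop_root failed, refusing to continue\n");
        return 1;
    }
    printf("now uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```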