tcpdump mailing list archives

Re: chroot and setuid [Re: OpenBSD work on Tcpdump privilege separation]


From: Andrew Pimlott <andrew () pimlott net>
Date: Thu, 26 Feb 2004 15:05:50 -0500

On Thu, Feb 26, 2004 at 09:47:26PM +0200, Pekka Savola wrote:
> On Thu, 26 Feb 2004, Andrew Pimlott wrote:
> > - It is really not much trouble to drop root in the setuid root case.
> >   The appended patch does this.  Note that now, geteuid() is the
> >   appropriate thing to check, above.
>
> Hmm.. IMHO, the code gets a bit harder to follow: to trace whether it
> works fine you'll have to check a bunch of calls to check that all the
> seteuid()'s are really dropped properly .. this makes it harder to
> understand; that's why I have wanted to avoid this.

True.

> My argument is that setuid-tcpdump is already such a wacky corner case
> that adding code to deal with that isn't probably worth the effort.

I also tend to agree, but Jefferson had the opinion that it is kind to
protect these wacky people as well.  :-)

> > - initgroups does not really work after chroot, because it needs to open
> >   the groups file.  On my (Linux) system, it seems to fall back to
> >   setting only the given gid, however it might behave less gracefully on
> >   other systems.  I think it is better to initgroups before chroot.
>
> Good point.  Or simpler, just do 'setgroups(0, NULL)' instead of
> initgroups?  Not maybe pedantically 100% correct, but serves the
> purpose..

I agree.

> > - The resolver problem appears to be serious.  I doubt there is any
> >   system that can do name resolution in a chroot, at least without
> >   somehow preparing beforehand.  My system appears to fall back
> >   gracefully to printing numbers, but I don't think this regression is
> >   acceptable.  Is it possible that if you do a gethostbyaddr before the
> >   chroot, it will read/open all necessary files, so that it will still
> >   work after the chroot?  If this can't be made to work on all
> >   platforms, an option not to chroot is required.
>
> Hmm.. this should be looked at, I guess.  Remember though that
> gethostbyaddr is possibly not enough as one could look up IPv6 records
> too.

So the problem seems rather intractable.  Unless someone comes up with a
clever solution, I'm afraid that chrooting when the -n option is not
specified (i.e., when the user expects name resolution) will break users'
expectations.  That's a shame.

Andrew
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
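The privilege-drop ordering this exchange converges on (clear supplementary groups before the chroot, since initgroups() cannot read the groups file afterwards; chroot() then chdir("/"); setgid() then setuid(); check geteuid() rather than getuid() for the setuid-root case), written out as an added example. This is not code from the thread or from tcpdump itself; the function name, the jail path and the uid/gid 65534 are assumptions, and it does nothing about the resolver problem the thread leaves open.

```c
#define _GNU_SOURCE          /* for chroot() and setgroups() prototypes */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop root and enter a chroot, in the order the thread settles on.
 * Returns 0 on success, 1 if there was nothing to drop (not root),
 * -1 on failure with errno set by the failing call. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    /* geteuid(), not getuid(): a setuid-root binary has uid != 0 but euid 0. */
    if (geteuid() != 0)
        return 1;

    /* Supplementary groups first: initgroups() would need the groups file,
     * which is unreachable once chrooted, so clear the list instead. */
    if (setgroups(0, NULL) == -1)
        return -1;

    /* chroot(), then chdir("/") so the working directory is inside the jail. */
    if (chroot(jail) == -1 || chdir("/") == -1)
        return -1;

    /* gid before uid: setgid() itself still needs root. */
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;

    /* Sanity check: if root can still be regained, the drop did not stick. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Assumed jail directory and uid/gid (65534 is "nobody" on many systems). */
    int rc = drop_privileges("/var/empty", 65534, 65534);
    if (rc == -1)
        perror("drop_privileges");
    else
        printf("drop_privileges: %s\n", rc ? "not root, nothing to drop" : "ok");
    return rc == -1;
}
```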