authorOtto Moerbeek <otto@cvs.openbsd.org>2005-09-23 15:42:52 +0000
committerOtto Moerbeek <otto@cvs.openbsd.org>2005-09-23 15:42:52 +0000
commitfe06cc838890b5c5a3ab2fb610974a8f4970d555 (patch)
tree4e5a85f1722e90e53ef232c65e141987fdcfb879
parentc6751ddd5011ec637da63d4bbf84bb1de1ed6567 (diff)
Only allow root to run tcpdump. It's needed for the chroot security.
ok moritz@ deraadt@
-rw-r--r--usr.sbin/tcpdump/privsep.c54
1 files changed, 24 insertions, 30 deletions
diff --git a/usr.sbin/tcpdump/privsep.c b/usr.sbin/tcpdump/privsep.c
index ba885e10a1e..3eca83e5e11 100644
--- a/usr.sbin/tcpdump/privsep.c
+++ b/usr.sbin/tcpdump/privsep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: privsep.c,v 1.21 2005/05/23 06:56:42 otto Exp $ */
+/* $OpenBSD: privsep.c,v 1.22 2005/09/23 15:42:51 otto Exp $ */
/*
* Copyright (c) 2003 Can Erkin Acar
@@ -137,6 +137,9 @@ priv_init(int argc, char **argv)
char *RFileName = NULL;
char *WFileName = NULL;
+ if (geteuid() != 0)
+ errx(1, "need root privileges");
+
closefrom(STDERR_FILENO + 1);
for (i = 1; i < _NSIG; i++)
signal(i, SIG_DFL);
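Review bot: The new guard at the top of priv_init tests only `geteuid()`, so it would still pass for an unprivileged invoker if the binary were ever installed setuid-root; the suid branch removed in the next hunk suggests that installation was once anticipated. If the intent is that only root may invoke tcpdump, `if (getuid() != 0 || geteuid() != 0)` states that directly. Otherwise a comment should record the assumption, e.g. `/* chroot(2) below needs root; tcpdump must not be installed setuid */`. priv_init begins and continues outside this hunk, so how the privileged side treats the invoker's real uid is not visible here.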
@@ -150,35 +153,26 @@ priv_init(int argc, char **argv)
err(1, "fork() failed");
if (child_pid) {
- if (getuid() == 0) {
- /* Parent, drop privileges to _tcpdump */
- pw = getpwnam("_tcpdump");
- if (pw == NULL)
- errx(1, "unknown user _tcpdump");
-
- /* chroot, drop privs and return */
- if (chroot(pw->pw_dir) != 0)
- err(1, "unable to chroot");
- if (chdir("/") != 0)
- err(1, "unable to chdir");
-
- /* drop to _tcpdump */
- if (setgroups(1, &pw->pw_gid) == -1)
- err(1, "setgroups() failed");
- if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1)
- err(1, "setresgid() failed");
- if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
- err(1, "setresuid() failed");
- endpwent();
- } else {
- /* Parent - drop suid privileges */
- gid = getgid();
- uid = getuid();
- if (setresgid(gid, gid, gid) == -1)
- err(1, "setresgid() failed");
- if (setresuid(uid, uid, uid) == -1)
- err(1, "setresuid() failed");
- }
+ /* Parent, drop privileges to _tcpdump */
+ pw = getpwnam("_tcpdump");
+ if (pw == NULL)
+ errx(1, "unknown user _tcpdump");
+
+ /* chroot, drop privs and return */
+ if (chroot(pw->pw_dir) != 0)
+ err(1, "unable to chroot");
+ if (chdir("/") != 0)
+ err(1, "unable to chdir");
+
+ /* drop to _tcpdump */
+ if (setgroups(1, &pw->pw_gid) == -1)
+ err(1, "setgroups() failed");
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1)
+ err(1, "setresgid() failed");
+ if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
+ err(1, "setresuid() failed");
+ endpwent();
+
close(socks[0]);
priv_fd = socks[1];
return (0);
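Review bot: With the `else` branch gone, nothing in this hunk assigns or reads `uid` and `gid` any more. The diffstat's 24 insertions and 30 deletions are fully accounted for by the three hunks shown, so their declarations were not removed and are probably dead locals in priv_init now; drop them unless code outside the hunk still uses them. The now-unconditional drop sequence would also benefit from a comment stating that the order is deliberate, e.g. `/* chroot while still root, then shed groups, gid and finally uid; each step needs the privilege the next one removes */`. priv_init starts and ends outside the hunk.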