summaryrefslogtreecommitdiff
path: root/usr.sbin/tcpdump
diff options
context:
space:
mode:
authorMoritz Jodeit <moritz@cvs.openbsd.org>2006-04-22 19:26:06 +0000
committerMoritz Jodeit <moritz@cvs.openbsd.org>2006-04-22 19:26:06 +0000
commit554254748ba070f7afb59034cc4a0eef2ac9879d (patch)
tree0bd8f020502762be1adecddf1df13cb3e5f4472a /usr.sbin/tcpdump
parent8c222593b60c6f9647300c1b42eac8c4406d8dfe (diff)
Set signal handlers directly after the fork(2), so that we avoid
situations, where the privileged child dies before the unprivileged parent has set a signal handler for SIGCHLD. ok deraadt@ canacar@
Diffstat (limited to 'usr.sbin/tcpdump')
-rw-r--r--usr.sbin/tcpdump/privsep.c14
-rw-r--r--usr.sbin/tcpdump/tcpdump.c25
2 files changed, 28 insertions, 11 deletions
diff --git a/usr.sbin/tcpdump/privsep.c b/usr.sbin/tcpdump/privsep.c
index 9f27b403c7f..275cc52a5b7 100644
--- a/usr.sbin/tcpdump/privsep.c
+++ b/usr.sbin/tcpdump/privsep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: privsep.c,v 1.24 2006/04/22 17:24:33 moritz Exp $ */
+/* $OpenBSD: privsep.c,v 1.25 2006/04/22 19:26:05 moritz Exp $ */
/*
* Copyright (c) 2003 Can Erkin Acar
@@ -107,6 +107,8 @@ int priv_fd = -1;
volatile pid_t child_pid = -1;
static volatile sig_atomic_t cur_state = STATE_INIT;
+extern void set_slave_signals(void);
+
static void impl_open_bpf(int, int *);
static void impl_open_dump(int, const char *);
static void impl_open_output(int, const char *);
@@ -134,6 +136,7 @@ priv_init(int argc, char **argv)
char *cmdbuf, *infile = NULL;
char *RFileName = NULL;
char *WFileName = NULL;
+ sigset_t allsigs, oset;
if (geteuid() != 0)
errx(1, "need root privileges");
@@ -146,6 +149,9 @@ priv_init(int argc, char **argv)
if (socketpair(AF_LOCAL, SOCK_STREAM, PF_UNSPEC, socks) == -1)
err(1, "socketpair() failed");
+ sigfillset(&allsigs);
+ sigprocmask(SIG_BLOCK, &allsigs, &oset);
+
child_pid = fork();
if (child_pid < 0)
err(1, "fork() failed");
@@ -173,9 +179,15 @@ priv_init(int argc, char **argv)
close(socks[0]);
priv_fd = socks[1];
+
+ set_slave_signals();
+ sigprocmask(SIG_SETMASK, &oset, NULL);
+
return (0);
}
+ sigprocmask(SIG_SETMASK, &oset, NULL);
+
/* Child - drop suid privileges */
gid = getgid();
uid = getuid();
diff --git a/usr.sbin/tcpdump/tcpdump.c b/usr.sbin/tcpdump/tcpdump.c
index 06eb553be10..2a82c6329de 100644
--- a/usr.sbin/tcpdump/tcpdump.c
+++ b/usr.sbin/tcpdump/tcpdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcpdump.c,v 1.53 2006/04/22 17:24:33 moritz Exp $ */
+/* $OpenBSD: tcpdump.c,v 1.54 2006/04/22 19:26:05 moritz Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -26,7 +26,7 @@ static const char copyright[] =
"@(#) Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997\n\
The Regents of the University of California. All rights reserved.\n";
static const char rcsid[] =
- "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/tcpdump.c,v 1.53 2006/04/22 17:24:33 moritz Exp $ (LBL)";
+ "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/tcpdump.c,v 1.54 2006/04/22 19:26:05 moritz Exp $ (LBL)";
#endif
/*
@@ -219,7 +219,6 @@ main(int argc, char **argv)
char ebuf[PCAP_ERRBUF_SIZE], *WFileName = NULL;
pcap_handler printer;
struct bpf_program *fcode;
- RETSIGTYPE (*oldhandler)(int);
u_char *pcap_userdata;
u_int dlt = (u_int) -1;
@@ -450,13 +449,6 @@ main(int argc, char **argv)
}
init_addrtoname(localnet, netmask);
- setsignal(SIGTERM, cleanup);
- setsignal(SIGINT, cleanup);
- setsignal(SIGCHLD, gotchld);
- /* Cooperate with nohup(1) XXX is this still necessary/working? */
- if ((oldhandler = setsignal(SIGHUP, cleanup)) != SIG_DFL)
- (void)setsignal(SIGHUP, oldhandler);
-
if (WFileName) {
pcap_dumper_t *p;
@@ -654,6 +646,19 @@ default_print(register const u_char *bp, register u_int length)
}
}
+void
+set_slave_signals(void)
+{
+ RETSIGTYPE (*oldhandler)(int);
+
+ setsignal(SIGTERM, cleanup);
+ setsignal(SIGINT, cleanup);
+ setsignal(SIGCHLD, gotchld);
+ /* Cooperate with nohup(1) XXX is this still necessary/working? */
+ if ((oldhandler = setsignal(SIGHUP, cleanup)) != SIG_DFL)
+ (void)setsignal(SIGHUP, oldhandler);
+}
+
__dead void
usage(void)
{