authorTheo de Raadt <deraadt@cvs.openbsd.org>2015-10-03 02:22:39 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2015-10-03 02:22:39 +0000
commite6ea2cae69090581e070a62722d2287a63708510 (patch)
tree8c6216af9d36cba93c5125c1a25eae3120006568 /usr.sbin/traceroute
parentefed3bc136ab175fcf7cfe61fd0b35383cfd0dcc (diff)
like ping, traceroute is a setuid root priv-drop which holds a sockraw.
we can tame it substantially with "stdio inet", plus "dns" if the -n option is missing. a successful exploit against it then cannot create files, or perform a variety of other operations, as described in the tame(2) man page. florian helped me a fair bit hoisting initialization code upwards in ping, ping6, and traceroute, to make tame work here.
Diffstat (limited to 'usr.sbin/traceroute')
-rw-r--r--usr.sbin/traceroute/traceroute.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/usr.sbin/traceroute/traceroute.c b/usr.sbin/traceroute/traceroute.c
index 2e8ceda859c..b25984e8bf8 100644
--- a/usr.sbin/traceroute/traceroute.c
+++ b/usr.sbin/traceroute/traceroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: traceroute.c,v 1.141 2015/08/30 22:10:57 florian Exp $ */
+/* $OpenBSD: traceroute.c,v 1.142 2015/10/03 02:22:38 deraadt Exp $ */
/* $NetBSD: traceroute.c,v 1.10 1995/05/21 15:50:45 mycroft Exp $ */
/*
@@ -844,6 +844,14 @@ main(int argc, char *argv[])
sizeof(datalen)) < 0)
err(6, "SO_SNDBUF");
+ if (nflag) {
+ if (tame("stdio inet", NULL) == -1)
+ err(1, "tame");
+ } else {
+ if (tame("stdio inet dns", NULL) == -1)
+ err(1, "tame");
+ }
+
if (getnameinfo(to, to->sa_len, hbuf,
sizeof(hbuf), NULL, 0, NI_NUMERICHOST))
strlcpy(hbuf, "(invalid)", sizeof(hbuf));
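Review bot: The new tame() block, placed between the SO_SNDBUF setup and the getnameinfo() call, carries no comment recording the ordering it depends on, even though the commit message says initialization code had to be hoisted upward to make it work. Since `to` is already populated here, the destination lookup presumably happens earlier, so with -n the process runs without "dns" from this point on; anything later moved below this line that needs the resolver or opens a file would fail under the restriction. A short comment would protect that invariant, for example `/* socket setup and destination lookup must stay above this point; "dns" is only kept for reverse lookups when -n is not given */`. The two branches differ only in the promise string, so `if (tame(nflag ? "stdio inet" : "stdio inet dns", NULL) == -1)` followed by a single `err(1, "tame");` would keep one fail-closed path instead of two. main() starts and continues outside this hunk, so whether privileges are already dropped at this point cannot be confirmed from here.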