author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2015-10-03 02:22:39 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2015-10-03 02:22:39 +0000 |
commit | e6ea2cae69090581e070a62722d2287a63708510 (patch) | |
tree | 8c6216af9d36cba93c5125c1a25eae3120006568 /usr.sbin | |
parent | efed3bc136ab175fcf7cfe61fd0b35383cfd0dcc (diff) |
like ping, traceroute is a setuid root priv-drop which holds a sockraw.
we can tame it substantially with "stdio inet", plus "dns" if the -n option
is missing. a successful exploit against it then cannot create files, or
perform a variety of other operations, as described in the tame(2) man page.
florian helped me a fair bit hoisting initialization code upwards in ping,
ping6, and traceroute, to make tame work here.
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/traceroute/traceroute.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/usr.sbin/traceroute/traceroute.c b/usr.sbin/traceroute/traceroute.c index 2e8ceda859c..b25984e8bf8 100644 --- a/usr.sbin/traceroute/traceroute.c +++ b/usr.sbin/traceroute/traceroute.c @@ -1,4 +1,4 @@ -/* $OpenBSD: traceroute.c,v 1.141 2015/08/30 22:10:57 florian Exp $ */ +/* $OpenBSD: traceroute.c,v 1.142 2015/10/03 02:22:38 deraadt Exp $ */ /* $NetBSD: traceroute.c,v 1.10 1995/05/21 15:50:45 mycroft Exp $ */ /* @@ -844,6 +844,14 @@ main(int argc, char *argv[]) sizeof(datalen)) < 0) err(6, "SO_SNDBUF"); + if (nflag) { + if (tame("stdio inet", NULL) == -1) + err(1, "tame"); + } else { + if (tame("stdio inet dns", NULL) == -1) + err(1, "tame"); + } + if (getnameinfo(to, to->sa_len, hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST)) strlcpy(hbuf, "(invalid)", sizeof(hbuf)); |
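Review bot: In the second hunk (@@ -844,6 +844,14 @@ in main()), the two branches differ only in the promise string, so the tame() call and its err(1, "tame") are written twice. Picking the string first, for example nflag ? "stdio inet" : "stdio inet dns", and calling tame() once would keep a single error path and make it harder for the two cases to drift apart later. A one-line comment saying that "dns" is only requested when -n is absent would also help, because the getnameinfo() call that follows uses NI_NUMERICHOST and does not by itself show why the wider promise is needed. The neighbouring failure exits with err(6, "SO_SNDBUF") while the new calls use status 1, so it is worth confirming that the exit status is the intended one.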