[Nut-upsdev] Re: [nut-commits] svn commit r731
Peter Selinger
selinger at mathstat.dal.ca
Tue Jan 23 17:47:38 CET 2007
Henning Brauer wrote:
>
> * Arjen de Korte <nut+devel at de-korte.org> [2007-01-23 12:58]:
> >
> > >> The listen_add() function doesn't need root access, so this shouldn't be
> > >> a problem. Provided the listening socket is above 1023, setuptcp()
> > >> doesn't need root access either.
> > >
> > > of course
> > >
> > >> However I don't want to limit ourselves here
> > >> (there may be people wanting to setup a low port), so I want to setup
> > >> the server listening sockets as root at least at startup of upsd.
> > >
> > > that is a really bad idea.
> >
> > Maybe it is, but it is what we have been doing for years. I don't want to
> > change this without fully understanding (and documenting) the changes and
> > the impact this may have on system administrators.
>
> well, let me make it more clear: it is outright dangerous.
Please elaborate? There are lots of suid programs that open a socket
and then drop root privileges immediately. For example, ping(8) does
this, as does ping6(8). Here is the code from ping:
int
main(int argc, char **argv)
{
    struct hostent *hp;
    int ch, hold, packlen;
    int socket_errno;
    u_char *packet;
    char *target, hnamebuf[MAXHOSTNAMELEN];
    char rspace[3 + 4 * NROUTES + 1];   /* record route space */

    /* Opened while still effectively root: a raw socket requires it. */
    icmp_sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    socket_errno = errno;

    /* Drop to the invoking user before anything else happens. */
    uid = getuid();
    setuid(uid);
    /* ... remainder of ping's main() not quoted in the mail ... */
As you can see, the first thing it does is open a socket, and then
drops root immediately. In this case, since it is a setuid program,
getuid() will return the user who ran the program, whereas geteuid()
would return root. The code for ping6(8) is almost identical.
Why is this supposed to be unsafe?
-- Peter
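Added example (not from the original mail, and not ping or upsd code): the same open-as-root-then-drop sequence Peter describes, but for a daemon that is started as root rather than installed setuid, written for a Unix host. The helper names open_listener, drop_privileges and probe_listener, and the choice of uid/gid 65534 as the drop target, are assumptions of this example.

```c
#define _DEFAULT_SOURCE      /* for setgroups() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Bind and listen on addr:port.  Done before dropping root so that a
   port below 1024 is possible; port 0 asks the kernel for a free one. */
int open_listener(const char *addr, unsigned short port)
{
    struct sockaddr_in sin;
    int one = 1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1
        || bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0
        || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the listener actually got (useful when 0 was requested). */
int listener_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) != 0)
        return -1;
    return ntohs(sin.sin_port);
}

/* Drop from root to uid/gid permanently.  Order matters: supplementary
   groups and the gid can only be changed while still root, so they go
   first; every call is checked, and at the end we prove the drop stuck. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                  /* only root may clear these */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)           /* as root: sets real, effective and saved uid */
        return -1;
    if (geteuid() != uid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;                  /* root came back: the drop did not hold */
    return 0;
}

/* Connect to the listener over loopback and accept the connection:
   shows the socket opened as root still serves after the drop. */
int probe_listener(int lfd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    int c, s, ok = 0;
    if (getsockname(lfd, (struct sockaddr *)&sin, &len) != 0)
        return 0;
    if ((c = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return 0;
    if (connect(c, (struct sockaddr *)&sin, len) == 0
        && (s = accept(lfd, NULL, NULL)) >= 0) {
        close(s);
        ok = 1;
    }
    close(c);
    return ok;
}

int main(int argc, char **argv)
{
    /* Port from argv (a low one when run as root), else any free port. */
    unsigned short port = argc > 1 ? (unsigned short)atoi(argv[1]) : 0;
    /* Assumption of this example: 65534 is "nobody"; unprivileged runs keep their own ids. */
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();
    int fd = open_listener("127.0.0.1", port);
    if (fd < 0) {
        perror("open_listener");
        return 1;
    }
    printf("listening on port %d as euid %d\n", listener_port(fd), (int)geteuid());
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges failed; refusing to serve as root\n");
        return 1;
    }
    printf("now euid %d, listener still answers: %s\n", (int)geteuid(),
           probe_listener(fd) ? "yes" : "no");
    close(fd);
    return 0;
}
```

Run it as root with a low port argument to exercise the case Arjen wants to keep; run it unprivileged and it binds an ephemeral port and the drop is a verified no-op. Two things ping's bare setuid(uid) leaves out that a long-running daemon should not: checking the return value (setuid() from root can fail on Linux, and a program that ignores that keeps running as root), and clearing the supplementary groups and the gid before the uid, since neither can be changed once root is gone.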