Add -u <username> flag for arpwatch, so it can drop privileges after
start. rcscript updated to drop privileges by default. Slightly modified patch taken from Debian/Ubuntu, which originates from RedHat. While there, /var -> ${VARBASE} as suggested by ajacoutot. Finally looks fine to ajacoutot, and OK jasper@ (MAINTAINER)
This commit is contained in:
parent
09342a99a5
commit
2227964010
@ -1,9 +1,9 @@
|
||||
# $OpenBSD: Makefile,v 1.49 2018/07/24 18:59:20 jasper Exp $
|
||||
# $OpenBSD: Makefile,v 1.50 2018/10/31 08:58:56 sebastia Exp $
|
||||
|
||||
COMMENT= monitor arp & rarp requests
|
||||
|
||||
DISTNAME= arpwatch-2.1a15
|
||||
REVISION= 18
|
||||
REVISION= 19
|
||||
CATEGORIES= net
|
||||
|
||||
MASTER_SITES= ftp://ftp.ee.lbl.gov/
|
||||
@ -16,7 +16,7 @@ PERMIT_PACKAGE_CDROM= Yes
|
||||
WANTLIB= c pcap
|
||||
|
||||
CONFIGURE_STYLE= gnu
|
||||
MAKE_FLAGS+= ARPDIR=/var/arpwatch
|
||||
MAKE_FLAGS+= ARPDIR=${VARBASE}/arpwatch
|
||||
|
||||
# this provides an up-to-date pregenerated ethercodes.dat file
|
||||
RUN_DEPENDS= net/arp-scan,-mac
|
||||
@ -24,6 +24,10 @@ RUN_DEPENDS= net/arp-scan,-mac
|
||||
NO_TEST= Yes
|
||||
|
||||
EXAMPLESDIR= ${PREFIX}/share/examples/arpwatch
|
||||
SUBST_VARS += VARBASE
|
||||
|
||||
pre-build:
|
||||
${SUBST_CMD} ${WRKSRC}/arpsnmp.8 ${WRKSRC}/arpwatch.8
|
||||
|
||||
do-install:
|
||||
@sed -i 's,awk -f ,awk -f ${EXAMPLESDIR}/', ${WRKSRC}/massagevendor
|
||||
|
@ -1,4 +1,4 @@
|
||||
$OpenBSD: patch-arpsnmp.8,v 1.2 2018/05/11 08:13:26 jasper Exp $
|
||||
$OpenBSD: patch-arpsnmp.8,v 1.3 2018/10/31 08:58:56 sebastia Exp $
|
||||
|
||||
Index: arpsnmp.8
|
||||
--- arpsnmp.8.orig
|
||||
@ -8,7 +8,7 @@ Index: arpsnmp.8
|
||||
.nh
|
||||
.nf
|
||||
-/usr/operator/arpwatch - default directory
|
||||
+/var/arpwatch - default directory
|
||||
+${VARBASE}/arpwatch - default directory
|
||||
arp.dat - ethernet/ip address database
|
||||
ethercodes.dat - vendor ethernet block list
|
||||
.ad
|
||||
|
@ -1,13 +1,45 @@
|
||||
$OpenBSD: patch-arpwatch.8,v 1.1 2001/06/01 23:36:32 jakob Exp $
|
||||
$OpenBSD: patch-arpwatch.8,v 1.2 2018/10/31 08:58:56 sebastia Exp $
|
||||
|
||||
--- arpwatch.8.orig Sat Jun 2 01:22:23 2001
|
||||
+++ arpwatch.8 Sat Jun 2 01:22:47 2001
|
||||
@@ -152,7 +152,7 @@ addresses was a DECnet address.
|
||||
Add -u flag, to drop privileges to that user given
|
||||
|
||||
Index: arpwatch.8
|
||||
--- arpwatch.8.orig
|
||||
+++ arpwatch.8
|
||||
@@ -43,6 +43,9 @@ arpwatch - keep track of ethernet/ip address pairings
|
||||
]] [
|
||||
.B -r
|
||||
.I file
|
||||
+] [
|
||||
+.B -u
|
||||
+.I username
|
||||
]
|
||||
.ad
|
||||
.SH DESCRIPTION
|
||||
@@ -94,6 +97,18 @@ of reading from the network. In this case,
|
||||
.B arpwatch
|
||||
does not fork.
|
||||
.LP
|
||||
+The
|
||||
+.B -u
|
||||
+flag instructs
|
||||
+.B arpwatch
|
||||
+to drop root privileges and change the UID to
|
||||
+.I username
|
||||
+and GID to the primary group of
|
||||
+.I username .
|
||||
+This is recommended for security reasons, but
|
||||
+.I username
|
||||
+has to have write access to the default directory.
|
||||
+.LP
|
||||
Note that an empty
|
||||
.I arp.dat
|
||||
file must be created before the first time you run
|
||||
@@ -152,7 +167,7 @@ addresses was a DECnet address.
|
||||
.na
|
||||
.nh
|
||||
.nf
|
||||
-/usr/operator/arpwatch - default directory
|
||||
+/var/arpwatch - default directory
|
||||
+${VARBASE}/arpwatch - default directory
|
||||
arp.dat - ethernet/ip address database
|
||||
ethercodes.dat - vendor ethernet block list
|
||||
.ad
|
||||
|
@ -1,12 +1,85 @@
|
||||
$OpenBSD: patch-arpwatch_c,v 1.1 2018/05/15 19:10:24 jasper Exp $
|
||||
$OpenBSD: patch-arpwatch_c,v 1.2 2018/10/31 08:58:56 sebastia Exp $
|
||||
|
||||
- Do not bail if the interface does not have an IP assigned.
|
||||
- time_t format string fixes
|
||||
- add -u flag, to drop privileges to that user
|
||||
|
||||
Index: arpwatch.c
|
||||
--- arpwatch.c.orig
|
||||
+++ arpwatch.c
|
||||
@@ -223,9 +223,11 @@ main(int argc, char **argv)
|
||||
@@ -63,6 +63,9 @@ struct rtentry;
|
||||
#include <syslog.h>
|
||||
#include <unistd.h>
|
||||
|
||||
+#include <pwd.h>
|
||||
+#include <grp.h>
|
||||
+
|
||||
#include <pcap.h>
|
||||
|
||||
#include "gnuc.h"
|
||||
@@ -141,6 +144,24 @@ int sanity_ether(struct ether_header *, struct ether_a
|
||||
int sanity_fddi(struct fddi_header *, struct ether_arp *, int);
|
||||
__dead void usage(void) __attribute__((volatile));
|
||||
|
||||
+void dropprivileges(const char* user)
|
||||
+{
|
||||
+ struct passwd* pw;
|
||||
+ pw = getpwnam( user );
|
||||
+ if ( pw ) {
|
||||
+ if ( initgroups(pw->pw_name, pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 ||
|
||||
+ setuid(pw->pw_uid) != 0 ) {
|
||||
+ syslog(LOG_ERR, "Couldn't change to '%.32s' uid=%d gid=%d", user,pw->pw_uid, pw->pw_gid);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ }
|
||||
+ else {
|
||||
+ syslog(LOG_ERR, "Couldn't find user '%.32s' in /etc/passwd", user);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ syslog(LOG_INFO, "Running as uid=%d gid=%d", getuid(), getgid());
|
||||
+}
|
||||
+
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
@@ -153,6 +174,7 @@ main(int argc, char **argv)
|
||||
register char *interface, *rfilename;
|
||||
struct bpf_program code;
|
||||
char errbuf[PCAP_ERRBUF_SIZE];
|
||||
+ char* username = NULL;
|
||||
|
||||
if (argv[0] == NULL)
|
||||
prog = "arpwatch";
|
||||
@@ -170,7 +192,7 @@ main(int argc, char **argv)
|
||||
interface = NULL;
|
||||
rfilename = NULL;
|
||||
pd = NULL;
|
||||
- while ((op = getopt(argc, argv, "df:i:n:Nr:")) != EOF)
|
||||
+ while ((op = getopt(argc, argv, "df:i:n:Nr:u:")) != EOF)
|
||||
switch (op) {
|
||||
|
||||
case 'd':
|
||||
@@ -202,6 +224,19 @@ main(int argc, char **argv)
|
||||
rfilename = optarg;
|
||||
break;
|
||||
|
||||
+ case 'u':
|
||||
+ if ( optarg ) {
|
||||
+ username = strdup(optarg);
|
||||
+ if (username == NULL) {
|
||||
+ fprintf(stderr, "strdup -u username failed");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ } else {
|
||||
+ fprintf(stderr, "%s: Need username after -u\n", prog);
|
||||
+ usage();
|
||||
+ }
|
||||
+ break;
|
||||
+
|
||||
default:
|
||||
usage();
|
||||
}
|
||||
@@ -223,9 +258,11 @@ main(int argc, char **argv)
|
||||
|
||||
/* Determine network and netmask */
|
||||
if (pcap_lookupnet(interface, &net, &netmask, errbuf) < 0) {
|
||||
@ -21,7 +94,26 @@ Index: arpwatch.c
|
||||
}
|
||||
|
||||
/* Drop into the background if not debugging */
|
||||
@@ -401,7 +403,7 @@ process_ether(register u_char *u, register const struc
|
||||
@@ -279,12 +316,16 @@ main(int argc, char **argv)
|
||||
#endif
|
||||
}
|
||||
|
||||
+ if ( username ) {
|
||||
+ dropprivileges( username );
|
||||
+ } else {
|
||||
/*
|
||||
* Revert to non-privileged user after opening sockets
|
||||
* (not needed on most systems).
|
||||
*/
|
||||
- setgid(getgid());
|
||||
- setuid(getuid());
|
||||
+ setgid(getgid());
|
||||
+ setuid(getuid());
|
||||
+ }
|
||||
|
||||
/* Must be ethernet or fddi */
|
||||
linktype = pcap_datalink(pd);
|
||||
@@ -401,7 +442,7 @@ process_ether(register u_char *u, register const struc
|
||||
t = h->ts.tv_sec;
|
||||
can_checkpoint = 0;
|
||||
if (!ent_add(sia, sea, t, NULL))
|
||||
@ -30,7 +122,7 @@ Index: arpwatch.c
|
||||
intoa(sia), e2str(sea), t);
|
||||
can_checkpoint = 1;
|
||||
}
|
||||
@@ -550,7 +552,7 @@ process_fddi(register u_char *u, register const struct
|
||||
@@ -550,7 +591,7 @@ process_fddi(register u_char *u, register const struct
|
||||
t = h->ts.tv_sec;
|
||||
can_checkpoint = 0;
|
||||
if (!ent_add(sia, sea, t, NULL))
|
||||
@ -39,3 +131,12 @@ Index: arpwatch.c
|
||||
intoa(sia), e2str(sea), t);
|
||||
can_checkpoint = 1;
|
||||
}
|
||||
@@ -750,7 +791,7 @@ usage(void)
|
||||
extern char version[];
|
||||
|
||||
(void)fprintf(stderr, "Version %s\n", version);
|
||||
- (void)fprintf(stderr, "usage: %s [-dN] [-f datafile] [-i interface]"
|
||||
+ (void)fprintf(stderr, "usage: %s [-dN] [-f datafile] [-i interface] [-u username]"
|
||||
" [-n net[/width]] [-r file]\n", prog);
|
||||
exit(1);
|
||||
}
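Review bot: `dropprivileges()` in the `@@ -141,6 +144,24 @@` hunk never checks that the target account is unprivileged or that the drop actually stuck, so `-u root` (or any other uid-0 entry in the password file) passes every check and the daemon keeps running as root while logging `Running as uid=0`. Refuse a `pw_uid` of 0 before calling `setuid`, and after the drop confirm that `setuid(0)` fails (CERT POS37-C) — cheap insurance that the three IDs were really changed, whatever platform this Debian/RedHat-derived patch ends up on. The `%d` conversions applied to `uid_t`/`gid_t` (in the error line and in the `Running as` line) also mismatch the unsigned types; `%u` with a cast is correct and keeps `-Wformat` quiet. Minor: with `u:` in the getopt string `optarg` is never NULL, so the `else` branch in `case 'u'` is dead, and the `strdup -u username failed` message lacks the `\n` and `prog` prefix that the other diagnostics carry.
```c
void dropprivileges(const char* user)
{
	struct passwd* pw;
	pw = getpwnam( user );
	if ( pw == NULL ) {
		syslog(LOG_ERR, "Couldn't find user '%.32s' in /etc/passwd", user);
		exit(1);
	}
	/* -u with a uid-0 account would be a silent no-op: refuse it */
	if ( pw->pw_uid == 0 ) {
		syslog(LOG_ERR, "Refusing to run as uid 0 user '%.32s'", user);
		exit(1);
	}
	if ( initgroups(pw->pw_name, pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 ||
	    setuid(pw->pw_uid) != 0 ) {
		syslog(LOG_ERR, "Couldn't change to '%.32s' uid=%u gid=%u", user,
		    (unsigned)pw->pw_uid, (unsigned)pw->pw_gid);
		exit(1);
	}
	/* CERT POS37-C: make sure root cannot be regained after the drop */
	if ( setuid(0) != -1 ) {
		syslog(LOG_ERR, "Privilege drop to '%.32s' could be reverted", user);
		exit(1);
	}
	syslog(LOG_INFO, "Running as uid=%u gid=%u", (unsigned)getuid(), (unsigned)getgid());
}
```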
|
||||
|
@ -1,14 +1,20 @@
|
||||
@comment $OpenBSD: PLIST,v 1.11 2018/05/16 12:37:32 jasper Exp $
|
||||
@comment $OpenBSD: PLIST,v 1.12 2018/10/31 08:58:56 sebastia Exp $
|
||||
@newgroup _arpwatch:820
|
||||
@newuser _arpwatch:820:_arpwatch:daemon:arpwatch user:/nonexistent:/sbin/nologin
|
||||
@man man/man8/arpsnmp.8
|
||||
@man man/man8/arpwatch.8
|
||||
@bin sbin/arpsnmp
|
||||
@bin sbin/arpwatch
|
||||
@sample /var/arpwatch/
|
||||
@owner _arpwatch
|
||||
@sample ${VARBASE}/arpwatch/
|
||||
@owner
|
||||
share/examples/arpwatch/
|
||||
share/examples/arpwatch/arp.dat
|
||||
@mode 644
|
||||
@sample /var/arpwatch/arp.dat
|
||||
@owner _arpwatch
|
||||
@sample ${VARBASE}/arpwatch/arp.dat
|
||||
@mode
|
||||
@owner
|
||||
share/examples/arpwatch/arp2ethers
|
||||
share/examples/arpwatch/d.awk
|
||||
share/examples/arpwatch/duplicates.awk
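Review bot: The new `@owner _arpwatch` lines set the owner of `${VARBASE}/arpwatch/` and `arp.dat` but no `@group`, and the pre-existing `@mode 644` leaves the address database world-readable; now that a dedicated account exists, `@group _arpwatch` alongside each `@owner _arpwatch` and `@mode 640` on the `arp.dat` sample would keep the LAN's IP/MAC inventory readable only by the daemon and root. Whether anything else (arpsnmp, the example awk scripts) is expected to read that file unprivileged should be confirmed before tightening it.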
|
||||
|
@ -1,8 +1,9 @@
|
||||
#!/bin/ksh
|
||||
#
|
||||
# $OpenBSD: arpwatch.rc,v 1.2 2018/01/11 19:27:04 rpe Exp $
|
||||
# $OpenBSD: arpwatch.rc,v 1.3 2018/10/31 08:58:56 sebastia Exp $
|
||||
|
||||
daemon="${TRUEPREFIX}/sbin/arpwatch"
|
||||
daemon_flags="-u _arpwatch"
|
||||
|
||||
. /etc/rc.d/rc.subr
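Review bot: `daemon_flags="-u _arpwatch"` is only the default; as I read rc.subr, an `arpwatch_flags=` line in rc.conf.local replaces the whole string, so an administrator adding e.g. `-i em0` silently loses the privilege drop unless `-u _arpwatch` is repeated. A comment above the assignment such as `# keep -u _arpwatch when overriding arpwatch_flags in rc.conf.local` would make that explicit, or the user could be appended unconditionally in the script so it cannot be dropped by an override.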
|
||||
|
||||
|