--- version 1.1.1.1, 2013/07/21 23:43:42
+++ version 1.1.1.2, 2016/11/01 09:33:48

 minimal.

 Or you can make mtr setuid-root, and the following applies to you....

 Since mtr is installed as suid-root, some concern over security is
-justified. Since version 0.21 of mtr, does the following two things
+justified. Since version 0.21, mtr does the following two things
 after it is launched:

 * mtr requests a pair of raw sockets from the kernel.
-* mtr sets the effective uid to match the real uid.
+* mtr drops root privileges by setting the effective uid to match
+  uid or the user calling mtr.

 See main() in mtr.c and net_preopen() in net.c for the details of this
-process. Note that no code from GTK+ or curses is executed before the
-drop in permissions.
+process. Note that no code from GTK+ or curses is executed before
+dropping root privileges.

 This should severely limit the possibilities of using mtr to breach
 system security. This means the worst case scenerio is as follows:
 Due to some oversight in the mtr code, a malicious use
 overrun one of mtr's internal buffers with binary code that is
 eventually executed. The malicious user is still not able to read
 from or write to any system files which they wouldn't normally have
-permission to write to. The only priveledge gained is access to the
-raw socket descriptors, which would allow the malicious user to listen
-to all ICMP packets arriving at the system, and send forged packets
-with arbitrary contents.
+permission to read or write to, repectively. The only privilege
+gained is access to the raw socket descriptors, which would allow
+the malicious user to listen to all ICMP packets arriving at the
+system, and to send forged packets with arbitrary contents.

 The mtr-code does its best to prevent calling of external library
 code before dropping privileges. It seems that C++ library code has
 loader/linker. That would mean that we're still vulne
 errors in that code. This is why I would prefer to drop the backends,
 have mtr-core always run in "raw" mode, and have the backends interpret
 the output from the mtr-core. Maybe a nice project for a college-level
 student.

 If you have further questions or comments about security issues,
 please direct them to the mtr mailing list. See README for details.
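Review bot: the revised bullet's continuation line "uid or the user calling mtr" reads as a typo; the sentence that starts "* mtr drops root privileges by setting the effective uid to match" only makes sense as "the uid of the user calling mtr", so please correct "uid or" to "the uid of". In the revised worst-case paragraph, "repectively" should be "respectively", and since that paragraph is being reworded anyway, the unchanged "scenerio" on the line before it could be fixed to "scenario" in the same commit.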