Annotation of embedaddon/mtr/SECURITY, revision 1.1

SECURITY ISSUES RELATED TO MTR

You can limit mtr usage to the root user by not putting a setuid bit
on the mtr binary. In that case, the security implications are
minimal.

Or you can make mtr setuid-root, and the following applies to you....

Since mtr is installed as suid-root, some concern over security is
justified.  Since version 0.21, mtr does the following two things
after it is launched:

*  mtr requests a pair of raw sockets from the kernel.
*  mtr sets the effective uid to match the real uid.

See main() in mtr.c and net_preopen() in net.c for the details of this
process.  Note that no code from GTK+ or curses is executed before the
drop in permissions.
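The two-step startup described above, written out as a small self-contained C program. This is an added example and not mtr's own code: the function names (preopen_raw_socket, drop_privileges, startup_sequence) are illustrative, and the choice of an ICMP and an ICMPv6 socket as the "pair" of raw sockets is an assumption made here, not something the text specifies. Run as a non-root user the socket calls simply fail with EPERM and the program continues unprivileged, which is the behaviour a setuid tool must tolerate.

```c
/* Added example (not mtr's code): acquire raw sockets while still
 * effective-root, then permanently drop to the real uid before any
 * other library code runs. Function names are illustrative. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Step 1: request a raw socket while the effective uid is still root.
 * Returns the descriptor, or -1 with errno set (EPERM when unprivileged). */
int preopen_raw_socket(int family, int proto)
{
    return socket(family, SOCK_RAW, proto);
}

/* Step 2: set the effective uid to the real uid. setuid() rather than
 * seteuid() is used so the saved set-user-ID is cleared as well and the
 * process cannot later regain root. Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t real = getuid();
    if (setuid(real) != 0)
        return -1;
    /* Defensive check: never continue if the drop did not take effect. */
    if (geteuid() != real)
        return -1;
    return 0;
}

/* 1 if the effective uid now equals the real uid, else 0. */
int privileges_dropped(void)
{
    return geteuid() == getuid();
}

/* The whole sequence. fds[] receives the two descriptors (-1 if not
 * obtained). Returns how many raw sockets were obtained (0..2), or -1 if
 * privileges could not be dropped, in which case the caller must abort. */
int startup_sequence(int fds[2])
{
    /* Assumption for this example: one ICMP and one ICMPv6 raw socket. */
    fds[0] = preopen_raw_socket(AF_INET, IPPROTO_ICMP);
    fds[1] = preopen_raw_socket(AF_INET6, IPPROTO_ICMPV6);
    int got = (fds[0] >= 0) + (fds[1] >= 0);

    /* The drop happens unconditionally, even when the socket calls failed:
     * a failed preopen must never leave the process running as root. */
    if (drop_privileges() != 0) {
        if (fds[0] >= 0) close(fds[0]);
        if (fds[1] >= 0) close(fds[1]);
        return -1;
    }
    return got;
}

int main(void)
{
    int fds[2];
    int n = startup_sequence(fds);
    if (n < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("raw sockets obtained: %d, euid=%u uid=%u, dropped=%d\n",
           n, (unsigned)geteuid(), (unsigned)getuid(), privileges_dropped());
    /* From here on, only unprivileged work (UI, name lookup, ...) runs;
     * the raw descriptors are the sole privileged resource still held. */
    if (fds[0] >= 0) close(fds[0]);
    if (fds[1] >= 0) close(fds[1]);
    return 0;
}
```

The ordering is the whole point: everything that needs root is done first, the uid change is verified rather than assumed, and no GUI, terminal or resolver code is touched until privileges_dropped() is true. When installed setuid-root, a bug in any code that runs after startup_sequence() can at most reach the raw socket descriptors, which is exactly the worst case the text describes.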

This should severely limit the possibilities of using mtr to breach
system security.  This means the worst case scenario is as follows:

Due to some oversight in the mtr code, a malicious user is able to
overrun one of mtr's internal buffers with binary code that is
eventually executed.  The malicious user is still not able to read
from or write to any system files which they wouldn't normally have
permission to write to.  The only privilege gained is access to the
raw socket descriptors, which would allow the malicious user to listen
to all ICMP packets arriving at the system, and send forged packets
with arbitrary contents.

The mtr code does its best to prevent calling of external library
code before dropping privileges. It seems that C++ library code has
the ability to issue a "please execute me before calling main" to the
loader/linker.  That would mean that we're still vulnerable to
errors in that code. This is why I would prefer to drop the backends,
have mtr-core always run in "raw" mode, and have the backends interpret
the output from the mtr-core. Maybe a nice project for a college-level
student.

If you have further questions or comments about security issues,
please direct them to the mtr mailing list.  See README for details.
