Annotation of embedaddon/mtr/SECURITY, revision 1.1.1.2
1.1 misho 1: SECURITY ISSUES RELATED TO MTR
2:
3: You can limit mtr usage to the root user by not putting a setuid bit
4: on the mtr binary. In that case, the security implications are
5: minimal.
6:
7: Or you can make mtr setuid-root, and the following applies to you....
8:
9: Since mtr is installed as suid-root, some concern over security is
1.1.1.2 ! misho 10: justified. Since version 0.21, mtr does the following two things
1.1 misho 11: after it is launched:
12:
13: * mtr requests a pair of raw sockets from the kernel.
1.1.1.2 ! misho 14: * mtr drops root privileges by setting the effective uid to match
! 15: uid or the user calling mtr.
1.1 misho 16:
17: See main() in mtr.c and net_preopen() in net.c for the details of this
1.1.1.2 ! misho 18: process. Note that no code from GTK+ or curses is executed before
! 19: dropping root privileges.
1.1 misho 20:
21: This should severely limit the possibilities of using mtr to breach
22: system security. This means the worst case scenerio is as follows:
23:
24: Due to some oversight in the mtr code, a malicious user is able to
25: overrun one of mtr's internal buffers with binary code that is
26: eventually executed. The malicious user is still not able to read
27: from or write to any system files which they wouldn't normally have
1.1.1.2 ! misho 28: permission to read or write to, repectively. The only privilege
! 29: gained is access to the raw socket descriptors, which would allow
! 30: the malicious user to listen to all ICMP packets arriving at the
! 31: system, and to send forged packets with arbitrary contents.
1.1 misho 32:
33: The mtr-code does its best to prevent calling of external library
34: code before dropping privileges. It seems that C++ library code has
35: the ability to issue a "please execute me before calling main" to the
36: loader/linker. That would mean that we're still vulnerable to
37: errors in that code. This is why I would prefer to drop the backends,
38: have mtr-core always run in "raw" mode, and have the backends interpret
39: the output from the mtr-core. Maybe a nice project for a college-level
1.1.1.2 ! misho 40: student.
1.1 misho 41:
42: If you have further questions or comments about security issues,
43: please direct them to the mtr mailing list. See README for details.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to SECURITY CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / mtr