Any comments on this? It makes iftop drop to a new unprivileged
userid after grabbing the bpf; the code was basically borrowed
from dhclient.

I left the default login class in the @newuser line; I don't see
why this should have daemon's resource limits.
 

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/iftop/Makefile,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 Makefile
--- Makefile    4 Apr 2008 22:12:46 -0000       1.1.1.1
+++ Makefile    26 Jan 2009 22:50:50 -0000
@@ -3,6 +3,7 @@
 COMMENT =              display bandwidth usage on an inteface
 
 DISTNAME =             iftop-0.17
+PKGNAME =              ${DISTNAME}p0
 CATEGORIES =           net
 
 HOMEPAGE =             http://www.ex-parrot.com/~pdw/iftop/
Index: patches/patch-iptop.c
===================================================================
RCS file: /cvs/ports/net/iftop/patches/patch-iptop.c,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-iptop.c
--- patches/patch-iptop.c       4 Apr 2008 22:12:46 -0000       1.1.1.1
+++ patches/patch-iptop.c       26 Jan 2009 22:50:50 -0000
@@ -1,14 +1,29 @@
---- iftop.c.orig       Sun Dec 16 16:39:56 2007
-+++ iftop.c    Sun Dec 16 16:40:10 2007
-@@ -561,7 +561,6 @@
+--- iftop.c.orig       Thu Mar 31 13:08:05 2005
++++ iftop.c    Mon Jan 26 22:48:19 2009
+@@ -25,6 +25,8 @@
+ #include <signal.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <pwd.h>
++#include <err.h>
+ 
+ #include "iftop.h"
+ #include "addr_hash.h"
+@@ -561,8 +563,12 @@ void packet_loop(void* ptr) {
   * Entry point. See usage(). */
  int main(int argc, char **argv) {
      pthread_t thread;
 -    struct sigaction sa = {};
++    struct passwd *pw;
  
++    if ((pw = getpwnam("_iftop")) == NULL) {
++        errx(1, "no such user: _iftop");
++    }
++
      /* TODO: tidy this up */
      /* read command line options and config file */   
-@@ -572,9 +571,6 @@
+     config_init();
+@@ -572,12 +578,16 @@ int main(int argc, char **argv) {
      read_config(options.config_file, options.config_file_specified);
      options_make();
      
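Review bot: `pw` from `getpwnam("_iftop")` points at static storage owned by the passwd routines, yet it is only consumed much later, after `read_config()`, `options_make()` and `packet_init()` have run (the setresgid/setgroups/setresuid calls in the second hunk of this file). Any getpw*/getgr* lookup performed in between would silently replace the ids that get used for the privilege drop. Copy the values out right after the lookup, `uid_t uid = pw->pw_uid; gid_t gid = pw->pw_gid;`, and use `uid`/`gid` in the setres* and setgroups calls instead of re-reading `pw`. The enclosing `main()` continues outside the hunk.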
@@ -18,3 +33,13 @@
      pthread_mutex_init(&tick_mutex, NULL);
  
      packet_init();
++
++    if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1)
++        err(1,"setresgid");
++    if (setgroups(1, &pw->pw_gid) == -1)
++        err(1,"setgroups");
++    if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
++        err(1,"setresuid");
+ 
+     init_history();
+ 
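Review bot: The three new error calls are written `err(1,"setresgid")` without a space after the comma, while the `errx(1, "no such user: _iftop")` added earlier in this file follows the usual style; `err(1, "setresgid");` and the two siblings should match it. The ordering gid, supplementary groups, then uid is the right one, since the uid change must come last for the gid operations to still be permitted. `main()` continues outside the hunk.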
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/net/iftop/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PLIST
--- pkg/PLIST   4 Apr 2008 22:12:46 -0000       1.1.1.1
+++ pkg/PLIST   26 Jan 2009 22:50:50 -0000
@@ -1,3 +1,5 @@
 @comment $OpenBSD: PLIST,v 1.1.1.1 2008/04/04 22:12:46 sthen Exp $
+...@newgroup _iftop:615
+...@newuser _iftop:615:_iftop::iftop user:/nonexistent:/sbin/nologin
 bin/iftop
 @man man/man8/iftop.8
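Review bot: The two added PLIST lines read `+...@newgroup` and `+...@newuser`, which looks like mail-archive address obfuscation of a leading `@` rather than the intended text; the packing-list keywords have to appear as `@newgroup _iftop:615` and `@newuser _iftop:615:_iftop::iftop user:/nonexistent:/sbin/nologin` at the start of the line, so this is worth confirming against the actual file before commit. The account uses `/nonexistent` and `/sbin/nologin`, which is the right shape for a privilege-separation user that is never meant to log in.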
