On Mon, Oct 29, 2018 at 04:43:02PM +0100, Sebastian Reitenbach wrote: > Hi, > > Am Montag, Oktober 29, 2018 15:26 CET, Antoine Jacoutot > <ajacou...@bsdfrog.org> schrieb: > > > On Mon, Oct 29, 2018 at 02:58:11PM +0100, Sebastian Reitenbach wrote: > > > Hi, > > > > > > attached patch updates arpwatch to add -u <username> flag, to drop > > > privileges > > > to non-privileged user after startup. Patch taken from Debian/Ubuntu, > > > which > > > originates from RedHat. user/group _arpwatch added to PLIST, > > > and a user to be added to users.list > > > > > > rc script is updated to add -u _arpwatch user to to the daemon. > > > manpage. > > > > > > any comments, objections, or even OK? > > > > > > cheers, > > > Sebastian > > > > > > > @mode 644 > > > +@owner _arpwatch > > > @sample /var/arpwatch/arp.dat > > > > By doing this, you change the ownership of all following files in the PLIST > > to _arpwatch. > > I don't think this is what you intended :-) > > > > indeed stupid and not intended ;) > > updated patch below. > > Sebastian > > Index: Makefile > =================================================================== > RCS file: /cvs/ports/net/arpwatch/Makefile,v > retrieving revision 1.49 > diff -u -r1.49 Makefile > --- Makefile 24 Jul 2018 18:59:20 -0000 1.49 > +++ Makefile 29 Oct 2018 15:40:13 -0000 > @@ -3,7 +3,7 @@ > COMMENT= monitor arp & rarp requests > > DISTNAME= arpwatch-2.1a15 > -REVISION= 18 > +REVISION= 19 > CATEGORIES= net > > MASTER_SITES= ftp://ftp.ee.lbl.gov/ > Index: patches/patch-arpwatch.8 > =================================================================== > RCS file: /cvs/ports/net/arpwatch/patches/patch-arpwatch.8,v > retrieving revision 1.1 > diff -u -r1.1 patch-arpwatch.8 > --- patches/patch-arpwatch.8 1 Jun 2001 23:36:32 -0000 1.1 > +++ patches/patch-arpwatch.8 29 Oct 2018 15:40:13 -0000 > @@ -1,8 +1,40 @@ > $OpenBSD: patch-arpwatch.8,v 1.1 2001/06/01 23:36:32 jakob Exp $ > > ---- arpwatch.8.orig Sat Jun 2 01:22:23 2001 > -+++ arpwatch.8 Sat Jun 2 01:22:47 2001 > -@@ -152,7 +152,7 @@ addresses was a DECnet address. > +Add -u flag, to drop privileges to that user given > + > +Index: arpwatch.8 > +--- arpwatch.8.orig > ++++ arpwatch.8 > +@@ -43,6 +43,9 @@ arpwatch - keep track of ethernet/ip address pairings > + ]] [ > + .B -r > + .I file > ++] [ > ++.B -u > ++.I username > + ] > + .ad > + .SH DESCRIPTION > +@@ -94,6 +97,18 @@ of reading from the network. In this case, > + .B arpwatch > + does not fork. > + .LP > ++The > ++.B -u > ++flag instructs > ++.B arpwatch > ++to drop root privileges and change the UID to > ++.I username > ++and GID to the primary group of > ++.I username . > ++This is recommended for security reasons, but > ++.I username > ++has to have write access to the default directory. > ++.LP > + Note that an empty > + .I arp.dat > + file must be created before the first time you run > +@@ -152,7 +167,7 @@ addresses was a DECnet address. > .na > .nh > .nf > Index: patches/patch-arpwatch_c > =================================================================== > RCS file: /cvs/ports/net/arpwatch/patches/patch-arpwatch_c,v > retrieving revision 1.1 > diff -u -r1.1 patch-arpwatch_c > --- patches/patch-arpwatch_c 15 May 2018 19:10:24 -0000 1.1 > +++ patches/patch-arpwatch_c 29 Oct 2018 15:40:13 -0000 > @@ -2,11 +2,80 @@ > > - Do not bail if the interface does not have an IP assigned. > - time_t format string fixes > +- add -u flag, to drop privileges to that user > > Index: arpwatch.c > --- arpwatch.c.orig > +++ arpwatch.c > -@@ -223,9 +223,11 @@ main(int argc, char **argv) > +@@ -63,6 +63,9 @@ struct rtentry; > + #include <syslog.h> > + #include <unistd.h> > + > ++#include <pwd.h> > ++#include <grp.h> > ++ > + #include <pcap.h> > + > + #include "gnuc.h" > +@@ -141,6 +144,24 @@ int sanity_ether(struct ether_header *, struct > ether_a > + int sanity_fddi(struct fddi_header *, struct ether_arp *, int); > + __dead void usage(void) __attribute__((volatile)); > + > ++void dropprivileges(const char* user) > ++{ > ++ struct passwd* pw; > ++ pw = getpwnam( user ); > ++ if ( pw ) { > ++ if ( initgroups(pw->pw_name, pw->pw_gid) != 0 || > setgid(pw->pw_gid) != 0 || > ++ setuid(pw->pw_uid) != 0 ) { > ++ syslog(LOG_ERR, "Couldn't change to '%.32s' uid=%d > gid=%d", user,pw->pw_uid, pw->pw_gid); > ++ exit(1); > ++ } > ++ } > ++ else { > ++ syslog(LOG_ERR, "Couldn't find user '%.32s' in /etc/passwd", > user); > ++ exit(1); > ++ } > ++ syslog(LOG_INFO, "Running as uid=%d gid=%d", getuid(), getgid()); > ++} > ++ > + int > + main(int argc, char **argv) > + { > +@@ -153,6 +174,7 @@ main(int argc, char **argv) > + register char *interface, *rfilename; > + struct bpf_program code; > + char errbuf[PCAP_ERRBUF_SIZE]; > ++ char* username = NULL; > + > + if (argv[0] == NULL) > + prog = "arpwatch"; > +@@ -170,7 +192,7 @@ main(int argc, char **argv) > + interface = NULL; > + rfilename = NULL; > + pd = NULL; > +- while ((op = getopt(argc, argv, "df:i:n:Nr:")) != EOF) > ++ while ((op = getopt(argc, argv, "df:i:n:Nr:u:")) != EOF) > + switch (op) { > + > + case 'd': > +@@ -202,6 +224,15 @@ main(int argc, char **argv) > + rfilename = optarg; > + break; > + > ++ case 'u': > ++ if ( optarg ) { > ++ username = strdup(optarg); > ++ } else { > ++ fprintf(stderr, "%s: Need username after -u\n", > prog); > ++ usage(); > ++ } > ++ break; > ++ > + default: > + usage(); > + } > +@@ -223,9 +254,11 @@ main(int argc, char **argv) > > /* Determine network and netmask */ > if (pcap_lookupnet(interface, &net, &netmask, errbuf) < 0) { > @@ -21,7 +90,26 @@ > } > > /* Drop into the background if not debugging */ > -@@ -401,7 +403,7 @@ process_ether(register u_char *u, register const struc > +@@ -279,12 +312,16 @@ main(int argc, char **argv) > + #endif > + } > + > ++ if ( username ) { > ++ dropprivileges( username ); > ++ } else { > + /* > + * Revert to non-privileged user after opening sockets > + * (not needed on most systems). > + */ > +- setgid(getgid()); > +- setuid(getuid()); > ++ setgid(getgid()); > ++ setuid(getuid()); > ++ } > + > + /* Must be ethernet or fddi */ > + linktype = pcap_datalink(pd); > +@@ -401,7 +438,7 @@ process_ether(register u_char *u, register const struc > t = h->ts.tv_sec; > can_checkpoint = 0; > if (!ent_add(sia, sea, t, NULL)) > @@ -30,7 +118,7 @@ > intoa(sia), e2str(sea), t); > can_checkpoint = 1; > } > -@@ -550,7 +552,7 @@ process_fddi(register u_char *u, register const struct > +@@ -550,7 +587,7 @@ process_fddi(register u_char *u, register const struct > t = h->ts.tv_sec; > can_checkpoint = 0; > if (!ent_add(sia, sea, t, NULL)) > @@ -38,4 +126,13 @@ > + syslog(LOG_ERR, "ent_add(%s, %s, %lld) failed", > intoa(sia), e2str(sea), t); > can_checkpoint = 1; > + } > +@@ -750,7 +787,7 @@ usage(void) > + extern char version[]; > + > + (void)fprintf(stderr, "Version %s\n", version); > +- (void)fprintf(stderr, "usage: %s [-dN] [-f datafile] [-i interface]" > ++ (void)fprintf(stderr, "usage: %s [-dN] [-f datafile] [-i interface] [-u > username]" > + " [-n net[/width]] [-r file]\n", prog); > + exit(1); > } > Index: pkg/PLIST > =================================================================== > RCS file: /cvs/ports/net/arpwatch/pkg/PLIST,v > retrieving revision 1.11 > diff -u -r1.11 PLIST > --- pkg/PLIST 16 May 2018 12:37:32 -0000 1.11 > +++ pkg/PLIST 29 Oct 2018 15:40:13 -0000 > @@ -1,4 +1,6 @@ > @comment $OpenBSD: PLIST,v 1.11 2018/05/16 12:37:32 jasper Exp $ > +@newgroup _arpwatch:820 > +@newuser _arpwatch:820:_arpwatch:daemon:arpwatch > user:/nonexistent:/sbin/nologin > @man man/man8/arpsnmp.8 > @man man/man8/arpwatch.8 > @bin sbin/arpsnmp > @@ -7,8 +9,10 @@ > share/examples/arpwatch/ > share/examples/arpwatch/arp.dat > @mode 644 > +@owner _arpwatch > @sample /var/arpwatch/arp.dat > @mode > +@owner > share/examples/arpwatch/arp2ethers > share/examples/arpwatch/d.awk > share/examples/arpwatch/duplicates.awk > Index: pkg/arpwatch.rc > =================================================================== > RCS file: /cvs/ports/net/arpwatch/pkg/arpwatch.rc,v > retrieving revision 1.2 > diff -u -r1.2 arpwatch.rc > --- pkg/arpwatch.rc 11 Jan 2018 19:27:04 -0000 1.2 > +++ pkg/arpwatch.rc 29 Oct 2018 15:40:13 -0000 > @@ -2,7 +2,7 @@ > # > # $OpenBSD: arpwatch.rc,v 1.2 2018/01/11 19:27:04 rpe Exp $ > > -daemon="${TRUEPREFIX}/sbin/arpwatch" > +daemon="${TRUEPREFIX}/sbin/arpwatch -u _arpwatch"
As I mentioned in my former mail, please put this in daemon_flags. > > . /etc/rc.d/rc.subr > -- Antoine
