On Tue, Oct 30, 2018 at 02:02:18PM +0100, Sebastian Reitenbach wrote:
> Hi,
>
> Am Dienstag, Oktober 30, 2018 08:58 CET, Antoine Jacoutot
> <ajacou...@bsdfrog.org> schrieb:
>
> > > > > > On Mon, Oct 29, 2018 at 02:58:11PM +0100, Sebastian Reitenbach
> > > > > > wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > attached patch updates arpwatch to add -u <username> flag, to
> > > > > > > drop privileges
> > > > > > > to non-privileged user after startup. Patch taken from
> > > > > > > Debian/Ubuntu, which
> > > > > > > originates from RedHat. user/group _arpwatch added to PLIST,
> > > > > > > and a user to be added to users.list
> > > > > > >
> > > > > > > rc script is updated to add -u _arpwatch user to to the daemon.
> > > > > > > manpage.
> > > > > > >
> > > > > > > any comments, objections, or even OK?
> > > > > > >
> > >
> > > > > -daemon="${TRUEPREFIX}/sbin/arpwatch"
> > > > > +daemon="${TRUEPREFIX}/sbin/arpwatch -u _arpwatch"
> > > >
> > > > As I mentioned in my former mail, please put this in daemon_flags.
> > > >
> > >
> > > Do, I overlooked that comment. Meanwhile I also recognized, arpwatch has
> > > to
> > > be able to write to /var/arpwatch, not only to the arp.dat file in there,
> > > it seems
> > > to create some temporary files there as well. So also for the @sample
> > > /var/arpwatch
> > > change @user
> > > Updated diff with these two additional changes below.
> >
> > I think you should s/var/${VARBASE}/
> >
> that I haven't left alone as it was before, but here you go, also had to
> update Makefile and
> two of the patches with ${VARBASE}
Looks fine to me :-)
Thanks.
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/arpwatch/Makefile,v
> retrieving revision 1.49
> diff -u -r1.49 Makefile
> --- Makefile 24 Jul 2018 18:59:20 -0000 1.49
> +++ Makefile 30 Oct 2018 12:57:00 -0000
> @@ -3,7 +3,7 @@
> COMMENT= monitor arp & rarp requests
>
> DISTNAME= arpwatch-2.1a15
> -REVISION= 18
> +REVISION= 19
> CATEGORIES= net
>
> MASTER_SITES= ftp://ftp.ee.lbl.gov/
> @@ -16,7 +16,7 @@
> WANTLIB= c pcap
>
> CONFIGURE_STYLE= gnu
> -MAKE_FLAGS+= ARPDIR=/var/arpwatch
> +MAKE_FLAGS+= ARPDIR=${VARBASE}/arpwatch
>
> # this provides an up-to-date pregenerated ethercodes.dat file
> RUN_DEPENDS= net/arp-scan,-mac
> @@ -24,6 +24,10 @@
> NO_TEST= Yes
>
> EXAMPLESDIR= ${PREFIX}/share/examples/arpwatch
> +SUBST_VARS += VARBASE
> +
> +pre-build:
> + ${SUBST_CMD} ${WRKSRC}/arpsnmp.8 ${WRKSRC}/arpwatch.8
>
> do-install:
> @sed -i 's,awk -f ,awk -f ${EXAMPLESDIR}/', ${WRKSRC}/massagevendor
> Index: patches/patch-arpsnmp.8
> ===================================================================
> RCS file: /cvs/ports/net/arpwatch/patches/patch-arpsnmp.8,v
> retrieving revision 1.2
> diff -u -r1.2 patch-arpsnmp.8
> --- patches/patch-arpsnmp.8 11 May 2018 08:13:26 -0000 1.2
> +++ patches/patch-arpsnmp.8 30 Oct 2018 12:57:00 -0000
> @@ -8,7 +8,7 @@
> .nh
> .nf
> -/usr/operator/arpwatch - default directory
> -+/var/arpwatch - default directory
> ++${VARBASE}/arpwatch - default directory
> arp.dat - ethernet/ip address database
> ethercodes.dat - vendor ethernet block list
> .ad
> Index: patches/patch-arpwatch.8
> ===================================================================
> RCS file: /cvs/ports/net/arpwatch/patches/patch-arpwatch.8,v
> retrieving revision 1.1
> diff -u -r1.1 patch-arpwatch.8
> --- patches/patch-arpwatch.8 1 Jun 2001 23:36:32 -0000 1.1
> +++ patches/patch-arpwatch.8 30 Oct 2018 12:57:00 -0000
> @@ -1,13 +1,45 @@
> $OpenBSD: patch-arpwatch.8,v 1.1 2001/06/01 23:36:32 jakob Exp $
>
> ---- arpwatch.8.orig Sat Jun 2 01:22:23 2001
> -+++ arpwatch.8 Sat Jun 2 01:22:47 2001
> -@@ -152,7 +152,7 @@ addresses was a DECnet address.
> +Add -u flag, to drop privileges to that user given
> +
> +Index: arpwatch.8
> +--- arpwatch.8.orig
> ++++ arpwatch.8
> +@@ -43,6 +43,9 @@ arpwatch - keep track of ethernet/ip address pairings
> + ]] [
> + .B -r
> + .I file
> ++] [
> ++.B -u
> ++.I username
> + ]
> + .ad
> + .SH DESCRIPTION
> +@@ -94,6 +97,18 @@ of reading from the network. In this case,
> + .B arpwatch
> + does not fork.
> + .LP
> ++The
> ++.B -u
> ++flag instructs
> ++.B arpwatch
> ++to drop root privileges and change the UID to
> ++.I username
> ++and GID to the primary group of
> ++.I username .
> ++This is recommended for security reasons, but
> ++.I username
> ++has to have write access to the default directory.
> ++.LP
> + Note that an empty
> + .I arp.dat
> + file must be created before the first time you run
> +@@ -152,7 +167,7 @@ addresses was a DECnet address.
> .na
> .nh
> .nf
> -/usr/operator/arpwatch - default directory
> -+/var/arpwatch - default directory
> ++${VARBASE}/arpwatch - default directory
> arp.dat - ethernet/ip address database
> ethercodes.dat - vendor ethernet block list
> .ad
> Index: patches/patch-arpwatch_c
> ===================================================================
> RCS file: /cvs/ports/net/arpwatch/patches/patch-arpwatch_c,v
> retrieving revision 1.1
> diff -u -r1.1 patch-arpwatch_c
> --- patches/patch-arpwatch_c 15 May 2018 19:10:24 -0000 1.1
> +++ patches/patch-arpwatch_c 30 Oct 2018 12:57:00 -0000
> @@ -2,11 +2,80 @@
>
> - Do not bail if the interface does not have an IP assigned.
> - time_t format string fixes
> +- add -u flag, to drop privileges to that user
>
> Index: arpwatch.c
> --- arpwatch.c.orig
> +++ arpwatch.c
> -@@ -223,9 +223,11 @@ main(int argc, char **argv)
> +@@ -63,6 +63,9 @@ struct rtentry;
> + #include <syslog.h>
> + #include <unistd.h>
> +
> ++#include <pwd.h>
> ++#include <grp.h>
> ++
> + #include <pcap.h>
> +
> + #include "gnuc.h"
> +@@ -141,6 +144,24 @@ int sanity_ether(struct ether_header *, struct
> ether_a
> + int sanity_fddi(struct fddi_header *, struct ether_arp *, int);
> + __dead void usage(void) __attribute__((volatile));
> +
> ++void dropprivileges(const char* user)
> ++{
> ++ struct passwd* pw;
> ++ pw = getpwnam( user );
> ++ if ( pw ) {
> ++ if ( initgroups(pw->pw_name, pw->pw_gid) != 0 ||
> setgid(pw->pw_gid) != 0 ||
> ++ setuid(pw->pw_uid) != 0 ) {
> ++ syslog(LOG_ERR, "Couldn't change to '%.32s' uid=%d
> gid=%d", user,pw->pw_uid, pw->pw_gid);
> ++ exit(1);
> ++ }
> ++ }
> ++ else {
> ++ syslog(LOG_ERR, "Couldn't find user '%.32s' in /etc/passwd",
> user);
> ++ exit(1);
> ++ }
> ++ syslog(LOG_INFO, "Running as uid=%d gid=%d", getuid(), getgid());
> ++}
> ++
> + int
> + main(int argc, char **argv)
> + {
> +@@ -153,6 +174,7 @@ main(int argc, char **argv)
> + register char *interface, *rfilename;
> + struct bpf_program code;
> + char errbuf[PCAP_ERRBUF_SIZE];
> ++ char* username = NULL;
> +
> + if (argv[0] == NULL)
> + prog = "arpwatch";
> +@@ -170,7 +192,7 @@ main(int argc, char **argv)
> + interface = NULL;
> + rfilename = NULL;
> + pd = NULL;
> +- while ((op = getopt(argc, argv, "df:i:n:Nr:")) != EOF)
> ++ while ((op = getopt(argc, argv, "df:i:n:Nr:u:")) != EOF)
> + switch (op) {
> +
> + case 'd':
> +@@ -202,6 +224,15 @@ main(int argc, char **argv)
> + rfilename = optarg;
> + break;
> +
> ++ case 'u':
> ++ if ( optarg ) {
> ++ username = strdup(optarg);
> ++ } else {
> ++ fprintf(stderr, "%s: Need username after -u\n",
> prog);
> ++ usage();
> ++ }
> ++ break;
> ++
> + default:
> + usage();
> + }
> +@@ -223,9 +254,11 @@ main(int argc, char **argv)
>
> /* Determine network and netmask */
> if (pcap_lookupnet(interface, &net, &netmask, errbuf) < 0) {
> @@ -21,7 +90,26 @@
> }
>
> /* Drop into the background if not debugging */
> -@@ -401,7 +403,7 @@ process_ether(register u_char *u, register const struc
> +@@ -279,12 +312,16 @@ main(int argc, char **argv)
> + #endif
> + }
> +
> ++ if ( username ) {
> ++ dropprivileges( username );
> ++ } else {
> + /*
> + * Revert to non-privileged user after opening sockets
> + * (not needed on most systems).
> + */
> +- setgid(getgid());
> +- setuid(getuid());
> ++ setgid(getgid());
> ++ setuid(getuid());
> ++ }
> +
> + /* Must be ethernet or fddi */
> + linktype = pcap_datalink(pd);
> +@@ -401,7 +438,7 @@ process_ether(register u_char *u, register const struc
> t = h->ts.tv_sec;
> can_checkpoint = 0;
> if (!ent_add(sia, sea, t, NULL))
> @@ -30,7 +118,7 @@
> intoa(sia), e2str(sea), t);
> can_checkpoint = 1;
> }
> -@@ -550,7 +552,7 @@ process_fddi(register u_char *u, register const struct
> +@@ -550,7 +587,7 @@ process_fddi(register u_char *u, register const struct
> t = h->ts.tv_sec;
> can_checkpoint = 0;
> if (!ent_add(sia, sea, t, NULL))
> @@ -38,4 +126,13 @@
> + syslog(LOG_ERR, "ent_add(%s, %s, %lld) failed",
> intoa(sia), e2str(sea), t);
> can_checkpoint = 1;
> + }
> +@@ -750,7 +787,7 @@ usage(void)
> + extern char version[];
> +
> + (void)fprintf(stderr, "Version %s\n", version);
> +- (void)fprintf(stderr, "usage: %s [-dN] [-f datafile] [-i interface]"
> ++ (void)fprintf(stderr, "usage: %s [-dN] [-f datafile] [-i interface] [-u
> username]"
> + " [-n net[/width]] [-r file]\n", prog);
> + exit(1);
> }
> Index: pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/net/arpwatch/pkg/PLIST,v
> retrieving revision 1.11
> diff -u -r1.11 PLIST
> --- pkg/PLIST 16 May 2018 12:37:32 -0000 1.11
> +++ pkg/PLIST 30 Oct 2018 12:57:00 -0000
> @@ -1,14 +1,20 @@
> @comment $OpenBSD: PLIST,v 1.11 2018/05/16 12:37:32 jasper Exp $
> +@newgroup _arpwatch:820
> +@newuser _arpwatch:820:_arpwatch:daemon:arpwatch
> user:/nonexistent:/sbin/nologin
> @man man/man8/arpsnmp.8
> @man man/man8/arpwatch.8
> @bin sbin/arpsnmp
> @bin sbin/arpwatch
> -@sample /var/arpwatch/
> +@owner _arpwatch
> +@sample ${VARBASE}/arpwatch/
> +@owner
> share/examples/arpwatch/
> share/examples/arpwatch/arp.dat
> @mode 644
> -@sample /var/arpwatch/arp.dat
> +@owner _arpwatch
> +@sample ${VARBASE}/arpwatch/arp.dat
> @mode
> +@owner
> share/examples/arpwatch/arp2ethers
> share/examples/arpwatch/d.awk
> share/examples/arpwatch/duplicates.awk
> Index: pkg/arpwatch.rc
> ===================================================================
> RCS file: /cvs/ports/net/arpwatch/pkg/arpwatch.rc,v
> retrieving revision 1.2
> diff -u -r1.2 arpwatch.rc
> --- pkg/arpwatch.rc 11 Jan 2018 19:27:04 -0000 1.2
> +++ pkg/arpwatch.rc 30 Oct 2018 12:57:00 -0000
> @@ -3,6 +3,7 @@
> # $OpenBSD: arpwatch.rc,v 1.2 2018/01/11 19:27:04 rpe Exp $
>
> daemon="${TRUEPREFIX}/sbin/arpwatch"
> +daemon_flags="-u _arpwatch"
>
> . /etc/rc.d/rc.subr
>
--
Antoine
