authorderaadt <deraadt@openbsd.org>2015-10-03 02:22:38 +0000
committerderaadt <deraadt@openbsd.org>2015-10-03 02:22:38 +0000
commit4ce763af9e173c9db3a57d3e807b17b9017a5800 (patch)
treeea8ea97a052f54eaaa4c216b79b0bdb48193f73f /usr.sbin/traceroute
parentuniq has a complicated initialization around getopt. beforehands, we (diff)
like ping, traceroute is a setuid root priv-drop which holds a sockraw.
we can tame it substantially with "stdio inet", plus "dns" if the -n option is missing. a successful exploit against it then cannot create files, or perform a variety of other operations, as described in the tame(2) man page. florian helped me a fair bit hoisting initialization code upwards in ping, ping6, and traceroute, to make tame work here.
Diffstat (limited to 'usr.sbin/traceroute')
-rw-r--r--usr.sbin/traceroute/traceroute.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/usr.sbin/traceroute/traceroute.c b/usr.sbin/traceroute/traceroute.c
index 2e8ceda859c..b25984e8bf8 100644
--- a/usr.sbin/traceroute/traceroute.c
+++ b/usr.sbin/traceroute/traceroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: traceroute.c,v 1.141 2015/08/30 22:10:57 florian Exp $ */
+/* $OpenBSD: traceroute.c,v 1.142 2015/10/03 02:22:38 deraadt Exp $ */
/* $NetBSD: traceroute.c,v 1.10 1995/05/21 15:50:45 mycroft Exp $ */
/*
@@ -844,6 +844,14 @@ main(int argc, char *argv[])
sizeof(datalen)) < 0)
err(6, "SO_SNDBUF");
+ if (nflag) {
+ if (tame("stdio inet", NULL) == -1)
+ err(1, "tame");
+ } else {
+ if (tame("stdio inet dns", NULL) == -1)
+ err(1, "tame");
+ }
+
if (getnameinfo(to, to->sa_len, hbuf,
sizeof(hbuf), NULL, 0, NI_NUMERICHOST))
strlcpy(hbuf, "(invalid)", sizeof(hbuf));
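Review bot: The promise set in the added `if (nflag)` branch is chosen from nflag alone, so any lookup that goes through the resolver independently of -n would be denied once only "stdio inet" is held. This hunk does not show whether such a path exists at this revision; traceroute's AS-number lookup (-A) is the one to check, and if it resolves through DNS the condition has to account for it before "dns" is dropped. A comment above the branch, e.g. `/* -n: no name lookups after this point, so "dns" is not needed */`, would record the assumption the narrower set depends on. main() starts and continues outside the hunk.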