File arpwatch-2.1a11-drop-privs.dif of Package arpwatch.20084

Index: arpwatch-2.1a15/arpwatch.c
===================================================================
--- arpwatch-2.1a15.orig/arpwatch.c
+++ arpwatch-2.1a15/arpwatch.c
@@ -64,6 +64,8 @@ struct rtentry;
 #include <string.h>
 #include <syslog.h>
 #include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
 
 #include <pcap.h>
 
@@ -152,6 +154,66 @@ int	sanity_toring(struct toring_header *
 #endif
 __dead	void usage(void) __attribute__((volatile));
 
+void dropprivileges(const char* user)
+{
+	struct passwd* pw;
+	pw = getpwnam( user );
+	if ( pw ) {
+		char *arpfiledir;
+		char *lastslash;
+
+		arpfiledir = malloc(strlen(arpfile)+1);
+		if(arpfiledir == NULL) {
+			syslog(LOG_ERR, "Fatal: malloc().");
+			exit(1);
+		}
+		strcpy(arpfiledir, arpfile);
+		lastslash = strrchr(arpfiledir, '/');
+		if(lastslash == NULL) {
+			syslog(LOG_ERR, "Fatal: cannot determine directory of %s", arpfile);
+			exit(1);
+		}
+		lastslash[0]='\0';
+
+		if (!safe_base_path(arpfiledir)) {
+			syslog(LOG_ERR, "Fatal: directory structure %s not safe, can't operate here. Please make root owner of underlying directories and remove write access for other", arpfiledir);
+			exit(1);
+		}
+
+		// ensure we have a safe place to operate
+		if (lchown( arpfiledir, 0, 0) != 0 ) {
+			syslog(LOG_ERR, "Fatal: could not chown %s to root).", arpfiledir);
+			exit(1);
+		}
+		// change permissions of the file if it exists
+		if (!access(arpfile, F_OK) && lchown ( arpfile, pw->pw_uid, -1) != 0) {
+			syslog(LOG_ERR, "Fatal: could not chown %s to %d).", arpfile, pw->pw_uid);
+			exit(1);
+		}
+		/* files arp.dat.eth0- and arp.dat.eth0.new that are created
+			as backup/lastversion and for temporary storage are
+			deleted before created again, therefor the users needs
+			to control this directory . */
+		if ( lchown ( arpfiledir, pw->pw_uid, -1) != 0 ) {
+			syslog(LOG_ERR, "Fatal: could not chown %s to %d).",
+				arpfiledir, pw->pw_uid);
+			exit(1);
+		}
+		free(arpfiledir);
+		if ( initgroups(pw->pw_name, pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 ||
+				 setuid(pw->pw_uid) != 0 ) {
+			syslog(LOG_ERR, "Fatal: Couldn't change to user/group '%.32s' uid=%d gid=%d", user,
+						 pw->pw_uid, pw->pw_gid);
+			exit(1);
+		}
+	}
+	else {
+		syslog(LOG_ERR, "No such user: '%.32s'", user);
+		exit(1);
+	}
+	syslog(LOG_DEBUG, "arpwatch running as uid=%d gid=%d", getuid(), getgid());
+}
+
 int
 main(int argc, char **argv)
 {
@@ -164,6 +226,7 @@ main(int argc, char **argv)
 	register char *interface, *rfilename;
 	struct bpf_program code;
 	char errbuf[PCAP_ERRBUF_SIZE];
+	char* serveruser = NULL;
 
 	if (argv[0] == NULL)
 		prog = "arpwatch";
@@ -181,7 +244,7 @@ main(int argc, char **argv)
 	interface = NULL;
 	rfilename = NULL;
 	pd = NULL;
-	while ((op = getopt(argc, argv, "df:i:n:Nr:")) != EOF)
+	while ((op = getopt(argc, argv, "df:i:n:Nr:u:")) != EOF)
 		switch (op) {
 
 		case 'd':
@@ -213,6 +276,16 @@ main(int argc, char **argv)
 			rfilename = optarg;
 			break;
 
+		case 'u':
+			if ( optarg ) {
+				serveruser = strdup(optarg);
+			}
+			else {
+				fprintf(stderr, "%s: Need username after -u\n", prog);
+				usage();
+			}
+			break;
+
 		default:
 			usage();
 		}
@@ -295,8 +368,11 @@ main(int argc, char **argv)
 	 * Revert to non-privileged user after opening sockets
 	 * (not needed on most systems).
 	 */
-	setgid(getgid());
-	setuid(getuid());
+	/*setgid(getgid());*/
+	/*setuid(getuid());*/
+	if ( serveruser ) {
+		dropprivileges( serveruser );
+	}
 
 	/* Must be ethernet or fddi or tokenring */
 	linktype = pcap_datalink(pd);
@@ -842,6 +918,6 @@ usage(void)
 
 	(void)fprintf(stderr, "Version %s\n", version);
 	(void)fprintf(stderr, "usage: %s [-dN] [-f datafile] [-i interface]"
-	    " [-n net[/width]] [-r file]\n", prog);
+	    " [-n net[/width]] [-r file] [-u username]\n", prog);
 	exit(1);
 }
Index: arpwatch-2.1a15/util.c
===================================================================
--- arpwatch-2.1a15.orig/util.c
+++ arpwatch-2.1a15/util.c
@@ -29,6 +29,7 @@ static const char rcsid[] =
 
 #include <sys/types.h>
 #include <sys/file.h>
+#include <sys/stat.h>
 
 #include <fcntl.h>
 #ifdef HAVE_MEMORY_H
@@ -186,3 +187,47 @@ savestr(register const char *str)
 	strsize -= i;
 	return (cp);
 }
+
+int safe_base_path(char *arpfiledir) {
+	// check directories below arpfiledir for safe ownwership/permissions
+	char *path_component;
+	char *lastslash = NULL;
+	int safe_path = 1;
+
+	if (!arpfiledir) {
+		syslog(LOG_ERR, "Fatal: safe_base_path invalid invocation.");
+		exit(1);
+	}
+
+	path_component = malloc(strlen(arpfiledir)+1);
+	if(path_component == NULL) {
+		syslog(LOG_ERR, "Fatal: malloc().");
+		exit(1);
+	}
+	strcpy(path_component, arpfiledir);
+
+	while ((lastslash = strrchr(path_component, '/'))) {
+		struct stat stats;
+
+		lastslash[0]='\0';
+		if ( lstat(path_component, &stats) ) {
+			/* on the last iteration the string will be empty and this fails,
+			   which is okay, if / is unsafe all is lost anyway and we can
+			   skip the check. Otherwise fail safe if lstat doesn't work */
+			if (strlen(path_component))
+				safe_path = 0;
+		} else {
+			if ( stats.st_uid != 0 ||
+			     stats.st_gid != 0 ||
+			     stats.st_mode & S_IWOTH
+			   ) {
+				 /* this is not a safe path to operate on with privileges because
+				    it isn't owned by root:root or others can write there */
+				safe_path = 0;
+			}
+		}
+	}
+
+	free(path_component);
+	return safe_path;
+}
Index: arpwatch-2.1a15/util.h
===================================================================
--- arpwatch-2.1a15.orig/util.h
+++ arpwatch-2.1a15/util.h
@@ -5,6 +5,7 @@ int	dump(void);
 void	dumpone(u_int32_t, u_char *, time_t, char *);
 int	readdata(void);
 char	*savestr(const char *);
+int safe_base_path(char *);
 
 extern char *arpdir;
 extern char *newarpfile;