[packages/arpwatch.git] / arpwatch-drop.patch

--- arpwatch-2.1a10/arpwatch.c	Sat Oct 14 05:07:35 2000
+++ arpwatch-2.1a10/arpwatch.c	Sun Jun 10 16:22:57 2001
@@ -62,7 +62,7 @@
 #include <string.h>
 #include <syslog.h>
 #include <unistd.h>
-
+#include <pwd.h>
 #include <pcap.h>
 
 #include "gnuc.h"
@@ -141,6 +141,25 @@
 int	sanity_fddi(struct fddi_header *, struct ether_arp *, int);
 __dead	void usage(void) __attribute__((volatile));
 
+void dropprivileges(const char* user)
+{
+	struct passwd* pw;
+	pw = getpwnam( user );
+	if ( pw ) {
+		if ( initgroups(pw->pw_name, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
+				 setuid(pw->pw_uid) != 0 ) {
+			syslog(LOG_ERR, "Couldn't change to '%.32s' uid=%d gid=%d", user,
+						 pw->pw_uid, pw->pw_gid);
+			exit(1);
+		}
+	}
+	else {
+		syslog(LOG_ERR, "Couldn't find user '%.32s' in /etc/passwd", user);
+		exit(1);
+	}
+	syslog(LOG_DEBUG, "Running as uid=%d gid=%d", getuid(), getgid());
+}
+
 int
 main(int argc, char **argv)
 {
@@ -153,6 +172,7 @@
 	register char *interface, *rfilename;
 	struct bpf_program code;
 	char errbuf[PCAP_ERRBUF_SIZE];
+	char* serveruser = NULL;
 
 	if (argv[0] == NULL)
 		prog = "arpwatch";
@@ -170,7 +190,7 @@
 	interface = NULL;
 	rfilename = NULL;
 	pd = NULL;
-	while ((op = getopt(argc, argv, "df:i:n:Nr:")) != EOF)
+	while ((op = getopt(argc, argv, "df:i:n:Nr:u:")) != EOF)
 		switch (op) {
 
 		case 'd':
@@ -202,6 +222,16 @@
 			rfilename = optarg;
 			break;
 
+		case 'u':
+			if ( optarg ) {
+				serveruser = strdup(optarg);
+			}
+			else {
+				fprintf(stderr, "%s: Need username after -u\n", prog);
+				usage();
+			}
+			break;
+
 		default:
 			usage();
 		}
@@ -283,8 +313,11 @@
 	 * Revert to non-privileged user after opening sockets
 	 * (not needed on most systems).
 	 */
-	setgid(getgid());
-	setuid(getuid());
+	/*setgid(getgid());*/
+	/*setuid(getuid());*/
+	if ( serveruser ) {
+		dropprivileges( serveruser );
+	}
 
 	/* Must be ethernet or fddi */
 	linktype = pcap_datalink(pd);
@@ -751,6 +784,6 @@
 
 	(void)fprintf(stderr, "Version %s\n", version);
 	(void)fprintf(stderr, "usage: %s [-dN] [-f datafile] [-i interface]"
-	    " [-n net[/width]] [-r file]\n", prog);
+	    " [-n net[/width]] [-r file] [-u username]\n", prog);
 	exit(1);
 }
Commit	Line	Data
b801584d PG	1	--- arpwatch-2.1a10/arpwatch.c Sat Oct 14 05:07:35 2000
	2	+++ arpwatch-2.1a10/arpwatch.c Sun Jun 10 16:22:57 2001
	3	@@ -62,7 +62,7 @@
	4	#include <string.h>
	5	#include <syslog.h>
	6	#include <unistd.h>
	7	-
	8	+#include <pwd.h>
	9	#include <pcap.h>
	10
	11	#include "gnuc.h"
	12	@@ -141,6 +141,25 @@
	13	int sanity_fddi(struct fddi_header , struct ether_arp , int);
	14	__dead void usage(void) __attribute__((volatile));
	15
	16	+void dropprivileges(const char* user)
	17	+{
	18	+ struct passwd* pw;
	19	+ pw = getpwnam( user );
	20	+ if ( pw ) {
	21	+ if ( initgroups(pw->pw_name, NULL) != 0 \|\| setgid(pw->pw_gid) != 0 \|\|
	22	+ setuid(pw->pw_uid) != 0 ) {
	23	+ syslog(LOG_ERR, "Couldn't change to '%.32s' uid=%d gid=%d", user,
	24	+ pw->pw_uid, pw->pw_gid);
	25	+ exit(1);
	26	+ }
	27	+ }
	28	+ else {
	29	+ syslog(LOG_ERR, "Couldn't find user '%.32s' in /etc/passwd", user);
	30	+ exit(1);
	31	+ }
	32	+ syslog(LOG_DEBUG, "Running as uid=%d gid=%d", getuid(), getgid());
	33	+}
	34	+
	35	int
	36	main(int argc, char **argv)
	37	{
	38	@@ -153,6 +172,7 @@
	39	register char interface, rfilename;
	40	struct bpf_program code;
	41	char errbuf[PCAP_ERRBUF_SIZE];
	42	+ char* serveruser = NULL;
	43
	44	if (argv[0] == NULL)
	45	prog = "arpwatch";
	46	@@ -170,7 +190,7 @@
	47	interface = NULL;
	48	rfilename = NULL;
	49	pd = NULL;
	50	- while ((op = getopt(argc, argv, "df:i:n:Nr:")) != EOF)
	51	+ while ((op = getopt(argc, argv, "df:i:n:Nr:u:")) != EOF)
	52	switch (op) {
	53
	54	case 'd':
	55	@@ -202,6 +222,16 @@
	56	rfilename = optarg;
	57	break;
	58
	59	+ case 'u':
	60	+ if ( optarg ) {
	61	+ serveruser = strdup(optarg);
	62	+ }
	63	+ else {
	64	+ fprintf(stderr, "%s: Need username after -u\n", prog);
65	+ usage();
66	+ }
67	+ break;
68	+
69	default:
70	usage();
71	}
72	@@ -283,8 +313,11 @@
73	* Revert to non-privileged user after opening sockets
74	* (not needed on most systems).
75	*/
76	- setgid(getgid());
77	- setuid(getuid());
78	+ /setgid(getgid());/
79	+ /setuid(getuid());/
80	+ if ( serveruser ) {
81	+ dropprivileges( serveruser );
82	+ }
83
84	/* Must be ethernet or fddi */
85	linktype = pcap_datalink(pd);
86	@@ -751,6 +784,6 @@
87
88	(void)fprintf(stderr, "Version %s\n", version);
89	(void)fprintf(stderr, "usage: %s [-dN] [-f datafile] [-i interface]"
90	- " [-n net[/width]] [-r file]\n", prog);
91	+ " [-n net[/width]] [-r file] [-u username]\n", prog);
92	exit(1);
93	}