- drop privileges - taken from RH
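--- a/arpwatch-2.1a10/arpwatch.c
+++ b/arpwatch-2.1a10/arpwatch.c
@@ -62,7 +62,7 @@
 #include <string.h>
 #include <syslog.h>
 #include <unistd.h>
-
+#include <pwd.h>
 #include <pcap.h>
 
 #include "gnuc.h"
@@ -141,6 +141,25 @@
 int    sanity_fddi(struct fddi_header *, struct ether_arp *, int);
 __dead void usage(void) __attribute__((volatile));
 
+void dropprivileges(const char* user)
+{
+       struct passwd* pw;
+       pw = getpwnam( user );
+       if ( pw ) {
+               if ( initgroups(pw->pw_name, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
+                                setuid(pw->pw_uid) != 0 ) {
+                       syslog(LOG_ERR, "Couldn't change to '%.32s' uid=%d gid=%d", user,
+                                                pw->pw_uid, pw->pw_gid);
+                       exit(1);
+               }
+       }
+       else {
+               syslog(LOG_ERR, "Couldn't find user '%.32s' in /etc/passwd", user);
+               exit(1);
+       }
+       syslog(LOG_DEBUG, "Running as uid=%d gid=%d", getuid(), getgid());
+}
+
 int
 main(int argc, char **argv)
 {
@@ -153,6 +172,7 @@
        register char *interface, *rfilename;
        struct bpf_program code;
        char errbuf[PCAP_ERRBUF_SIZE];
+       char* serveruser = NULL;
 
        if (argv[0] == NULL)
                prog = "arpwatch";
@@ -170,7 +190,7 @@
        interface = NULL;
        rfilename = NULL;
        pd = NULL;
-       while ((op = getopt(argc, argv, "df:i:n:Nr:")) != EOF)
+       while ((op = getopt(argc, argv, "df:i:n:Nr:u:")) != EOF)
                switch (op) {
 
                case 'd':
@@ -202,6 +222,16 @@
                        rfilename = optarg;
                        break;
 
+               case 'u':
+                       if ( optarg ) {
+                               serveruser = strdup(optarg);
+                       }
+                       else {
+                               fprintf(stderr, "%s: Need username after -u\n", prog);
+                               usage();
+                       }
+                       break;
+
                default:
                        usage();
                }
@@ -283,8 +313,11 @@
         * Revert to non-privileged user after opening sockets
         * (not needed on most systems).
         */
-       setgid(getgid());
-       setuid(getuid());
+       /*setgid(getgid());*/
+       /*setuid(getuid());*/
+       if ( serveruser ) {
+               dropprivileges( serveruser );
+       }
 
        /* Must be ethernet or fddi */
        linktype = pcap_datalink(pd);
@@ -751,6 +784,6 @@
 
        (void)fprintf(stderr, "Version %s\n", version);
        (void)fprintf(stderr, "usage: %s [-dN] [-f datafile] [-i interface]"
-           " [-n net[/width]] [-r file]\n", prog);
+           " [-n net[/width]] [-r file] [-u username]\n", prog);
        exit(1);
 }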
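Review bot: `initgroups(pw->pw_name, NULL)` in the new dropprivileges() passes a null pointer constant where a gid_t is expected, so the supplementary-group list installed before setgid()/setuid() contains group 0 and the process keeps root-group membership after the switch. The second argument should be the target user's primary group: `if ( initgroups(pw->pw_name, pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 ||`. The two syslog() calls in the same function print uid_t/gid_t values with `%d`; casting them to `(int)` (or using `%u`) avoids a format mismatch on platforms where those types are unsigned. In the `case 'u':` hunk the `else` branch is unreachable, since `u:` in the getopt string guarantees optarg is set, so it could be dropped.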