Subject: bin/28741: ping does not drop privs
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <mike@ethmoid.org>
List: netbsd-bugs
Date: 12/21/2004 21:00:01
>Number: 28741
>Category: bin
>Synopsis: ping does drop root privileges
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Dec 21 21:00:00 +0000 2004
>Originator: Michael Santos
>Release: NetBSD 2.99.11
>Organization:
>Environment:
System: NetBSD ack 2.99.11 NetBSD 2.99.11 (ack) #89: Sun Dec 19 17:17:33 EST 2004 root@ack:/home/build/src/sys/arch/i386/compile/obj/ack i386
Architecture: i386
Machine: i386
>Description:
ping keeps root privileges even after it is done performing the actions
requiring privs.
Note: the handling of setuid in different apps is a bit inconsistent.
Some of them (/sbin/ping6) call seteuid() and setuid() after
performing tasks such as option processing that do not require root
privs (/usr/sbin/traceroute). Others (/usr/sbin/lock) do not call
seteuid() first, but do check the return value of setuid().
>How-To-Repeat:
>Fix:
Index: ping.c
===================================================================
RCS file: /cvsroot/src/sbin/ping/ping.c,v
retrieving revision 1.77
diff -U2 -r1.77 ping.c
--- ping.c 13 May 2004 20:27:38 -0000 1.77
+++ ping.c 21 Dec 2004 20:48:43 -0000
@@ -261,5 +261,14 @@
#endif
#endif
-
+
+ if ((s = cap_socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0)
+ err(1, "Cannot create socket");
+
+ if ((sloop = cap_socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0)
+ err(1, "Cannot create socket");
+
+ /* revoke privs */
+ (void)seteuid(getuid());
+ (void)setuid(getuid());
setprogname(argv[0]);
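Review bot: the return values of the two calls under "/* revoke privs */" are cast to void, so a failed seteuid() or setuid() leaves ping running with its privileged effective uid and nothing reports it. Check both results and exit on failure, for example with err(1, "setuid"), which is also what the description says /usr/sbin/lock already does for setuid(). As a smaller point, the two err() calls above use the identical message "Cannot create socket" for s and sloop; distinct messages would show which socket failed.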
@@ -462,6 +471,4 @@
ident = arc4random() & 0xFFFF;
- if ((s = cap_socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0)
- err(1, "Cannot create socket");
if (options & SO_DEBUG) {
if (setsockopt(s, SOL_SOCKET, SO_DEBUG,
@@ -475,6 +482,4 @@
}
- if ((sloop = cap_socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0)
- err(1, "Cannot create socket");
if (options & SO_DEBUG) {
if (setsockopt(sloop, SOL_SOCKET, SO_DEBUG,
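Review bot: the setsockopt(..., SOL_SOCKET, SO_DEBUG, ...) calls kept as context here and in the previous hunk now run after privileges have been revoked, where before they ran as root right after cap_socket(). The How-To-Repeat field is empty, so please state that these calls, and any other code between the new drop point near line 261 and the old socket creation near line 471, were exercised as an unprivileged user and still behave as before.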
>Unformatted:
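
An added example, not part of the original report or of ping.c: one way to make the privilege drop discussed above both checked and verified. The function name drop_privs_permanently() is hypothetical; it assumes the privileged resources (for ping, the raw sockets) are already open when it is called.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently return to the invoking user's identity.
 * Returns 0 on success, -1 if the drop failed or could be undone.
 * (Hypothetical helper for illustration, not code from ping.c.)
 */
int
drop_privs_permanently(void)
{
	uid_t ruid = getuid();		/* invoking user */
	uid_t old_euid = geteuid();	/* set-user-ID identity, e.g. 0 */

	/*
	 * Call setuid() while the effective uid is still privileged so the
	 * real, effective and saved IDs all change. Check the result: an
	 * unchecked failure leaves the old effective uid in place.
	 */
	if (setuid(ruid) == -1)
		return -1;

	/* Confirm the visible IDs now match the invoking user. */
	if (getuid() != ruid || geteuid() != ruid)
		return -1;

	/*
	 * If we started with a different effective uid, regaining it must
	 * fail; success means a saved set-user-ID was left behind.
	 */
	if (old_euid != ruid && seteuid(old_euid) == 0)
		return -1;

	return 0;
}

int
main(void)
{
	if (drop_privs_permanently() == -1) {
		fprintf(stderr, "cannot drop privileges\n");
		return 1;
	}
	printf("uid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
	return 0;
}
```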