>From bc01c19df465bec369ded83bf48b069c6ad462d2 Mon Sep 17 00:00:00 2001 From: "Yuriy M. Kaminskiy" Date: Wed, 2 Jan 2013 01:43:01 +0400 Subject: [PATCH 1/7] arping, ping, ping6, traceroute2, clockdiff: drop fsuid at start Prevent ignoring netfilter -m owner checks. With this patch ping correctly blocked by iptables rules, e.g.: $ sudo iptables -I OUTPUT -m owner --uid-owner $UID -j DROP $ ping www.google.com --- arping.c | 9 +++++++++ clockdiff.c | 8 ++++++++ ping_common.c | 9 +++++++++ traceroute6.c | 8 ++++++++ 4 files changed, 34 insertions(+), 0 deletions(-) diff --git a/arping.c b/arping.c index 35408c1..bdf81e9 100644 --- a/arping.c +++ b/arping.c @@ -27,6 +27,9 @@ #include #include #endif +#ifdef __linux__ +#include +#endif #include #include @@ -229,6 +232,12 @@ int modify_capability_raw(int on) perror("arping: setuid"); return -1; } +#ifdef __linux__ + if (on) { + /* FIXME: error handling? setfsuid() have weird return code */ + setfsuid(getuid()); + } +#endif #endif return 0; } diff --git a/clockdiff.c b/clockdiff.c index 7c1ea1b..f12da2d 100644 --- a/clockdiff.c +++ b/clockdiff.c @@ -3,6 +3,9 @@ #include #include #include +#ifdef __linux__ +#include +#endif #include #include #include @@ -561,6 +564,11 @@ main(int argc, char *argv[]) usage(); } +#ifdef __linux__ + // FIXME: error handling? setfsuid() have weird return code + setfsuid(getuid()); +#endif + sock_raw = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP); s_errno = errno; diff --git a/ping_common.c b/ping_common.c index 7f82851..12c87a4 100644 --- a/ping_common.c +++ b/ping_common.c @@ -2,6 +2,9 @@ #include #include #include +#ifdef __linux__ +#include +#endif int options; @@ -175,6 +178,12 @@ int modify_capability(int on) perror("seteuid"); return -1; } +#ifdef __linux__ + if (on) { + /* FIXME: error handling? setfsuid() have weird return code */ + setfsuid(uid); + } +#endif return 0; } diff --git a/traceroute6.c b/traceroute6.c index 0538d4b..a14ddb6 100644 --- a/traceroute6.c +++ b/traceroute6.c @@ -266,6 +266,9 @@ char copyright[] = #include #include #include +#ifdef __linux__ +#include +#endif #include "SNAPSHOT.h" @@ -343,6 +346,11 @@ int main(int argc, char *argv[]) int ch, i, on, probe, seq, tos, ttl; int socket_errno; +#ifdef __linux__ + // FIXME: error handling? setfsuid() have weird return code + setfsuid(getuid()); +#endif + icmp_sock = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6); socket_errno = errno; -- 1.7.6.3