SECURITY ISSUES RELATED TO MTR

mtr invokes a sub-process, mtr-packet, which requires extra privileges
to send custom packets, and there are security implications from
granting this.

There are several different ways to provide the privileges:

1. Add limited privileges on systems that support this. (Preferred.)
2. Run mtr as the root user.
3. Make mtr-packet a setuid-root binary.

Details:

1. Add limited privileges on systems that support this.

Some operating systems allow binaries to be run with only the subset
of security privileges that are actually needed.

Linux:
On Linux, privileges are known as capabilities. The only additional
capability that mtr-packet needs is cap_net_raw. To give this
capability to the mtr-packet binary, run the following command as root:

    # setcap cap_net_raw+ep mtr-packet


2. Run mtr as the root user.

You can limit mtr usage to the root user by not putting a setuid bit
on the mtr-packet binary. In that case, the security implications are
minimal.


3. Make mtr-packet a setuid-root binary.

The mtr-packet binary can be made setuid-root, which is what "make install"
does by default.
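
Which of the three models is actually in effect for an installed
mtr-packet (the setcap file capability from option 1, the plain binary of
option 2, or the setuid-root default of option 3) can be checked directly
from the binary. The program below is an added example, not part of mtr:
it assumes Linux for the capability check (it decodes the
security.capability extended attribute that setcap writes), takes the
path to mtr-packet as its argument, and uses function and enum names of
its own.

```c
/*
 * Added example, not mtr's own code: classify how an installed mtr-packet
 * binary has been granted privilege. Assumes Linux for the capability
 * check; on other systems only the setuid bit is examined.
 */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* le32toh(), mkstemp() prototypes on glibc */
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __linux__
#include <endian.h>
#include <sys/xattr.h>
#include <linux/capability.h>
#endif

enum priv_model {
    PRIV_ERROR = -1,
    PRIV_NONE = 0,          /* no extra privilege: only root can use mtr (option 2) */
    PRIV_CAPABILITY = 1,    /* file capability cap_net_raw+ep (option 1, preferred) */
    PRIV_SETUID_ROOT = 2,   /* setuid bit and owned by root (option 3) */
    PRIV_SETUID_OTHER = 3   /* setuid bit but not owned by root: not root privilege */
};

/* Decode the security.capability xattr and report whether cap_net_raw is in
 * the permitted set with the effective flag raised, which is what "+ep" means. */
static int has_cap_net_raw_effective(const char *path)
{
#ifdef __linux__
    unsigned char buf[64];          /* larger than any vfs_cap_data revision */
    uint32_t magic, permitted;
    ssize_t n = getxattr(path, "security.capability", buf, sizeof buf);

    if (n < 12)                     /* ENODATA (no file caps) or truncated */
        return 0;
    memcpy(&magic, buf, 4);         /* vfs_cap_data.magic_etc */
    memcpy(&permitted, buf + 4, 4); /* vfs_cap_data.data[0].permitted (little-endian) */
    magic = le32toh(magic);
    permitted = le32toh(permitted);
    return ((permitted >> CAP_NET_RAW) & 1) && (magic & VFS_CAP_FLAGS_EFFECTIVE) ? 1 : 0;
#else
    (void)path;
    return 0;
#endif
}

/* setuid-root is reported ahead of a file capability because it is the
 * larger grant: a binary with both is still running as root at start-up. */
enum priv_model audit_privilege_model(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return PRIV_ERROR;
    if (st.st_mode & S_ISUID)
        return st.st_uid == 0 ? PRIV_SETUID_ROOT : PRIV_SETUID_OTHER;
    if (has_cap_net_raw_effective(path))
        return PRIV_CAPABILITY;
    return PRIV_NONE;
}

const char *priv_model_name(enum priv_model m)
{
    switch (m) {
    case PRIV_NONE:         return "no extra privilege (only root can run mtr)";
    case PRIV_CAPABILITY:   return "file capability cap_net_raw+ep (preferred)";
    case PRIV_SETUID_ROOT:  return "setuid-root (the make install default)";
    case PRIV_SETUID_OTHER: return "setuid bit set, but not owned by root";
    default:                return "cannot stat binary";
    }
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /path/to/mtr-packet\n", argv[0]);
        return 2;
    }
    enum priv_model m = audit_privilege_model(argv[1]);
    printf("%s: %s\n", argv[1], priv_model_name(m));
    return m == PRIV_ERROR ? 1 : 0;
}
```

Point it at the installed mtr-packet; an administrator who has followed
option 1 expects PRIV_CAPABILITY, and a stock "make install" yields
PRIV_SETUID_ROOT. The setuid check comes first on purpose: a binary that
carries both grants is still root at start-up regardless of the capability.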

When mtr-packet is installed as setuid-root, some concern over security is
justified.  mtr-packet does the following after it is launched:

*  mtr-packet opens sockets for sending raw packets and for receiving
   ICMP packets.
*  mtr-packet drops root privileges by setting the effective uid to
   match the uid of the user calling mtr.
*  If capabilities support is available, mtr-packet drops all privileged
   capabilities.

See main() in packet.c and init_net_state_privileged() in probe_unix.c
for the details of this process.
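
The sequence above, written out as an added example in C that is not
mtr's own code (the function names are this example's, not those in
packet.c or probe_unix.c): open the raw socket while still privileged,
then give up root permanently, then clear the capability sets. It assumes
Linux for the capability step, which calls capset directly rather than
through libcap; on other systems that step is a no-op.

```c
/*
 * Added example, not mtr's own code: the privilege-separation order that
 * makes a setuid-root or capability-bearing helper safe.
 *   1. While still privileged, open the one resource that needs privilege.
 *   2. Drop to the invoking user's real uid/gid, irreversibly.
 *   3. If capabilities are available (Linux), clear every capability set.
 */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* syscall() prototype on glibc */
#endif
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#include <linux/capability.h>
#endif

/* Step 1: acquire the raw ICMP socket. Returns -1 (EPERM) when unprivileged. */
int open_raw_icmp_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Step 2: give up root for good. Returns 0 on success, -1 on failure.
 * Called with root privilege, setuid()/setgid() set the real, effective and
 * saved ids together, so a later seteuid(0) cannot restore root the way it
 * could after a seteuid()-only drop. */
int drop_root(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Group first: once the uid is unprivileged, changing the gid would fail. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify rather than trust that the drop took effect. */
    if (getuid() != uid || geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

/* Step 3: empty the effective, permitted and inheritable sets, so a process
 * started from a binary with cap_net_raw+ep holds nothing once its socket is
 * open. Returns 0 on success. Removing capabilities needs no privilege. */
int drop_all_capabilities(void)
{
#ifdef __linux__
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    memset(data, 0, sizeof data);      /* all sets cleared */
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
#else
    return 0;                          /* no capabilities support: nothing to drop */
#endif
}

/* Returns 1 when no privilege remains: ids match the invoking user and, on
 * Linux, the effective and permitted capability sets are empty. */
int privileges_dropped(void)
{
    if (geteuid() != getuid() || getegid() != getgid())
        return 0;
#ifdef __linux__
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    int i;

    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return 0;
    for (i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        if (data[i].effective != 0 || data[i].permitted != 0)
            return 0;
#endif
    return 1;
}

int main(void)
{
    int fd = open_raw_icmp_socket();
    printf("raw socket before drop: %s\n", fd >= 0 ? "opened" : strerror(errno));

    if (drop_root() != 0 || drop_all_capabilities() != 0) {
        fprintf(stderr, "refusing to continue privileged: %s\n", strerror(errno));
        return 1;
    }
    /* The socket from step 1 keeps working; a new one can no longer be made. */
    int again = open_raw_icmp_socket();
    printf("raw socket after drop: %s\n", again >= 0 ? "opened (still privileged!)" : strerror(errno));
    printf("privileges dropped: %s\n", privileges_dropped() ? "yes" : "no");
    if (fd >= 0) close(fd);
    if (again >= 0) close(again);
    return 0;
}
```

Run as an unprivileged user, the first socket call fails and the drop is a
no-op; run as root or from a binary carrying cap_net_raw+ep, the first
socket opens and the second, attempted after the drop, is refused. That
property is what bounds the worst case described in this file: a
compromised mtr-packet keeps only the sockets it already holds.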

This should limit the possibilities of using mtr to breach system security.
The worst case scenario is as follows:

Due to some oversight in the mtr-packet code, a malicious user is able to
overrun one of mtr-packet's internal buffers with binary code that is
eventually executed.  The malicious user is still not able to read
from or write to any system files other than those normally accessible
by the user running mtr.  The only privileges gained are access to the raw
socket, which would allow the malicious user to listen to all ICMP packets
arriving at the system, and to send forged packets with arbitrary contents.


If you have further questions or comments about security issues,
please see the README file for details on how to submit them.