SECURITY ISSUES RELATED TO MTR

mtr invokes a sub-process, mtr-packet, which requires extra privileges
to send custom packets, and there are security implications from
granting this.

There are several different ways to provide the privileges:

1. Add limited privileges on systems that support this. (Preferred.)
2. Run mtr as the root user.
3. Make mtr-packet a setuid-root binary.

Details:

1. Add limited privileges on systems that support this.

Some operating systems allow binaries to be run with only the subset
of security privileges that are actually needed, so that a bug in
mtr-packet cannot be turned into full root access.

Linux:
On Linux, privileges are known as capabilities. The only additional
capability that mtr-packet needs is cap_net_raw (the right to open raw
sockets). To give this capability to the mtr-packet binary, run the
following command as root, naming the installed binary:

# setcap cap_net_raw+ep mtr-packet

"+ep" places cap_net_raw in the file's permitted and effective sets, so
the process starts with that one capability and nothing else; the binary
is not setuid and the process never runs as uid 0. Verify the result with
getcap(8), which should list cap_net_raw as effective and permitted for
the binary. Two caveats: the capability is stored in the file's
security.capability extended attribute, so the filesystem must support
extended attributes, and the attribute is lost whenever the binary is
copied or reinstalled without preserving attributes (for example after a
rebuild and "make install"), so repeat the setcap step afterwards. If the
binary is also setuid-root, clear that bit so that only the capability
remains.
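As an added example (not part of mtr or its documentation), the following Linux-only C program reports which of the three privilege modes an installed mtr-packet binary is actually in: it reads the setuid bit and owner from stat(2) and decodes the security.capability extended attribute that setcap writes. The path is passed on the command line; the attribute bytes embedded in the program are constructed to match what "setcap cap_net_raw+ep" stores and are used only to exercise the decoder. The constant names and the layout mirror <linux/capability.h> but are defined locally so the program builds without kernel headers or libcap.

```c
/* Added example, not mtr's own code: report which of the three privilege
 * modes an installed mtr-packet binary is in.  Linux only.  The capability
 * written by "setcap cap_net_raw+ep" lives in the security.capability
 * extended attribute; the constants and layout below mirror struct
 * vfs_cap_data in <linux/capability.h>. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define CAP_NET_RAW_BIT         13u          /* CAP_NET_RAW: bit 13 of word 0 */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_2      0x02000000u  /* 20-byte attribute */
#define VFS_CAP_REVISION_3      0x03000000u  /* 24-byte attribute, adds rootid */
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u  /* the "e" in "+ep" */
#define VFS_CAP_MIN_SIZE        20u          /* magic + 2 x (permitted, inheritable) */

enum priv_mode {
    PRIV_ERROR = -1,  /* missing, unreadable or not a regular file */
    PRIV_NONE,        /* option 2: nothing granted, usable by root only */
    PRIV_CAPABILITY,  /* option 1: cap_net_raw+ep file capability */
    PRIV_SETUID,      /* option 3: setuid-root */
    PRIV_BOTH         /* setuid-root plus a file capability: drop the setuid bit */
};
static const char *const PRIV_NAMES[] = {   /* indexed by priv_mode + 1 */
    "error: not a readable regular file", "no privileges granted (root only)",
    "file capability cap_net_raw+ep (preferred)", "setuid-root",
    "setuid-root AND cap_net_raw+ep: remove the setuid bit"
};

/* Little-endian u32 at byte offset off, independent of host byte order. */
static uint32_t le32_at(const unsigned char *b, size_t off)
{
    return (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
           ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
}

/* Decode a raw security.capability value.  1 only when CAP_NET_RAW is in the
 * permitted set AND the effective flag is set (the "+ep" form the text uses);
 * "+p" alone would leave mtr-packet unable to open its sockets. */
int net_raw_cap_in_xattr(const unsigned char *buf, size_t len)
{
    if (len < VFS_CAP_MIN_SIZE) return 0;
    uint32_t magic = le32_at(buf, 0);
    uint32_t rev = magic & VFS_CAP_REVISION_MASK;
    if (rev != VFS_CAP_REVISION_2 && rev != VFS_CAP_REVISION_3) return 0;
    if (!(magic & VFS_CAP_FLAGS_EFFECTIVE)) return 0;
    return (le32_at(buf, 4) & (1u << CAP_NET_RAW_BIT)) != 0;  /* data[0].permitted */
}

/* 1 if the file carries cap_net_raw+ep; 0 otherwise, including ENODATA (no
 * attribute at all, which is what a plain copy of the binary ends up with). */
int file_has_net_raw_cap(const char *path)
{
    unsigned char buf[64];
    ssize_t n = getxattr(path, "security.capability", buf, sizeof buf);
    return n < 0 ? 0 : net_raw_cap_in_xattr(buf, (size_t)n);
}

/* Pure decision, checkable without root.  A setuid bit with a non-root owner
 * grants no raw sockets, so it counts as nothing. */
enum priv_mode classify_from_facts(mode_t mode, uid_t owner, int has_cap)
{
    int setuid_root = (mode & S_ISUID) != 0 && owner == 0;
    if (setuid_root && has_cap) return PRIV_BOTH;
    if (setuid_root) return PRIV_SETUID;
    return has_cap ? PRIV_CAPABILITY : PRIV_NONE;
}

enum priv_mode classify_mtr_packet(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return PRIV_ERROR;
    return classify_from_facts(st.st_mode, st.st_uid, file_has_net_raw_cap(path));
}

/* Constructed samples (not read from any file): the 20-byte revision-2 value
 * that "setcap cap_net_raw+ep" writes, and the "+p"-only variant. */
const unsigned char SAMPLE_SETCAP_XATTR[20] = {
    0x01, 0x00, 0x00, 0x02,   /* magic_etc: revision 2 | effective flag */
    0x00, 0x20, 0x00, 0x00,   /* data[0].permitted = 1 << 13 (CAP_NET_RAW) */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0   /* data[0].inheritable, data[1] */
};
const unsigned char SAMPLE_PERMITTED_ONLY_XATTR[20] = {
    0x00, 0x00, 0x00, 0x02,  0x00, 0x20, 0x00, 0x00,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0
};

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /path/to/mtr-packet\n", argv[0]);
        return 2;
    }
    enum priv_mode m = classify_mtr_packet(argv[1]);
    printf("%s: %s\n", argv[1], PRIV_NAMES[m + 1]);
    return m == PRIV_ERROR ? 1 : 0;
}
```

Run it against the installed path after "make install" and again after the setcap step: the expected progression is "setuid-root", then "setuid-root AND cap_net_raw+ep", then, after clearing the setuid bit, "file capability cap_net_raw+ep". Reading the attribute itself needs no privilege, so the check can be part of an unprivileged audit script.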


2. Run mtr as the root user.

You can limit mtr usage to the root user by not putting a setuid bit
on the mtr-packet binary (and not granting it a file capability). In
that case, the security implications are minimal: only a user who is
already root can open the raw sockets, so mtr-packet grants nothing the
caller did not already have.


3. Make mtr-packet a setuid-root binary.

The mtr-packet binary can be made setuid-root, which is what "make install"
does by default.

When mtr-packet is installed as setuid-root, some concern over security is
justified. mtr-packet does the following things after it is launched:

* mtr-packet opens sockets for sending raw packets and for receiving
  ICMP packets.
* mtr-packet drops root privileges by setting the effective uid to
  match the real uid of the user calling mtr.
* If capabilities support is available, mtr-packet drops all privileged
  capabilities.

The order is the point: the privileged sockets are opened first, while
the process still holds root or cap_net_raw, and the privileges are
dropped before the process goes on to do its real work, so everything
after that runs with the caller's own uid plus the already-open socket
descriptors. The interval between exec and the privilege drop is the only
part of mtr-packet that runs with elevated rights, which is why it is kept
small and handles no untrusted input.

See main() in packet.c and init_net_state_privileged() in probe_unix.c
for the details of this process.
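The sequence described above, as an added stand-alone C example rather than mtr-packet's own code (that lives in packet.c and probe_unix.c, as the text notes): open the raw sockets while privileged, then drop root and every capability, and verify that the drop took effect instead of assuming it. The socket types chosen, the use of the raw capget/capset syscalls instead of libcap, and the local copies of the kernel structs and constants are this example's own choices. Run it as root or with cap_net_raw+ep to see the sockets open; run it as an ordinary user and the drop still succeeds, which is exactly the no-op case of option 1.

```c
/* Added example, not mtr's own code: the open-then-drop sequence described
 * above as a stand-alone program (mtr-packet's real version is in packet.c
 * and probe_unix.c).  It talks to the kernel through the raw capget/capset
 * syscalls so it builds without libcap; the two structs and the constants
 * mirror <linux/capability.h>. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>

#define LINUX_CAPABILITY_VERSION_3 0x20080522u
#define LINUX_CAPABILITY_U32S_3    2
#define CAP_NET_RAW_BIT            13u

struct cap_hdr  { uint32_t version; int pid; };                   /* __user_cap_header_struct */
struct cap_data { uint32_t effective, permitted, inheritable; };  /* __user_cap_data_struct  */

/* Step 1, while still privileged: open the raw sockets.  Fails with EPERM
 * when the caller has neither root nor cap_net_raw. */
int open_privileged_sockets(int *send_fd, int *recv_fd)
{
    *send_fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);   /* send arbitrary IP packets */
    if (*send_fd < 0) return -1;
    *recv_fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);  /* see every arriving ICMP packet */
    if (*recv_fd < 0) {
        int saved = errno;
        close(*send_fd);
        *send_fd = -1;
        errno = saved;
        return -1;
    }
    return 0;
}

/* Step 2: become the calling user for good.  Group first (a non-root uid
 * could no longer change it), then uid.  Because the real id is set too,
 * Linux rewrites the saved set-user-ID as well, so setuid(0) cannot succeed
 * later.  Under option 1 the process never was root and this is a no-op. */
int drop_root(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setregid(gid, gid) != 0 || setreuid(uid, uid) != 0) return -1;
    if (geteuid() != uid || getegid() != gid) { errno = EPERM; return -1; }  /* verify, never assume */
    return 0;
}

/* Step 3: clear every capability set.  Needed for the file-capability install,
 * where the uid never changed and cap_net_raw would otherwise survive.
 * Shrinking the sets is always allowed, so this succeeds unprivileged too. */
int drop_all_capabilities(void)
{
    struct cap_hdr hdr = { LINUX_CAPABILITY_VERSION_3, 0 };  /* pid 0: calling thread */
    struct cap_data data[LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof data);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Check: 1 if the calling thread still holds cap_net_raw in its effective set. */
int have_effective_net_raw(void)
{
    struct cap_hdr hdr = { LINUX_CAPABILITY_VERSION_3, 0 };
    struct cap_data data[LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    return (data[0].effective & (1u << CAP_NET_RAW_BIT)) != 0;
}

/* Check: 1 if the kernel now refuses a new raw socket.  That is the property
 * the worst-case analysis below relies on: the only raw sockets a compromised
 * mtr-packet can ever use are the ones opened before the drop. */
int raw_socket_now_denied(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd >= 0) { close(fd); return 0; }
    return (errno == EPERM || errno == EACCES) ? 1 : 0;
}

int main(void)
{
    int send_fd, recv_fd;
    if (open_privileged_sockets(&send_fd, &recv_fd) != 0)
        fprintf(stderr, "raw sockets not opened (%s): needs root or cap_net_raw+ep\n", strerror(errno));
    else
        printf("raw sockets open: send fd %d, recv fd %d\n", send_fd, recv_fd);
    if (drop_root() != 0 || drop_all_capabilities() != 0) {
        perror("privilege drop failed, refusing to continue");   /* fail closed */
        return 1;
    }
    printf("now euid %u, cap_net_raw effective: %d, new raw socket denied: %d\n",
           (unsigned)geteuid(), have_effective_net_raw(), raw_socket_now_denied());
    return 0;   /* send_fd / recv_fd stay usable: open descriptors survive the drop */
}
```

The program refuses to continue if either drop step fails; a privileged helper that carried on after a failed setuid would be exactly the bug the layered design is meant to prevent.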

This should limit the possibilities of using mtr to breach system security.
The worst case scenario is as follows:

Due to some oversight in the mtr-packet code, a malicious user is able to
overrun one of mtr-packet's internal buffers with binary code that is
eventually executed. The malicious user is still not able to read
from or write to any system files other than those normally accessible
by the user running mtr, because by then the process runs with that
user's uid and holds no capabilities. The only privileges gained are
access to the raw sockets that were opened before the drop, which would
allow the malicious user to listen to all ICMP packets arriving at the
system, and to send forged packets with arbitrary contents, including
spoofed source addresses. This holds only because the drop is
irreversible: the saved set-user-ID is changed along with the effective
uid, so the injected code cannot simply set the uid back to 0. With
option 1 the process is never uid 0 at all, so the worst case is the same
while the exposure before the drop is smaller.


If you have further questions or comments about security issues,
please see the README file for details on how to submit them.