File: SECURITY

package info (click to toggle)
mtr 0.48-1
  • links: PTS
  • area: main
  • in suites: woody
  • size: 488 kB
  • ctags: 428
  • sloc: ansic: 3,348; sh: 285; makefile: 78
file content (33 lines) | stat: -rw-r--r-- 1,450 bytes parent folder | download | duplicates (9)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
SECURITY ISSUES RELATED TO MTR

You can limit mtr usage to the root user by not putting a setuid bit
on the mtr binary. In that case, the security implications are
minimal. 

Or you can make mtr setuid-root, and the following applies to you....

Since mtr is installed as suid-root, some concern over security is
justified.  Since version 0.21 of mtr, does the following two things
after it is launched:

*  mtr requests a pair of raw sockets from the kernel.  
*  mtr sets the effective uid to match the real uid.

See main() in mtr.c and net_preopen() in net.c for the details of this
process.  Note that no code from GTK+ or curses is executed before the
drop in permissions.

This should severely limit the possibilities of using mtr to breach
system security.  This means the worst case scenerio is as follows:

Due to some oversight in the mtr code, a malicious user is able to
overrun one of mtr's internal buffers with binary code that is
eventually executed.  The malicious user is still not able to read
from or write to any system files which they wouldn't normally have
permission to write to.  The only priveledge gained is access to the
raw socket descriptors, which would allow the malicious user to listen
to all ICMP packets arriving at the system, and send forged packets
with arbitrary contents.

If you have further questions or comments about security issues,
please direct them to the mtr mailing list.  See README for details.