
Bug#617424: marked as done (Consider improving enclosure of daemon.)



Your message dated Mon, 20 Oct 2014 21:30:11 +0000
with message-id <E1XgKWp-0003Nl-Lz@franck.debian.org>
and subject line Bug#617424: fixed in tcpspy 1.7d-9
has caused the Debian Bug report #617424,
regarding Consider improving enclosure of daemon.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
617424: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=617424
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: tcpspy
Version: 1.7d-4
Severity: wishlist
Tags: patch

Tcpspy is clearly intended to be a long living daemon.
As such it is reacting on an alarmingly large number
of signals. One could also argue that it would benefit
slightly from a stricter handling of file descriptors,
more in line with security measures for other daemons.
I contribute one mode of implementing these changes.

Best regards,
  Mats Erik Andersson, DM
Description: Improve security in daemonised execution.
 Ignore signals irrelevant to a long living daemon
 which was crafted with orderly shutdown.
 .
 Replace standard file descriptors with a tie to "/dev/null".
 .
 Yield controlling terminal properly by setting session ID.
Author: Mats Erik Andersson <debian@gisladisker.se>
Forwarded: no
Last-Update: 2011-03-08

--- tcpspy-1.7d.debian/tcpspy.c	2002-01-25 02:01:02.000000000 +0100
+++ tcpspy-1.7d/tcpspy.c	2011-03-08 20:56:37.000000000 +0100
@@ -53,7 +53,10 @@
 #include <sys/socket.h>
 #include <sys/time.h>
 #include <sys/types.h>
+#include <sys/stat.h>	/* umask() */
+#include <fcntl.h>	/* open /dev/null */
 #include <unistd.h>
+#include <paths.h>	/* _PATH_DEVNULL */
 
 #include "log.h"
 #include "rcsid.h"
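Review bot: <paths.h> in the added include lines is a BSD/glibc header rather than a POSIX one, so the build now depends on it for a single constant; a guarded fallback (`#ifndef _PATH_DEVNULL` followed by `#define _PATH_DEVNULL "/dev/null"`) keeps the file portable. The later hunks also call signal() and strerror() and read errno, and none of <signal.h>, <string.h> or <errno.h> appears in the include context visible here, so it is worth confirming they are already included earlier in the file.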
@@ -607,7 +610,16 @@
 
 	if (debug == 0) {
 		pid_t p;
+		int nullfd;
 
+		/* Hinder early disturbance generated by terminal. */
+		signal (SIGHUP,  SIG_IGN);
+		signal (SIGINT,  SIG_IGN);
+		signal (SIGQUIT, SIG_IGN);
+		signal (SIGTSTP, SIG_IGN);
+		signal (SIGUSR1, SIG_IGN);
+		signal (SIGUSR2, SIG_IGN);
+ 
 		/* 1st fork */
 		p = fork();
 		if (p < 0) {
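Review bot: the six signal() calls added before the first fork ignore these signals for the whole life of the daemon, not only "early" as the comment says: SIG_IGN dispositions are inherited across fork() and nothing in the visible lines restores them. If the orderly shutdown mentioned in the patch description relies on handlers for SIGINT or SIGHUP installed before this block, those handlers are now overridden, so the comment should state which signal remains the shutdown path (SIGTERM is untouched here). sigaction() would be the more predictable interface than signal(), and the whitespace-only added line after the SIGUSR2 call should be dropped.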
@@ -617,6 +629,13 @@
 		} else if (p != 0)
 			exit (0);
 
+		/* Give up controlling terminal */
+		if (setsid () < 0) {
+			fprintf (stderr, "tcpspy: setsid: %s\n",
+					strerror (errno));
+			exit (EXIT_FAILURE);
+		}
+
 		/* 2nd fork */
 		p = fork();
 		if (p < 0) {
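Review bot: the setsid() failure branch runs after the parent has already taken `exit (0)`, so whoever started the daemon sees success even when the child then leaves with EXIT_FAILURE and only a line on stderr. Because the child of a fork() is never a process group leader, setsid() is not expected to fail at this point, so this is a minor issue; a short comment saying why the call is placed between the two forks would document that for the next reader.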
@@ -630,11 +649,22 @@
 		}
 
 		ioctl (STDIN_FILENO, TIOCNOTTY, NULL);
-		close (STDIN_FILENO); 
-		close (STDOUT_FILENO); 
-		close (STDERR_FILENO);
+
+		nullfd = open (_PATH_DEVNULL, O_RDWR, 0);
+		if (nullfd < 0) {
+			fprintf (stderr, "tcpspy: cannot open %s\n",
+					_PATH_DEVNULL);
+			exit (EXIT_FAILURE);
+		}
+
+		dup2 (nullfd, STDIN_FILENO);
+		dup2 (nullfd, STDOUT_FILENO);
+		dup2 (nullfd, STDERR_FILENO);
+		close (nullfd);
+
 		setpgid (0, 0);
 		chdir ("/");
+		umask (0);
 	} else
 		fprintf (stderr, "tcpspy 1.7d started (debug)\n");
 
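Review bot: `close (nullfd);` after the three dup2() calls is unsafe when the daemon is started with one of the standard descriptors already closed: open() then returns 0, 1 or 2, dup2() onto the same number does nothing, and the close shuts that standard descriptor again, leaving a slot that the next open() or socket() will reuse. Guard it with `if (nullfd > STDERR_FILENO) close (nullfd);` and check the dup2() return values while stderr can still report a failure. Two smaller points: `umask (0)` lets any file the daemon creates be world-writable unless every open() passes a strict mode, so 022 or 077 fits a hardening patch better, and the retained ioctl (TIOCNOTTY) and setpgid (0, 0) calls look unnecessary once setsid() has run.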



--- End Message ---
--- Begin Message ---
Source: tcpspy
Source-Version: 1.7d-9

We believe that the bug you reported is fixed in the latest version of
tcpspy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 617424@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joao Eriberto Mota Filho <eriberto@debian.org> (supplier of updated tcpspy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 16 Oct 2014 17:07:26 -0300
Source: tcpspy
Binary: tcpspy
Architecture: source amd64
Version: 1.7d-9
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Joao Eriberto Mota Filho <eriberto@debian.org>
Description:
 tcpspy     - Incoming and Outgoing TCP/IP connections logger
Closes: 616355 616473 617424
Changes:
 tcpspy (1.7d-9) unstable; urgency=medium
 .
   * QA upload.
   * Upload to unstable.
   * Fixed a FTBFS in some architectures. Thanks a lot to
     Luis Valdes <luisvaldes88@gmail.com>.
   * debian/control: updated the long description.
   * debian/copyright:
       - Migrated to 1.0 format.
       - Updated the upstream and packaging data.
   * debian/manpages: created to install all manpages.
   * debian/patches/:
       - Added the 'add_support_to_ipv6' patch, written by Mats Erik Andersson
         <debian@gisladisker.se> and reviewed by Joao Eriberto Mota Filho. This
         patch implements a previous patch from the same author too. Part of
         the patch was directly applied to debian/tcpspy.rules.5. Thanks a lot
         to Mats. (Closes: #616355, #616473)
       - Added the 'add_security' patch. Thanks again to Mats Erik Andersson
         <debian@gisladisker.se>. (Closes: #617424)
       - Updated the 'manpage' patch.
   * debian/tcpspy.8: removed because the upstream has a manpage too.
   * debian/tcpspy.init:
       - Added the 'Description' field to header.
       - Added a call to LSB init functions.
       - Added a test to check the '/etc/tcpspy.rules' file presence.
       - added the 'status' option.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
