(CCing QA since the maintainer might be MIA: there has been no answer to quite a lot of bugs in arpwatch, the last upload from him was over two years ago and there has been an NMU in the meantime.)

I am considering uploading an NMU of arpwatch fixing a number of long standing bugs and making some improvements to the package. Attached is the full diff for the NMU, and here's the changelog:

arpwatch (2.1a11-6.2) unstable; urgency=low

  * Fixed race condition in the bihourly and arpfetch cron scripts.
    (Closes: #256381)
    [patch 023_arpfetch]
  * Added the -u flag to run arpwatch with lower privileges as suggested
    by Den Gaudet and with a patch based on RedHat's. Also, the
    'arpwatch' user is created on postinst and used by the init
    script (Closes: #217488)
    [patch 024_username]
  * Changed test statement in the init script from -f to -x (Closes: #211645)
  * Added Multicast, VRRP (note), VMWare (retrieved from FreeBSD's ethercodes)
    and Compaq MAC addresses (Closes: #227375)
  * Changed the sample lines of the configuration file to just 'root'
    instead of 'root+ethX@example.com' (Closes: #197138)
  * Create an empty arp.dat file at /var/lib/arpwatch/ if it does not
    exist when running 'start_default()' in the init script. This will
    make arpwatch work even if you have not customised arpwatch.conf or
    the preinst fails to create that file.
    (Closes: #145259)
    [patch 025_arpdat]
  * Small improvements in arp2ethers so that it uses the default location
    of the arp.dat file, also noticed this in the manpage.
    [patch 026_arp2ethers2]

Are you OK with this? (If I don't see any answer in a few days I will NMU; after all, I already expressed my intent to NMU in #145259.)

Best regards

Javier
diff -Nru arpwatch-2.1a11.old/debian/arpwatch.postinst arpwatch-2.1a11/debian/arpwatch.postinst --- arpwatch-2.1a11.old/debian/arpwatch.postinst 2002-03-07 19:07:39.000000000 +0100 +++ arpwatch-2.1a11/debian/arpwatch.postinst 2004-06-26 20:31:17.000000000 +0200 @@ -1,8 +1,68 @@ #!/bin/sh # arpwatch.postinst: v0.03 2002/03/07 KELEMEN Peter <fuji@debian.org> +# Modified to create arpwatch user and group by Javier Fernandez-Sanguino set -e + +NUSER="arpwatch" +NUSERGROUP="arpwatch" +NUSERHOME="/var/lib/arpwatch" +NUSERFNAME="Arpwatch user" +# Set this to an empty value so its asigned by the system +NUSERID= +NUSERGID= + +case "$1" in + configure) + if ! getent group | grep -q "^$NUSERGROUP:"; then + if [ -n "$NUSERGID" ] ; then + addgroup --quiet --system --gid $NUSERGID $NUSERGROUP + else + addgroup --quiet --system $NUSERGROUP + fi + fi + + if ! getent passwd | grep -q "^$NUSER:"; then + if [ -n "$NUSERID" ] ; then + adduser --quiet --system --home $NUSERHOME \ + --gecos "$NUSERFNAME" \ + --disabled-login \ + --disabled-password \ + --no-create-home \ + --ingroup $NUSERGROUP \ + --shell /bin/bash \ + --uid $NUSERID \ + $NUSER + else + adduser --quiet --system --home $NUSERHOME \ + --gecos "$NUSERFNAME" \ + --disabled-login \ + --disabled-password \ + --no-create-home \ + --ingroup $NUSERGROUP \ + --shell /bin/bash \ + $NUSER + fi + fi + NUSERID=`getent passwd |grep "^$NUSER:" | cut -f 3 -d ':'` + NUSERGID=`getent passwd |grep "^$NUSER:" | cut -f 4 -d ':'` + # Setup the $HOME directory + [ -d $NUSERHOME ] && [ -n "$NUSERID" ] && [ -n "$NUSERGID" ] && { \ + chown -R $NUSERID:$NUSERGID $NUSERHOME ; \ + chmod -R o-rwX $NUSERHOME ; } + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + NAME=arpwatch DBDIR=/var/lib/$NAME DBFILE=arp.dat 
@@ -23,7 +83,7 @@ [ -d $BACKUPDIR ] || { echo "$NAME: No backup, no restore -- creating empty arp.dat file."; touch $DBDIR/$DBFILE - chown root:root $DBDIR/$DBFILE + chown $NUSER:$NUSERGROUP $DBDIR/$DBFILE chmod 0644 $DBDIR/$DBFILE exit 0 } @@ -33,4 +93,4 @@ #DEBHELPER# -# End of file. +exit 0 diff -Nru arpwatch-2.1a11.old/debian/arpwatch.postrm arpwatch-2.1a11/debian/arpwatch.postrm --- arpwatch-2.1a11.old/debian/arpwatch.postrm 1970-01-01 01:00:00.000000000 +0100 +++ arpwatch-2.1a11/debian/arpwatch.postrm 2004-06-26 19:31:33.000000000 +0200 @@ -0,0 +1,54 @@ +#! /bin/sh +# postrm script for rsbac-admin + +NUSER=arpwatch +NGROUP=arpwatch + +set -e + +case "$1" in + purge) + # find first and last SYSTEM_UID numbers + for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do + case $LINE in + FIRST_SYSTEM_UID*) + FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='` + ;; + LAST_SYSTEM_UID*) + LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='` + ;; + *) + ;; + esac + done + # remove system account if necessary + if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then + if USERID=`getent passwd $NUSER | cut -f 3 -d ':'`; then + if [ -n "$USERID" ]; then + if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \ + [ "$USERID" -le "$LAST_SYSTEM_UID" ]; then + deluser --quiet $NUSER || true + # And then remove the group + if GROUPID=`getent group $NGROUP | cut -f 3 -d ':'`; then + delgroup --quiet $NGROUP || true + fi + fi + fi + fi + fi + + ;; + remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + + + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + +esac + +#DEBHELPER# + +exit 0 diff -Nru arpwatch-2.1a11.old/debian/changelog arpwatch-2.1a11/debian/changelog --- arpwatch-2.1a11.old/debian/changelog 2002-08-10 11:39:47.000000000 +0200 +++ arpwatch-2.1a11/debian/changelog 2004-06-26 20:45:47.000000000 +0200 
@@ -1,3 +1,30 @@ +arpwatch (2.1a11-6.2) unstable; urgency=low + + * Fixed race condition in the bihourly and arpfetch cron scripts. + (Closes: #256381) + [patch 023_arpfetch] + * Added the -u flag to run arpwatch with lower privileges as suggested + by Den Gaudet and with a patch based on RedHat's. Also, the + 'arpwatch' user is created on postinst and used by the init + script (Closes: #217488) + [patch 024_username] + * Changed test statement in the init script from -f to -x (Closes: #211645) + * Added Multicast, VRRP (note), VMWare (retrieved from FreeBSD's ethercodes) + and Compaq MAC addresses (Closes: #227375) + * Changed the sample lines of the configuration file to just 'root' + instead of 'root+ethX@example.com' (Closes: #197138) + * Create an empty arp.dat file at /var/lib/arpwatch/ if it does not + exist when running 'start_default()' in the init script. This will + make arpwatch work even if you have not customised arpwatch.conf or + the preinst fails to create that file. + (Closes: #145259) + [patch 025_arpdat] + * Small improvements in arp2ethers so that it uses the default location + of the arp.dat file, also noticed this in the manpage. + [patch 026_arp2ethers2] + + -- Javier Fernandez-Sanguino Pen~a <jfs@computer.org> Sat, 26 Jun 2004 18:34:49 +0200 + arpwatch (2.1a11-6.1) unstable; urgency=low * Non maintainer upload diff -Nru arpwatch-2.1a11.old/debian/init.d arpwatch-2.1a11/debian/init.d --- arpwatch-2.1a11.old/debian/init.d 2001-12-17 13:58:56.000000000 +0100 +++ arpwatch-2.1a11/debian/init.d 2004-06-26 20:34:22.000000000 +0200 
@@ -4,17 +4,20 @@ # 2001/10/26 fuji@debian.org Support multiple instances. # 2001/11/24 fuji@debian.org Use POSIX-style functions. # 2001/12/17 fuji@debian.org Use --pidfile on startup, fix restart. +# 2004/06/26 jfs@debian.org Run as a different username if possible PATH=/sbin:/bin:/usr/sbin:/usr/bin NAME=arpwatch DAEMON=/usr/sbin/$NAME DESC="Ethernet/FDDI station monitor daemon" DATADIR=/var/lib/$NAME +# Run as a non-root user (empty this value to run as root) +MYUSER=arpwatch +CONF=/etc/arpwatch.conf -test -f $DAEMON || exit 0 +test -x $DAEMON || exit 0 # Decide if we have to deal with multiple interfaces. -CONF=/etc/arpwatch.conf MULTIPLE=0 if [ -r $CONF ]; then grep -c '^[a-z]' $CONF 2>&1 >/dev/null @@ -28,6 +31,17 @@ ARGS="-N -p" fi +# If we want to run as a separate user do so, unless the +# user does not exist +if [ -n "$MYUSER" ] ; then + if getent passwd | grep -q "^$MYUSER:"; then + MYUSER="" + fi +fi +if [ -n "$MYUSER" ] ; then + ARGS="-u $MYUSER $ARGS" +fi + ### You shouldn't touch anything below unless you know what you are doing. start_instance () { @@ -38,6 +52,7 @@ if [ ! -f $DATAFILE ]; then echo "N: Creating arpwatch data file $DATAFILE for ${IFACE}." :> $DATAFILE + [ -n "$MYUSER" ] && chown $MYUSER $DATAFILE fi echo -n "Starting $DESC: " start-stop-daemon --start --quiet \ @@ -78,9 +93,16 @@ } start_default () { + DATAFILE=$DATADIR/arp.dat + if [ ! -f $DATAFILE ]; then + echo "N: Creating arpwatch data file $DATAFILE for default inte +rface." + :> $DATAFILE + [ -n "$MYUSER" ] && chown $MYUSER $DATAFILE + fi echo -n "Starting $DESC: " start-stop-daemon --start --quiet \ - --exec $DAEMON -- $ARGS + --exec $DAEMON -- -f $DATAFILE $ARGS echo "$NAME." } diff -Nru arpwatch-2.1a11.old/debian/local/arpwatch.conf arpwatch-2.1a11/debian/local/arpwatch.conf --- arpwatch-2.1a11.old/debian/local/arpwatch.conf 2001-11-24 17:22:30.000000000 +0100 +++ arpwatch-2.1a11/debian/local/arpwatch.conf 2004-06-26 19:46:17.000000000 +0200 
@@ -9,5 +9,7 @@ # You can set global options for all interfaces by editing # /etc/init.d/arpwatch -#eth0 -N -p -m root+eth0@example.com -#eth1 -N -p -m root+eth1@example.com +# Uncomment this lines to have these interfaces monitored +# sending mails to the local root user +#eth0 -N -p -m root +#eth1 -N -p -m root diff -Nru arpwatch-2.1a11.old/debian/local/ethercodes.dat arpwatch-2.1a11/debian/local/ethercodes.dat --- arpwatch-2.1a11.old/debian/local/ethercodes.dat 2002-03-07 18:47:55.000000000 +0100 +++ arpwatch-2.1a11/debian/local/ethercodes.dat 2004-06-26 20:38:16.000000000 +0200 @@ -82,7 +82,7 @@ 0:0:5b Eltec Elektronik AG [Eltec] 0:0:5c Telematics International Inc. 0:0:5d CS Telecom [RCE] -0:0:5e USC Information Sciences Inst [U.S. Department of Defense (IANA)] +0:0:5e USC Information Sciences Inst [U.S. Department of Defense (IANA)] [Note: used by VRRP] 0:0:5f Sumitomo Electric Ind., Ltd. [Sumitomo] 0:0:6 Xerox Corporation 0:0:60 Kontron Elektronik GmbH @@ -4687,6 +4687,7 @@ 0:aa:1 Intel Corporation 0:aa:2 Intel Corporation 0:aa:3c Olivetti Telecom SPA (Olteco) +0:b:cd Compaq Computer Corporation (HP) 0:b0:17 Infogear Technology Corp. 0:b0:19 Casi-Rusco 0:b0:1c Westport Technologies @@ -5511,6 +5512,7 @@ 0:e0:fe Cisco Systems, Inc. [Cisco] 0:e0:ff Security Dynamics Technologies, Inc. 0:e6:d3 Nixdorf Computer Corp. +1:0:5e Internet Multicast 10:0:0 Private 10:0:5a IBM Corporation [IBM] 10:0:90 Hewlett-Packard Advisor products @@ -5710,3 +5712,5 @@ c0:0:0 Western Digital (may be reversed 00 00 C0?) e2:c:f Kingston Technologies ec:10:0 Enance Source Co., Ltd. PC clones(?) +0:bd:11 VMWare Inc +0:bd:fb VMWare Inc diff -Nru arpwatch-2.1a11.old/debian/patches/022_bihourly arpwatch-2.1a11/debian/patches/022_bihourly --- arpwatch-2.1a11.old/debian/patches/022_bihourly 1970-01-01 01:00:00.000000000 +0100 +++ arpwatch-2.1a11/debian/patches/022_bihourly 2004-06-26 18:33:52.000000000 +0200 
@@ -0,0 +1,11 @@ +--- arpwatch-2.1a11/bihourly.orig 2004-06-26 18:33:22.000000000 +0200 ++++ arpwatch-2.1a11/bihourly 2004-06-26 18:33:24.000000000 +0200 +@@ -10,7 +10,7 @@ + # + list=`cat list` + cname=`cat cname` +-errs=/tmp/bihourly.$$ ++errs=`mktemp -t bihourly.XXXXXX` || exit 1 + # + alist="" + for r in $list; do \ diff -Nru arpwatch-2.1a11.old/debian/patches/023_arpfetch arpwatch-2.1a11/debian/patches/023_arpfetch --- arpwatch-2.1a11.old/debian/patches/023_arpfetch 1970-01-01 01:00:00.000000000 +0100 +++ arpwatch-2.1a11/debian/patches/023_arpfetch 2004-06-26 18:36:29.000000000 +0200 @@ -0,0 +1,13 @@ +--- arpwatch-2.1a11/arpfetch.orig 2004-06-26 18:35:32.000000000 +0200 ++++ arpwatch-2.1a11/arpfetch 2004-06-26 18:36:16.000000000 +0200 +@@ -10,8 +10,8 @@ + # + host=$1 + cname=$2 +-temp=/tmp/arpfetch.temp.$$ +-errs=/tmp/arpfetch.errs.$$ ++temp=`mktemp -t arpfetch.temp.XXXXX` || exit 1 ++errs=`mktemp -t arpfetch.errs.XXXXX` || exit 1 + what="ip.ipnettomediatable.ipnettomediaentry.ipnettomediaphysaddress" + # + # Get the data diff -Nru arpwatch-2.1a11.old/debian/patches/024_username arpwatch-2.1a11/debian/patches/024_username --- arpwatch-2.1a11.old/debian/patches/024_username 1970-01-01 01:00:00.000000000 +0100 +++ arpwatch-2.1a11/debian/patches/024_username 2004-06-26 20:11:00.000000000 +0200 
@@ -0,0 +1,137 @@ +--- arpwatch-2.1a11/arpwatch.8.orig 2004-06-26 20:02:46.000000000 +0200 ++++ arpwatch-2.1a11/arpwatch.8 2004-06-26 20:02:52.000000000 +0200 +@@ -44,6 +44,10 @@ + .B -r + .I file + ] ++] [ ++.B -u ++.I username ++] + .ad + .SH DESCRIPTION + .B Arpwatch +@@ -94,10 +98,26 @@ + .B arpwatch + does not fork. + .LP ++If the ++.B -u ++flag is used, ++.B arpwatch ++drops root privileges and changes user ID to ++.I username ++and group ID to that of the primary group of ++.IR username . ++This is recommended for security reasons. ++.LP + Note that an empty + .I arp.dat + file must be created before the first time you run + .BR arpwatch . ++Also, the default directory (where arp.dat is stored) must be owned ++by ++.I username ++if ++.BR -u ++flag is used. + .LP + .SH "REPORT MESSAGES" + Here's a quick list of the report messages generated by +--- arpwatch-2.1a11/arpwatch.c.orig 2004-06-26 20:10:30.000000000 +0200 ++++ arpwatch-2.1a11/arpwatch.c 2004-06-26 20:10:44.000000000 +0200 +@@ -62,7 +62,8 @@ + #include <string.h> + #include <syslog.h> + #include <unistd.h> +- ++#include <pwd.h> ++#include <grp.h> + #include <pcap.h> + + #include "gnuc.h" +@@ -142,6 +143,24 @@ + int sanity_fddi(struct fddi_header *, struct ether_arp *, int); + __dead void usage(void) __attribute__((volatile)); + ++void dropprivileges(const char* user) ++{ ++ struct passwd* pw; ++ pw = getpwnam( user ); ++ if ( pw ) { ++ if ( initgroups(pw->pw_name, NULL) != 0 || setgid(pw->pw_gid) != 0 || ++ setuid(pw->pw_uid) != 0 ) { ++ syslog(LOG_ERR, "Couldn't change to '%.32s' uid=%d gid=%d", user,pw->pw_uid, pw->pw_gid); ++ exit(1); ++ } ++ } ++ else { ++ syslog(LOG_ERR, "Couldn't find user '%.32s' in /etc/passwd", user); ++ exit(1); ++ } ++ syslog(LOG_DEBUG, "Running as uid=%d gid=%d", getuid(), getgid()); ++} ++ + int + main(int argc, char **argv) + { +@@ -154,6 +173,7 @@ + register char *interface, *rfilename; + struct bpf_program code; + char errbuf[PCAP_ERRBUF_SIZE]; ++ char* serveruser = 
NULL; + char options[] = + "a" + "d" +@@ -165,6 +185,7 @@ + "p" + "r:" + "s:" ++ "u:" + ; + + if (argv[0] == NULL) +@@ -230,7 +251,15 @@ + case 's': + path_sendmail = optarg; + break; +- ++ case 'u': ++ if ( optarg ) { ++ serveruser = strdup(optarg); ++ } ++ else { ++ fprintf(stderr, "%s: Need username after -u\n", prog); ++ usage(); ++ } ++ break; + default: + usage(); + } +@@ -308,12 +337,16 @@ + #endif + } + ++ if ( serveruser ) { ++ dropprivileges( serveruser ); ++ } else { + /* + * Revert to non-privileged user after opening sockets + * (not needed on most systems). + */ +- setgid(getgid()); +- setuid(getuid()); ++ setgid(getgid()); ++ setuid(getuid()); ++ } + + /* Must be ethernet or fddi */ + linktype = pcap_datalink(pd); +@@ -787,6 +820,7 @@ + "[-n net[/width]] " + "[-r file]\n\t" + "[-s sendmail_path] " ++ "[-u username] " + "\n" + ; + diff -Nru arpwatch-2.1a11.old/debian/patches/025_arpdat arpwatch-2.1a11/debian/patches/025_arpdat --- arpwatch-2.1a11.old/debian/patches/025_arpdat 1970-01-01 01:00:00.000000000 +0100 +++ arpwatch-2.1a11/debian/patches/025_arpdat 2004-06-26 19:53:18.000000000 +0200 @@ -0,0 +1,15 @@ +--- arpwatch-2.1a11/arpwatch.8.orig 2004-06-26 19:09:50.000000000 +0200 ++++ arpwatch-2.1a11/arpwatch.8 2004-06-26 19:52:47.000000000 +0200 +@@ -64,7 +64,11 @@ + .B -f + flag is used to set the ethernet/ip address database filename. + The default is +-.IR arp.dat . ++.IR arp.dat ++in the current working directory. ++(Debian specific) The default location for this file for the daemon, ++if not specified will be ++.IR /var/lib/arpwatch/arp.dat . + .LP + The + .B -i diff -Nru arpwatch-2.1a11.old/debian/patches/026_arp2ethers2 arpwatch-2.1a11/debian/patches/026_arp2ethers2 --- arpwatch-2.1a11.old/debian/patches/026_arp2ethers2 1970-01-01 01:00:00.000000000 +0100 +++ arpwatch-2.1a11/debian/patches/026_arp2ethers2 2004-06-26 20:44:54.000000000 +0200 
@@ -0,0 +1,55 @@ +--- arpwatch-2.1a11/arp2ethers.orig 2004-06-26 20:39:42.000000000 +0200 ++++ arpwatch-2.1a11/arp2ethers 2004-06-26 20:41:45.000000000 +0200 +@@ -17,8 +17,18 @@ + # + # 2000-03-21 Erik Warmelink <erik@selwerd.nl> + # Use next instead of continue in included p.awk. ++# ++# 2004-06-26 Javier Fernandez-Sanguino <jfs@debian.org> ++# Use a default file or the one provided in the command line ++ ++FILE=/var/lib/arpwatch/arp.dat ++[ -n "$1" ] && FILE=$1 ++[ -r "$FILE" ] && { ++ echo "Cannot read file $FILE" ++ exit 1 ++} + +-sort +2rn arp.dat | \ ++sort +2rn $FILE | \ + awk 'NF == 4 { print }' | \ + # 1999-04-12 KELEMEN Peter <fuji@debian.org> + # awk -f p.awk | \ +--- arpwatch-2.1a11/arp2ethers.8.orig 2004-06-26 20:39:48.000000000 +0200 ++++ arpwatch-2.1a11/arp2ethers.8 2004-06-26 20:43:39.000000000 +0200 +@@ -4,12 +4,16 @@ + .SH SYNOPSIS + .na + .B arp2ethers ++[ ++.B arp.dat file ++] + .ad + .SH "DESCRIPTION" + .B arp2ethers +-converts a file named +-.IR arp.dat +-in the current working directory into ++converts the file ++.IR /var/lib/arpwatch/arp.dat ++(or the file specified in the command line) ++into + .BR ethers(5) + format on + .IR stdout . +@@ -17,6 +21,10 @@ + .IR arp.dat + is an ethernet/ip database file generated by + .BR arpwatch(8) . ++The Debian daemon will create different ++.IR arp.dat ++depending on its configuration. All of them will be available at ++.IR /var/lib/arpwatch/ . + .SH FILES + .na + .nh
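Review bot: in the postinst hunk that creates the account (@@ -1,8 +1,68 @@), the new system user gets `--shell /bin/bash` even though it is created with --disabled-login and --disabled-password; an account that exists only so arpwatch can drop privileges to it has no need for an interactive shell, so `--shell /bin/false` (or the distribution's nologin shell) would match the least-privilege intent of the change. Two smaller points in the same hunk: `getent passwd | grep -q "^$NUSER:"` and the later `NUSERID=\`getent passwd |grep "^$NUSER:" | cut -f 3 -d ':'\`` enumerate the whole passwd database where `getent passwd "$NUSER"` answers directly (the postrm already uses that form), and the comment "so its asigned by the system" should read "so it is assigned by the system". Since postinst and postrm now call addgroup/adduser/deluser/delgroup and the diff carries no debian/control change, please confirm the package Depends on adduser.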
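Review bot: in the new postrm (@@ -0,0 +1,54 @@) the group removal is effectively unconditional: `if GROUPID=\`getent group $NGROUP | cut -f 3 -d ':'\`; then` tests the exit status of cut, which is 0 whether or not getent found the group, so GROUPID is assigned but never checked; mirror the user branch and test `[ -n "$GROUPID" ]` before calling delgroup. The header comment still says "postrm script for rsbac-admin" (copy-paste leftover), and the variable is spelled FIST_SYSTEM_UID throughout; it works because the misspelling is consistent, but FIRST_SYSTEM_UID would be less confusing for the next reader.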
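Review bot: the changelog entry for #256381 names only [patch 023_arpfetch], but the temp-file fix is split across 022_bihourly and 023_arpfetch in this diff; list both so the patch numbering stays traceable. The arp.dat entry also says "the preinst fails to create that file" while the file is created by the postinst in this package (`touch $DBDIR/$DBFILE` in the hunk at @@ -23,7 +83,7 @@).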
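Review bot: the user check in the init script (@@ -28,6 +31,17 @@) is inverted and defeats the -u feature: `if getent passwd | grep -q "^$MYUSER:"; then MYUSER=""` clears MYUSER exactly when the arpwatch user exists, so `-u $MYUSER` is never added to ARGS and the daemon keeps running as root, silently. The comment above it says "unless the user does not exist", so the test should be `if ! getent passwd | grep -q "^$MYUSER:"`. Consider also printing a warning when the fallback to root is taken, so an operator can see that the privilege drop is not in effect.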
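Review bot: the start_default hunk (@@ -78,9 +93,16 @@) shows the message as `echo "N: Creating arpwatch data file $DATAFILE for default inte` followed by `+rface."`, which looks like a mail line-wrap of one long line; please confirm the patch file itself has it on a single line, otherwise the script has a syntax error there. Separately, the new man page text in 024_username says the directory holding arp.dat must be owned by the -u user, while this hunk only does `chown $MYUSER $DATAFILE` on the file; that works because the postinst does `chown -R $NUSERID:$NUSERGID $NUSERHOME`, so a locally changed DATADIR would not be covered.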
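Review bot: "Uncomment this lines" in the arpwatch.conf hunk (@@ -9,5 +9,7 @@) should read "Uncomment these lines".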
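Review bot: the two VMWare entries in ethercodes.dat (@@ -5710,3 +5712,5 @@) are appended after `ec:10:0 Enance Source Co., Ltd.`, out of the file's prefix order, and `0:b:cd Compaq Computer Corporation (HP)` lands between 0:aa:3c and 0:b0:17; worth confirming that nothing consuming this file depends on the order, and, since the changelog says the VMWare prefixes were taken from FreeBSD's list rather than from the IEEE registry, double-checking those two OUIs against the IEEE OUI data before shipping.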
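Review bot: in 023_arpfetch the templates `arpfetch.temp.XXXXX` and `arpfetch.errs.XXXXX` have five X's while 022_bihourly uses six (`bihourly.XXXXXX`); traditional mktemp implementations require at least six trailing X's, so use six in both for portability. The `|| exit 1` guards are the right fix for the predictable /tmp names; also check that the parts of both scripts not shown in the hunks still remove the temp files on exit, since the names are now unpredictable but the files are still left behind if the script dies.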
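Review bot: dropprivileges() in 024_username (@@ -142,6 +143,24 @@) gets the order right (initgroups, setgid, setuid, each checked) and is called at the point marked "Revert to non-privileged user after opening sockets", which is what -u needs since the capture device is opened as root. Two small points: the `else` branch under `case 'u':` is unreachable because `"u:"` makes getopt always supply optarg, and in the fallback path the re-indented `setgid(getgid()); setuid(getuid());` still ignore their return values, unlike the new code beside them. Also, pw_uid and pw_gid are printed with `%d`; casting to (unsigned) and using `%u` keeps the syslog format correct where uid_t is unsigned.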
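Review bot: the readability test in 026_arp2ethers2 is inverted: `[ -r "$FILE" ] && { echo "Cannot read file $FILE"; exit 1; }` exits with the error when the file is readable and continues when it is not; it needs `||` instead of `&&`. The message should also go to stderr (`echo "Cannot read file $FILE" >&2`), since the script's stdout is the ethers(5) output that callers redirect into a file.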