(CCing QA since the maintainer might be MIA; there has been no answer to
quite a lot of bugs in arpwatch, the last upload from him was over two
years ago and there has been an NMU in the meantime)
I am considering uploading an NMU of arpwatch fixing a number of long
standing bugs and making some improvements to the package. Attached is the
full diff for the NMU, and here's the changelog:
arpwatch (2.1a11-6.2) unstable; urgency=low
* Fixed race condition in the bihourly and arpfetch cron scripts.
(Closes: #256381)
[patch 023_arpfetch]
* Added the -u flag to run arpwatch with lower privileges as suggested
by Den Gaudet and with a patch based on RedHat's. Also, the
'arpwatch' user is created on postinst and used by the init
script (Closes: #217488)
[patch 024_username]
* Changed test statement in the init script from -f to -x (Closes: #211645)
* Added Multicast, VRRP (note), VMWare (retrieved from FreeBSD's ethercodes)
and Compaq MAC addresses (Closes: #227375)
* Changed the sample lines of the configuration file to just 'root'
instead of 'root+ethX@example.com' (Closes: #197138)
* Create an empty arp.dat file at /var/lib/arpwatch/ if it does not
exist when running 'start_default()' in the init script. This will
make arpwatch work even if you have not customised arpwatch.conf or
the preinst fails to create that file.
(Closes: #145259)
[patch 025_arpdat]
* Small improvements in arp2ethers so that it uses the default location
of the arp.dat file, also noticed this in the manpage.
[patch 026_arp2ethers2]
Are you OK with this? (If I don't see any answer in a few days I will NMU;
after all, I already expressed my intent to NMU in #145259)
Best regards
Javier
diff -Nru arpwatch-2.1a11.old/debian/arpwatch.postinst arpwatch-2.1a11/debian/arpwatch.postinst
--- arpwatch-2.1a11.old/debian/arpwatch.postinst 2002-03-07 19:07:39.000000000 +0100
+++ arpwatch-2.1a11/debian/arpwatch.postinst 2004-06-26 20:31:17.000000000 +0200
@@ -1,8 +1,68 @@
#!/bin/sh
# arpwatch.postinst: v0.03 2002/03/07 KELEMEN Peter <fuji@debian.org>
+# Modified to create arpwatch user and group by Javier Fernandez-Sanguino
set -e
+
+NUSER="arpwatch"
+NUSERGROUP="arpwatch"
+NUSERHOME="/var/lib/arpwatch"
+NUSERFNAME="Arpwatch user"
+# Set this to an empty value so its asigned by the system
+NUSERID=
+NUSERGID=
+
+case "$1" in
+ configure)
+ if ! getent group | grep -q "^$NUSERGROUP:"; then
+ if [ -n "$NUSERGID" ] ; then
+ addgroup --quiet --system --gid $NUSERGID $NUSERGROUP
+ else
+ addgroup --quiet --system $NUSERGROUP
+ fi
+ fi
+
+ if ! getent passwd | grep -q "^$NUSER:"; then
+ if [ -n "$NUSERID" ] ; then
+ adduser --quiet --system --home $NUSERHOME \
+ --gecos "$NUSERFNAME" \
+ --disabled-login \
+ --disabled-password \
+ --no-create-home \
+ --ingroup $NUSERGROUP \
+ --shell /bin/bash \
+ --uid $NUSERID \
+ $NUSER
+ else
+ adduser --quiet --system --home $NUSERHOME \
+ --gecos "$NUSERFNAME" \
+ --disabled-login \
+ --disabled-password \
+ --no-create-home \
+ --ingroup $NUSERGROUP \
+ --shell /bin/bash \
+ $NUSER
+ fi
+ fi
+ NUSERID=`getent passwd |grep "^$NUSER:" | cut -f 3 -d ':'`
+ NUSERGID=`getent passwd |grep "^$NUSER:" | cut -f 4 -d ':'`
+ # Setup the $HOME directory
+ [ -d $NUSERHOME ] && [ -n "$NUSERID" ] && [ -n "$NUSERGID" ] && { \
+ chown -R $NUSERID:$NUSERGID $NUSERHOME ; \
+ chmod -R o-rwX $NUSERHOME ; }
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
NAME=arpwatch
DBDIR=/var/lib/$NAME
DBFILE=arp.dat
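Review bot: the service account is created with `--shell /bin/bash` in both adduser branches even though it is `--disabled-login`/`--disabled-password`; a daemon account that never needs an interactive session should get `/bin/false` or `/usr/sbin/nologin`, so that the arpwatch user cannot be used interactively if a password is ever set on it. Two smaller points: the two adduser calls differ only in `--uid $NUSERID`, so they could be folded into one call; and `getent passwd | grep -q "^$NUSER:"` can simply be `getent passwd "$NUSER" >/dev/null` (likewise for the group), which avoids dumping the whole NSS database through grep. Typo in the comment: `asigned`.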
@@ -23,7 +83,7 @@
[ -d $BACKUPDIR ] || {
echo "$NAME: No backup, no restore -- creating empty arp.dat file.";
touch $DBDIR/$DBFILE
- chown root:root $DBDIR/$DBFILE
+ chown $NUSER:$NUSERGROUP $DBDIR/$DBFILE
chmod 0644 $DBDIR/$DBFILE
exit 0
}
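Review bot: after the `chown $NUSER:$NUSERGROUP`, the file is still made world-readable by the unchanged `chmod 0644`, while the directory was just given `o-rwX` in the configure block above; if arp.dat is not meant to be readable by other users, `0640` here would match that policy.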
@@ -33,4 +93,4 @@
#DEBHELPER#
-# End of file.
+exit 0
diff -Nru arpwatch-2.1a11.old/debian/arpwatch.postrm arpwatch-2.1a11/debian/arpwatch.postrm
--- arpwatch-2.1a11.old/debian/arpwatch.postrm 1970-01-01 01:00:00.000000000 +0100
+++ arpwatch-2.1a11/debian/arpwatch.postrm 2004-06-26 19:31:33.000000000 +0200
@@ -0,0 +1,54 @@
+#! /bin/sh
+# postrm script for rsbac-admin
+
+NUSER=arpwatch
+NGROUP=arpwatch
+
+set -e
+
+case "$1" in
+ purge)
+ # find first and last SYSTEM_UID numbers
+ for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do
+ case $LINE in
+ FIRST_SYSTEM_UID*)
+ FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
+ ;;
+ LAST_SYSTEM_UID*)
+ LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
+ ;;
+ *)
+ ;;
+ esac
+ done
+ # remove system account if necessary
+ if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then
+ if USERID=`getent passwd $NUSER | cut -f 3 -d ':'`; then
+ if [ -n "$USERID" ]; then
+ if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \
+ [ "$USERID" -le "$LAST_SYSTEM_UID" ]; then
+ deluser --quiet $NUSER || true
+ # And then remove the group
+ if GROUPID=`getent group $NGROUP | cut -f 3 -d ':'`; then
+ delgroup --quiet $NGROUP || true
+ fi
+ fi
+ fi
+ fi
+ fi
+
+ ;;
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+
+
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+
+esac
+
+#DEBHELPER#
+
+exit 0
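Review bot: the header comment `# postrm script for rsbac-admin` is a copy-paste leftover and should name arpwatch. In the purge branch, `if USERID=\`getent passwd $NUSER | cut -f 3 -d ':'\`` always succeeds, because the status of a pipeline is that of `cut`, so the outer `if` does nothing and only the `[ -n "$USERID" ]` test does real work; the same applies to the `GROUPID` test, where `delgroup` runs even when `getent group` found nothing (masked only by `|| true`). `FIST_SYSTEM_UID` is used consistently so it works, but renaming it to `FIRST_SYSTEM_UID` would stop it reading like a bug.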
diff -Nru arpwatch-2.1a11.old/debian/changelog arpwatch-2.1a11/debian/changelog
--- arpwatch-2.1a11.old/debian/changelog 2002-08-10 11:39:47.000000000 +0200
+++ arpwatch-2.1a11/debian/changelog 2004-06-26 20:45:47.000000000 +0200
@@ -1,3 +1,30 @@
+arpwatch (2.1a11-6.2) unstable; urgency=low
+
+ * Fixed race condition in the bihourly and arpfetch cron scripts.
+ (Closes: #256381)
+ [patch 023_arpfetch]
+ * Added the -u flag to run arpwatch with lower privileges as suggested
+ by Den Gaudet and with a patch based on RedHat's. Also, the
+ 'arpwatch' user is created on postinst and used by the init
+ script (Closes: #217488)
+ [patch 024_username]
+ * Changed test statement in the init script from -f to -x (Closes: #211645)
+ * Added Multicast, VRRP (note), VMWare (retrieved from FreeBSD's ethercodes)
+ and Compaq MAC addresses (Closes: #227375)
+ * Changed the sample lines of the configuration file to just 'root'
+ instead of 'root+ethX@example.com' (Closes: #197138)
+ * Create an empty arp.dat file at /var/lib/arpwatch/ if it does not
+ exist when running 'start_default()' in the init script. This will
+ make arpwatch work even if you have not customised arpwatch.conf or
+ the preinst fails to create that file.
+ (Closes: #145259)
+ [patch 025_arpdat]
+ * Small improvements in arp2ethers so that it uses the default location
+ of the arp.dat file, also noticed this in the manpage.
+ [patch 026_arp2ethers2]
+
+ -- Javier Fernandez-Sanguino Pen~a <jfs@computer.org> Sat, 26 Jun 2004 18:34:49 +0200
+
arpwatch (2.1a11-6.1) unstable; urgency=low
* Non maintainer upload
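Review bot: the changelog credits the bihourly race fix to `[patch 023_arpfetch]` only, but the diff also adds a separate `debian/patches/022_bihourly`; list both patch names under that entry so the changelog matches what ships.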
diff -Nru arpwatch-2.1a11.old/debian/init.d arpwatch-2.1a11/debian/init.d
--- arpwatch-2.1a11.old/debian/init.d 2001-12-17 13:58:56.000000000 +0100
+++ arpwatch-2.1a11/debian/init.d 2004-06-26 20:34:22.000000000 +0200
@@ -4,17 +4,20 @@
# 2001/10/26 fuji@debian.org Support multiple instances.
# 2001/11/24 fuji@debian.org Use POSIX-style functions.
# 2001/12/17 fuji@debian.org Use --pidfile on startup, fix restart.
+# 2004/06/26 jfs@debian.org Run as a different username if possible
PATH=/sbin:/bin:/usr/sbin:/usr/bin
NAME=arpwatch
DAEMON=/usr/sbin/$NAME
DESC="Ethernet/FDDI station monitor daemon"
DATADIR=/var/lib/$NAME
+# Run as a non-root user (empty this value to run as root)
+MYUSER=arpwatch
+CONF=/etc/arpwatch.conf
-test -f $DAEMON || exit 0
+test -x $DAEMON || exit 0
# Decide if we have to deal with multiple interfaces.
-CONF=/etc/arpwatch.conf
MULTIPLE=0
if [ -r $CONF ]; then
grep -c '^[a-z]' $CONF 2>&1 >/dev/null
@@ -28,6 +31,17 @@
ARGS="-N -p"
fi
+# If we want to run as a separate user do so, unless the
+# user does not exist
+if [ -n "$MYUSER" ] ; then
+ if getent passwd | grep -q "^$MYUSER:"; then
+ MYUSER=""
+ fi
+fi
+if [ -n "$MYUSER" ] ; then
+ ARGS="-u $MYUSER $ARGS"
+fi
+
### You shouldn't touch anything below unless you know what you are doing.
start_instance () {
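Review bot: the existence test is inverted. `if getent passwd | grep -q "^$MYUSER:"; then MYUSER=""; fi` clears MYUSER when the user does exist, so on a normal install (where postinst has created the account) arpwatch is started as root, and on a system without the account the script passes `-u arpwatch` to a daemon that will then exit from dropprivileges(). The comment above says the opposite of what the code does; it should be `if ! getent passwd "$MYUSER" >/dev/null; then MYUSER=""; fi`. Silently falling back to root when the account is missing also deserves at least a warning on the console, since the point of #217488 is to stop running as root.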
@@ -38,6 +52,7 @@
if [ ! -f $DATAFILE ]; then
echo "N: Creating arpwatch data file $DATAFILE for ${IFACE}."
:> $DATAFILE
+ [ -n "$MYUSER" ] && chown $MYUSER $DATAFILE
fi
echo -n "Starting $DESC: "
start-stop-daemon --start --quiet \
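Review bot: `chown $MYUSER $DATAFILE` sets only the owner; the file is created by `:>` under root's umask and with root's group. The postinst gives the directory `o-rwX` and `$NUSERID:$NUSERGID` ownership, so `chown $MYUSER:$MYUSER $DATAFILE` (and a matching `chmod`) would keep per-interface files created by the init script consistent with what postinst sets up.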
@@ -78,9 +93,16 @@
}
start_default () {
+ DATAFILE=$DATADIR/arp.dat
+ if [ ! -f $DATAFILE ]; then
+ echo "N: Creating arpwatch data file $DATAFILE for default inte
+rface."
+ :> $DATAFILE
+ [ -n "$MYUSER" ] && chown $MYUSER $DATAFILE
+ fi
echo -n "Starting $DESC: "
start-stop-daemon --start --quiet \
- --exec $DAEMON -- $ARGS
+ --exec $DAEMON -- -f $DATAFILE $ARGS
echo "$NAME."
}
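Review bot: the `echo "N: Creating arpwatch data file $DATAFILE for default inte` / `rface."` line is split across two lines in the attached diff, most likely wrapped by the mailer at about 72 columns; as shown the hunk will not apply cleanly, and if forced it leaves an unterminated string and a stray `rface."` command. Please re-send the diff unwrapped (or as a gzipped attachment) or shorten the line. The rest of the hunk, passing `-f $DATAFILE` to the default instance so it no longer depends on the current directory, is what #145259 asks for.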
diff -Nru arpwatch-2.1a11.old/debian/local/arpwatch.conf arpwatch-2.1a11/debian/local/arpwatch.conf
--- arpwatch-2.1a11.old/debian/local/arpwatch.conf 2001-11-24 17:22:30.000000000 +0100
+++ arpwatch-2.1a11/debian/local/arpwatch.conf 2004-06-26 19:46:17.000000000 +0200
@@ -9,5 +9,7 @@
# You can set global options for all interfaces by editing
# /etc/init.d/arpwatch
-#eth0 -N -p -m root+eth0@example.com
-#eth1 -N -p -m root+eth1@example.com
+# Uncomment this lines to have these interfaces monitored
+# sending mails to the local root user
+#eth0 -N -p -m root
+#eth1 -N -p -m root
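Review bot: "Uncomment this lines" should read "Uncomment these lines". Since the examples now mail `root` only, it would help to say in the comment that `-m` accepts any address, which the old `root+ethX@example.com` samples made obvious.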
diff -Nru arpwatch-2.1a11.old/debian/local/ethercodes.dat arpwatch-2.1a11/debian/local/ethercodes.dat
--- arpwatch-2.1a11.old/debian/local/ethercodes.dat 2002-03-07 18:47:55.000000000 +0100
+++ arpwatch-2.1a11/debian/local/ethercodes.dat 2004-06-26 20:38:16.000000000 +0200
@@ -82,7 +82,7 @@
0:0:5b Eltec Elektronik AG [Eltec]
0:0:5c Telematics International Inc.
0:0:5d CS Telecom [RCE]
-0:0:5e USC Information Sciences Inst [U.S. Department of Defense (IANA)]
+0:0:5e USC Information Sciences Inst [U.S. Department of Defense (IANA)] [Note: used by VRRP]
0:0:5f Sumitomo Electric Ind., Ltd. [Sumitomo]
0:0:6 Xerox Corporation
0:0:60 Kontron Elektronik GmbH
@@ -4687,6 +4687,7 @@
0:aa:1 Intel Corporation
0:aa:2 Intel Corporation
0:aa:3c Olivetti Telecom SPA (Olteco)
+0:b:cd Compaq Computer Corporation (HP)
0:b0:17 Infogear Technology Corp.
0:b0:19 Casi-Rusco
0:b0:1c Westport Technologies
@@ -5511,6 +5512,7 @@
0:e0:fe Cisco Systems, Inc. [Cisco]
0:e0:ff Security Dynamics Technologies, Inc.
0:e6:d3 Nixdorf Computer Corp.
+1:0:5e Internet Multicast
10:0:0 Private
10:0:5a IBM Corporation [IBM]
10:0:90 Hewlett-Packard Advisor products
@@ -5710,3 +5712,5 @@
c0:0:0 Western Digital (may be reversed 00 00 C0?)
e2:c:f Kingston Technologies
ec:10:0 Enance Source Co., Ltd. PC clones(?)
+0:bd:11 VMWare Inc
+0:bd:fb VMWare Inc
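Review bot: the two VMWare entries are appended after `ec:10:0`, while the rest of the file is kept in ascending OUI order (compare the `1:0:5e` insertion, which was placed in sequence). If ethercodes.dat is only massaged into the dbm database the order is harmless, but keeping it sorted makes future merges from upstream and FreeBSD easier to diff.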
diff -Nru arpwatch-2.1a11.old/debian/patches/022_bihourly arpwatch-2.1a11/debian/patches/022_bihourly
--- arpwatch-2.1a11.old/debian/patches/022_bihourly 1970-01-01 01:00:00.000000000 +0100
+++ arpwatch-2.1a11/debian/patches/022_bihourly 2004-06-26 18:33:52.000000000 +0200
@@ -0,0 +1,11 @@
+--- arpwatch-2.1a11/bihourly.orig 2004-06-26 18:33:22.000000000 +0200
++++ arpwatch-2.1a11/bihourly 2004-06-26 18:33:24.000000000 +0200
+@@ -10,7 +10,7 @@
+ #
+ list=`cat list`
+ cname=`cat cname`
+-errs=/tmp/bihourly.$$
++errs=`mktemp -t bihourly.XXXXXX` || exit 1
+ #
+ alist=""
+ for r in $list; do \
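Review bot: replacing `/tmp/bihourly.$$` with `mktemp -t bihourly.XXXXXX` closes the predictable-name symlink race from #256381. What the hunk does not show is cleanup: unless the remainder of the script removes `$errs` on every exit path, add `trap 'rm -f "$errs"' 0` right after the assignment so an interrupted run does not leave the file behind in /tmp.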
diff -Nru arpwatch-2.1a11.old/debian/patches/023_arpfetch arpwatch-2.1a11/debian/patches/023_arpfetch
--- arpwatch-2.1a11.old/debian/patches/023_arpfetch 1970-01-01 01:00:00.000000000 +0100
+++ arpwatch-2.1a11/debian/patches/023_arpfetch 2004-06-26 18:36:29.000000000 +0200
@@ -0,0 +1,13 @@
+--- arpwatch-2.1a11/arpfetch.orig 2004-06-26 18:35:32.000000000 +0200
++++ arpwatch-2.1a11/arpfetch 2004-06-26 18:36:16.000000000 +0200
+@@ -10,8 +10,8 @@
+ #
+ host=$1
+ cname=$2
+-temp=/tmp/arpfetch.temp.$$
+-errs=/tmp/arpfetch.errs.$$
++temp=`mktemp -t arpfetch.temp.XXXXX` || exit 1
++errs=`mktemp -t arpfetch.errs.XXXXX` || exit 1
+ what="ip.ipnettomediatable.ipnettomediaentry.ipnettomediaphysaddress"
+ #
+ # Get the data
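Review bot: the templates here use five X's (`arpfetch.temp.XXXXX`) while 022_bihourly uses six; mkstemp(3) and some mktemp implementations expect at least six trailing X's, so use `XXXXXX` in both for portability and a larger random namespace. As with bihourly, `$temp` and `$errs` should be removed by a trap rather than only at the normal end of the script.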
diff -Nru arpwatch-2.1a11.old/debian/patches/024_username arpwatch-2.1a11/debian/patches/024_username
--- arpwatch-2.1a11.old/debian/patches/024_username 1970-01-01 01:00:00.000000000 +0100
+++ arpwatch-2.1a11/debian/patches/024_username 2004-06-26 20:11:00.000000000 +0200
@@ -0,0 +1,137 @@
+--- arpwatch-2.1a11/arpwatch.8.orig 2004-06-26 20:02:46.000000000 +0200
++++ arpwatch-2.1a11/arpwatch.8 2004-06-26 20:02:52.000000000 +0200
+@@ -44,6 +44,10 @@
+ .B -r
+ .I file
+ ]
++] [
++.B -u
++.I username
++]
+ .ad
+ .SH DESCRIPTION
+ .B Arpwatch
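Review bot: the synopsis gains a stray closing bracket. The context line `]` already closes `[ -r file ]`, and the added `] [` emits a second `]` before `-u username`, so the rendered synopsis reads `[ -r file ] ] [ -u username ]`. The added line should be just `[`.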
+@@ -94,10 +98,26 @@
+ .B arpwatch
+ does not fork.
+ .LP
++If the
++.B -u
++flag is used,
++.B arpwatch
++drops root privileges and changes user ID to
++.I username
++and group ID to that of the primary group of
++.IR username .
++This is recommended for security reasons.
++.LP
+ Note that an empty
+ .I arp.dat
+ file must be created before the first time you run
+ .BR arpwatch .
++Also, the default directory (where arp.dat is stored) must be owned
++by
++.I username
++if
++.BR -u
++flag is used.
+ .LP
+ .SH "REPORT MESSAGES"
+ Here's a quick list of the report messages generated by
+--- arpwatch-2.1a11/arpwatch.c.orig 2004-06-26 20:10:30.000000000 +0200
++++ arpwatch-2.1a11/arpwatch.c 2004-06-26 20:10:44.000000000 +0200
+@@ -62,7 +62,8 @@
+ #include <string.h>
+ #include <syslog.h>
+ #include <unistd.h>
+-
++#include <pwd.h>
++#include <grp.h>
+ #include <pcap.h>
+
+ #include "gnuc.h"
+@@ -142,6 +143,24 @@
+ int sanity_fddi(struct fddi_header *, struct ether_arp *, int);
+ __dead void usage(void) __attribute__((volatile));
+
++void dropprivileges(const char* user)
++{
++ struct passwd* pw;
++ pw = getpwnam( user );
++ if ( pw ) {
++ if ( initgroups(pw->pw_name, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
++ setuid(pw->pw_uid) != 0 ) {
++ syslog(LOG_ERR, "Couldn't change to '%.32s' uid=%d gid=%d", user,pw->pw_uid, pw->pw_gid);
++ exit(1);
++ }
++ }
++ else {
++ syslog(LOG_ERR, "Couldn't find user '%.32s' in /etc/passwd", user);
++ exit(1);
++ }
++ syslog(LOG_DEBUG, "Running as uid=%d gid=%d", getuid(), getgid());
++}
++
+ int
+ main(int argc, char **argv)
+ {
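Review bot: dropprivileges() gets the order right (initgroups, then setgid, then setuid) and checks each return value, which is the important part. Two additions: after the calls, verify the drop is irreversible, e.g. `if (setuid(0) == 0) { syslog(LOG_ERR, "privileges not dropped"); exit(1); }` or at least check `getuid() == pw->pw_uid`, because a partial drop is otherwise only visible in the LOG_DEBUG line; and `pw_uid`/`pw_gid` are uid_t/gid_t, so cast them to `(int)` (or use `%lu` with an `unsigned long` cast) to keep the `%d` syslog formats honest. Since arpwatch can run in the foreground with `-d`, mirroring the failure messages to stderr as well as syslog would make a misconfigured `-u` easier to diagnose.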
+@@ -154,6 +173,7 @@
+ register char *interface, *rfilename;
+ struct bpf_program code;
+ char errbuf[PCAP_ERRBUF_SIZE];
++ char* serveruser = NULL;
+ char options[] =
+ "a"
+ "d"
+@@ -165,6 +185,7 @@
+ "p"
+ "r:"
+ "s:"
++ "u:"
+ ;
+
+ if (argv[0] == NULL)
+@@ -230,7 +251,15 @@
+ case 's':
+ path_sendmail = optarg;
+ break;
+-
++ case 'u':
++ if ( optarg ) {
++ serveruser = strdup(optarg);
++ }
++ else {
++ fprintf(stderr, "%s: Need username after -u\n", prog);
++ usage();
++ }
++ break;
+ default:
+ usage();
+ }
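Review bot: the `else` branch is unreachable: with `"u:"` in the option string, getopt() only returns 'u' when an argument is present (when it is missing it returns '?', which the existing `default:` case already routes to usage()), so `if ( optarg )` can be dropped and the body reduced to `serveruser = optarg;`; the strdup() is unnecessary since argv outlives the option parsing.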
+@@ -308,12 +337,16 @@
+ #endif
+ }
+
++ if ( serveruser ) {
++ dropprivileges( serveruser );
++ } else {
+ /*
+ * Revert to non-privileged user after opening sockets
+ * (not needed on most systems).
+ */
+- setgid(getgid());
+- setuid(getuid());
++ setgid(getgid());
++ setuid(getuid());
++ }
+
+ /* Must be ethernet or fddi */
+ linktype = pcap_datalink(pd);
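Review bot: the `else` branch keeps the unchecked `setgid(getgid()); setuid(getuid());` pair; since these lines are being re-indented anyway, check their return values the same way dropprivileges() does so a failure is not silently ignored. A short comment noting that the `-u` drop deliberately happens here, after the capture device has been opened (the existing comment says "after opening sockets") and before arp.dat and sendmail are touched, would document the ordering this patch relies on.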
+@@ -787,6 +820,7 @@
+ "[-n net[/width]] "
+ "[-r file]\n\t"
+ "[-s sendmail_path] "
++ "[-u username] "
+ "\n"
+ ;
+
diff -Nru arpwatch-2.1a11.old/debian/patches/025_arpdat arpwatch-2.1a11/debian/patches/025_arpdat
--- arpwatch-2.1a11.old/debian/patches/025_arpdat 1970-01-01 01:00:00.000000000 +0100
+++ arpwatch-2.1a11/debian/patches/025_arpdat 2004-06-26 19:53:18.000000000 +0200
@@ -0,0 +1,15 @@
+--- arpwatch-2.1a11/arpwatch.8.orig 2004-06-26 19:09:50.000000000 +0200
++++ arpwatch-2.1a11/arpwatch.8 2004-06-26 19:52:47.000000000 +0200
+@@ -64,7 +64,11 @@
+ .B -f
+ flag is used to set the ethernet/ip address database filename.
+ The default is
+-.IR arp.dat .
++.IR arp.dat
++in the current working directory.
++(Debian specific) The default location for this file for the daemon,
++if not specified will be
++.IR /var/lib/arpwatch/arp.dat .
+ .LP
+ The
+ .B -i
diff -Nru arpwatch-2.1a11.old/debian/patches/026_arp2ethers2 arpwatch-2.1a11/debian/patches/026_arp2ethers2
--- arpwatch-2.1a11.old/debian/patches/026_arp2ethers2 1970-01-01 01:00:00.000000000 +0100
+++ arpwatch-2.1a11/debian/patches/026_arp2ethers2 2004-06-26 20:44:54.000000000 +0200
@@ -0,0 +1,55 @@
+--- arpwatch-2.1a11/arp2ethers.orig 2004-06-26 20:39:42.000000000 +0200
++++ arpwatch-2.1a11/arp2ethers 2004-06-26 20:41:45.000000000 +0200
+@@ -17,8 +17,18 @@
+ #
+ # 2000-03-21 Erik Warmelink <erik@selwerd.nl>
+ # Use next instead of continue in included p.awk.
++#
++# 2004-06-26 Javier Fernandez-Sanguino <jfs@debian.org>
++# Use a default file or the one provided in the command line
++
++FILE=/var/lib/arpwatch/arp.dat
++[ -n "$1" ] && FILE=$1
++[ -r "$FILE" ] && {
++ echo "Cannot read file $FILE"
++ exit 1
++}
+
+-sort +2rn arp.dat | \
++sort +2rn $FILE | \
+ awk 'NF == 4 { print }' | \
+ # 1999-04-12 KELEMEN Peter <fuji@debian.org>
+ # awk -f p.awk | \
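Review bot: the readability test is inverted: `[ -r "$FILE" ] && { echo "Cannot read file $FILE"; exit 1; }` prints the error and exits whenever the file is readable, and continues into `sort` when it is not. It must be `[ -r "$FILE" ] || { ... }`. Also quote the new argument in `sort +2rn "$FILE"` now that it can come from the command line.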
+--- arpwatch-2.1a11/arp2ethers.8.orig 2004-06-26 20:39:48.000000000 +0200
++++ arpwatch-2.1a11/arp2ethers.8 2004-06-26 20:43:39.000000000 +0200
+@@ -4,12 +4,16 @@
+ .SH SYNOPSIS
+ .na
+ .B arp2ethers
++[
++.B arp.dat file
++]
+ .ad
+ .SH "DESCRIPTION"
+ .B arp2ethers
+-converts a file named
+-.IR arp.dat
+-in the current working directory into
++converts the file
++.IR /var/lib/arpwatch/arp.dat
++(or the file specified in the command line)
++into
+ .BR ethers(5)
+ format on
+ .IR stdout .
+@@ -17,6 +21,10 @@
+ .IR arp.dat
+ is an ethernet/ip database file generated by
+ .BR arpwatch(8) .
++The Debian daemon will create different
++.IR arp.dat
++depending on its configuration. All of them will be available at
++.IR /var/lib/arpwatch/ .
+ .SH FILES
+ .na
+ .nh