The initialisation script for honeyd (/etc/init.d/honeyd) specifies the
uid and gid of the honeyd user to use when running the daemon. Examining
the /var/log/syslog file shows that the process is demoted to run as the
nobody user which subsequently causes the logfile at
/var/log/honeypot/honeyd.log to become inaccessible:

    Jun 4 20:55:21 phobos honeyd[2418]: Demoting process privileges to uid 65534, guid 65534
    Jun 4 20:55:21 probos honeyd[2418]: honeyd_logstart: fopen("/var/log/honeypot/honeyd.log"): Permission denied

A quick fix is to make /var/log/honeypot world-accessible using the
chmod command; however, this seems to violate the security of the honeyd
installation. The logfile and honeypot/ directory should be accessible
by the honeyd user, and the daemon should run as the honeyd user rather
than being demoted to nobody.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Versions of packages honeyd depends on:
ii adduser 3.102 Add and remove users and groups
ii libc6 2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii libdnsres0 0.1a-4 Non-blocking and thread-safe DNS r
ii libdumbnet1 1.8-1.4 A dumb, portable networking librar
ii libevent1 1.1a-1 An asynchronous event notification
ii libncurses5 5.5-5 Shared libraries for terminal hand
ii libpcap0.8 0.9.5-1 System interface for user-level pa
ii libpcre3 6.7+7.4-3 Perl 5 Compatible Regular Expressi
ii libreadline5 5.2-2 GNU readline and history libraries
ii zlib1g 1:1.2.3-13 compression library - runtime
Versions of packages honeyd recommends:
ii farpd 0.2-8 Fake ARP user space daemon
ii honeyd-common 1.5b-1 Honeyd's honeypot documentation an
ii rrdtool 1.2.15-0.3 Time-series data storage and displ
-- no debconf information
The problem here is that even though upstream introduced the '-u' and '-g'
flags, these get overwritten by the call to honeyd_init(), which rewrites
honeyd_uid and honeyd_gid *after* the flags have been interpreted:

    honeyd_init(void)
    {
    (...)
            /* Find the correct ids for nobody */
            if ((pwd = getpwnam("nobody")) != NULL) {
                    honeyd_uid = pwd->pw_uid;
                    honeyd_gid = pwd->pw_gid;
            }
    (...)

I'm going to introduce a workaround in that function so that it only
overwrites those values if the uid/gid correspond to the ones set in the
header definition:
uid_t honeyd_uid = 32767;
gid_t honeyd_gid = 32767;
Expect a new package in unstable soon fixing this issue.
Regards
Javier
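
The override described in this thread, and a guarded lookup of the kind the reply proposes, as an added sketch that is not the honeyd source or the Debian patch. The function names, the per-id guard and the id 1234 are assumptions made for illustration; only the default 32767 and the getpwnam("nobody") lookup come from the messages above.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

#define DEFAULT_ID 32767           /* header default quoted in the message */

static uid_t honeyd_uid = DEFAULT_ID;
static gid_t honeyd_gid = DEFAULT_ID;

/* Behaviour described in the report: the lookup always wins. */
static void init_ids_unguarded(void)
{
    struct passwd *pwd = getpwnam("nobody");
    if (pwd != NULL) {
        honeyd_uid = pwd->pw_uid;
        honeyd_gid = pwd->pw_gid;
    }
}

/* Guarded form: an id is replaced only while it still holds the default. */
static void init_ids_guarded(void)
{
    struct passwd *pwd = getpwnam("nobody");
    if (pwd == NULL)
        return;
    if (honeyd_uid == DEFAULT_ID)
        honeyd_uid = pwd->pw_uid;
    if (honeyd_gid == DEFAULT_ID)
        honeyd_gid = pwd->pw_gid;
}

/* Hypothetical driver: apply -u/-g style values, run one init variant,
 * and return the uid the daemon would drop to. */
static uid_t effective_uid(uid_t flag_uid, gid_t flag_gid, int guarded)
{
    honeyd_uid = flag_uid;
    honeyd_gid = flag_gid;
    if (guarded)
        init_ids_guarded();
    else
        init_ids_unguarded();
    return honeyd_uid;
}

int main(void)
{
    /* 1234 is a constructed id standing in for the honeyd account. */
    printf("unguarded: %ld\n", (long)effective_uid(1234, 1234, 0));
    printf("guarded:   %ld\n", (long)effective_uid(1234, 1234, 1));
    return 0;
}
```

A guard that compares against the default cannot tell an untouched value from an operator who explicitly passes 32767, so in this sketch that one id still falls back to nobody.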