The patch.

Carter Bullard carter at qosient.com
Tue Mar 19 19:23:05 EST 2002


Hey Russell,
The issue is should a program be able to specify any
pid filename as its pid file, thus the opportunity for
abuse, or should a pid file always be "program_name.pid"
but you can specify its directory.

No apparent possibility for buffer overflow in argus,
and I am not inclined to have argus call any
dynamic programs other than hostname().

What user would make sense for argus to become, "nobody"?

No LIDS experience on my end.  It may be an interesting
addition to what they are trying to do.

Hope all is well, how is your presentation going?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com


> -----Original Message-----
> From: Russell Fulton [mailto:R.FULTON at auckland.ac.nz] 
> Sent: Tuesday, March 19, 2002 4:17 PM
> To: carter at qosient.com
> Cc: 'Yotam Rubin'; 'Argus'
> Subject: RE: The patch.
> 
> 
> Hmmm... I must be missing something here.  Surely the issue of abuse of
> pid files is only a problem if argus is suid root.  Yes, people must be
> aware that argus config files must be protected, but that goes for any
> other daemon that runs as root.  In one sense this isn't too much of a
> problem with argus since I suspect that the vast majority of argus
> daemons run on more or less dedicated systems (not that that is an
> excuse not to do things right).
> 
> On a vaguely related note, does argus need to retain root privileges
> once it has the interface open in promiscuous mode (and has written pid
> in /var/run ;-).  I would actually prefer to have the files written by
> -w owned by something other than root and, in the unlikely event that
> there is a bug that would enable a carefully crafted packet to cause a
> buffer overflow *and* the buffer overflow lead to the ability to execute
> code, then it would be nice to make the kiddies work to get root.
> 
> We are starting to look seriously at LIDS and I notice that it
> implements some forms of capabilities (including the ability to put an
> interface into promiscuous mode ?) -- has anyone had a go at setting up
> argus under LIDS?
> 
> -- 
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
> 
> 
> 



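The two practices the thread circles around, a pid file whose name is fixed to the program name with only the directory configurable, and giving up root once the interface is open and the pid file is written, as an added C example. This is not argus code and not part of the thread; the directory /var/run, the program name "argus" and the account "nobody" (the one Carter floats) are placeholders, and the capture-interface open is left as a comment so the block builds without libpcap.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/*
 * Build "<dir>/<progname>.pid".  Only the directory comes from
 * configuration; the file name is always the program name, so a tampered
 * config file cannot aim the daemon's pid write at an arbitrary path.
 * Returns 0 on success, -1 if dir is not absolute, progname contains '/',
 * or the result does not fit in out.
 */
int build_pid_path(const char *dir, const char *progname, char *out, size_t outlen)
{
    if (dir == NULL || dir[0] != '/' || progname == NULL ||
        strchr(progname, '/') != NULL)
        return -1;
    int n = snprintf(out, outlen, "%s/%s.pid", dir, progname);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/*
 * Create the pid file.  O_EXCL refuses any existing path (a pre-planted
 * symlink counts as existing) and O_NOFOLLOW refuses to follow a symlink
 * in the final component.  Returns the open fd so the caller can keep it,
 * or -1 with errno set.
 */
int write_pid_file(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    if (n < 0 || write(fd, buf, (size_t)n) != n) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/*
 * Give up root for good after the privileged setup is done.  Order matters:
 * supplementary groups, then gid, then uid, because once setuid() has run
 * the other two calls can no longer succeed.  Finish by checking that root
 * cannot be regained.  Returns 0 on success, -1 on failure.
 */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)
        return -1;                      /* unknown account, or still root */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    if (setuid(0) == 0)                 /* must fail now */
        return -1;
    return 0;
}

int main(void)
{
    char path[4096];

    /* Privileged phase: open the capture interface here (omitted; argus uses
       libpcap for this), then record the pid under /var/run (placeholder). */
    if (build_pid_path("/var/run", "argus", path, sizeof path) != 0) {
        fprintf(stderr, "bad pid directory\n");
        return 1;
    }
    int fd = write_pid_file(path, getpid());
    if (fd < 0) {
        perror(path);
        return 1;
    }

    /* Unprivileged phase: "nobody" is a placeholder account; any dedicated
       unprivileged account works.  Files written afterwards (argus -w) are
       owned by that account, not root. */
    if (drop_privileges("nobody") != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %ld, pid file %s\n", (long)getuid(), path);
    /* ... capture loop would run here ... */
    close(fd);
    return 0;
}
```

Two consequences of these choices are worth knowing: O_EXCL means a stale pid file left by a crash stops the daemon from starting until it is removed, which is the price of refusing to overwrite anything, and the pid file is written before the drop because /var/run is normally writable only by root.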