argus-2.0.5.beta.6.tar.gz available

Yotam Rubin yotam at makif.omer.k12.il
Wed Mar 20 08:35:02 EST 2002


On Tue, Mar 19, 2002 at 09:44:29PM -0500, Carter Bullard wrote:
> Hey Yotam,
> None-the-less, I think it is a good discussion.
> 
> I've uploaded ftp://qosient.com/dev/argus-2.0/argus-2.0.5.beta.6.tar.gz
> which implements your pid file suggestions, to allow argus
> to specify a specific pid file.  In support of this feature,
> we now have new argus.conf variables, ARGUS_PID_FILENAME and
> ARGUS_MAX_INSTANCES, and we've now got "-I <number>",
> "-c" and "-n pidfile" options to play with.  The
> support/Config/argus.conf and the various man pages
> have been updated, so I hope your suggestion has been
> fully implemented.
>  
> They all seem to work, as much as I have had time to
> test.

Thanks. There are still a few issues.

 o The updated manual page appears to incorrectly document the behavior of 
   the -n flag.
 o Some files in the tarball are chmoded 775.
 o Perhaps it should be documented that argus chdir's to / upon
   initialization. Users specifying relative pid file paths and the like
   might be confused by the results.

	Regards, Yotam Rubin
  

> 
> Please do give this new version of argus a spin.  There
> are some fixes for Cisco V5 netflow record parsing, and
> a few rare seg faulting conditions fixed, so please do
> test.
> 
> Thanks for all the support,
> 
> Carter
> 
> Carter Bullard
> QoSient, LLC
> 300 E. 56th Street, Suite 18K
> New York, New York  10022
> 
> carter at qosient.com
> Phone +1 212 588-9133
> Fax   +1 212 588-9134
> http://qosient.com
> 
> 
> > -----Original Message-----
> > From: owner-argus-info at lists.andrew.cmu.edu
> > [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Yotam Rubin
> > Sent: Tuesday, March 19, 2002 8:52 PM
> > To: 'Argus'
> > Subject: Re: pid file issues
> > 
> > 
> > On Tue, Mar 19, 2002 at 12:48:52PM -0500, Carter Bullard wrote:
> > [...]
> > > 
> > >    If we allow argus to specify the pid file directory,
> > > we can prevent bad pid filename choices, if we support
> > > pid filenames, then we can't prevent anything, which is
> > > ok at one level, and somewhat irresponsible on the other?
> > 
> > The situation still remains, if a malicious user has sufficient access[1]
> > to create an arbitrary PID file, why would he need argus to create the pid
> > file for him? I mean, why can't he simply "echo somepid > /var/run/identd.run"?
> > argus should run under the assumption that it trusts its users. This sort
> > of attack can only be carried out by a user with relevant access.
> > I will not reiterate my claims further, because I believe I've made myself
> > pretty clear.
> > 
> > 	Regards, Yotam Rubin
> > 
> > 
> > [1] Of course, argus can be setuid root, but then the admin has an entirely
> >     different set of problems.
> > 
> > > 
> > >    Suggestions?
> > > 
> > > 
> > > Carter
> > > 
> > > Carter Bullard
> > > QoSient, LLC
> > > 300 E. 56th Street, Suite 18K
> > > New York, New York  10022
> > > 
> > > carter at qosient.com
> > > Phone +1 212 588-9133
> > > Fax   +1 212 588-9134
> > > http://qosient.com
> > > 
> > 
> > 
> 
> 
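
Added example, not part of the original message and not argus source: a sketch of the chdir-to-/ point raised above, where a daemon resolves a relative pid file path against its starting directory before changing to /. The function names and the scratch directory under /tmp are hypothetical, and the O_EXCL/O_NOFOLLOW creation flags are an assumption of this example rather than something the thread says argus does.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkdtemp(), O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: make `path` absolute against the current directory.
 * Must be called BEFORE the daemon does chdir("/"). */
int pidfile_absolute(const char *path, char *out, size_t outlen)
{
    char cwd[PATH_MAX] = "";
    if (path[0] != '/' && getcwd(cwd, sizeof(cwd)) == NULL)
        return -1;
    int n = snprintf(out, outlen, "%s%s%s", cwd, path[0] == '/' ? "" : "/", path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* O_EXCL refuses an existing file; O_NOFOLLOW refuses a symlink as last component. */
int pidfile_write(const char *abspath, long pid)
{
    char buf[32];
    int fd = open(abspath, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    int len = snprintf(buf, sizeof(buf), "%ld\n", pid);
    int ok = write(fd, buf, (size_t)len) == (ssize_t)len;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Constructed scenario: start in a scratch directory, request "argus.pid",
 * chdir("/") as a daemon does, then write. Returns 0 when the file lands in
 * the scratch directory and a second exclusive create is refused. */
int demo_relative_pidfile(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX", path[PATH_MAX], want[PATH_MAX];
    if (mkdtemp(dir) == NULL || chdir(dir) != 0 ||
        pidfile_absolute("argus.pid", path, sizeof(path)) != 0 || chdir("/") != 0)
        return -1;
    int first = pidfile_write(path, (long)getpid());
    int second = pidfile_write(path, (long)getpid());
    snprintf(want, sizeof(want), "%s/argus.pid", dir);
    int ok = first == 0 && second == -1 && access(want, F_OK) == 0;
    unlink(want);
    rmdir(dir);
    return ok ? 0 : -1;
}
```

Without the resolution step, the same relative name opened after chdir("/") would refer to /argus.pid, which is the confusion the message describes.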


