On Wed, Mar 06, 2002 at 06:53:31PM +0100, Rogier Wolff wrote:

> The mtr distribution doesn't install mtr setuid. Now, I must confess that
> I do it myself too. But I know the risks I'm taking (none: All people who
> have access to the setuid binary also have the root password).

Of course, this doesn't entirely eliminate the risk of installing mtr setuid. It is not an uncommon situation for an attacker to gain access to the account of one of these trusted users without gaining immediate access to their knowledge (the root password).

Have you considered moving the raw socket functionality to a small, auditable, setuid helper program? mtr itself could communicate with the helper via a simple protocol over a pipe, and that would avoid the problem of security bugs in the UI libraries. If the helper only allows the minimum functionality necessary for mtr to work (send/receive ICMP ECHO_REQUEST/ECHO_RESPONSE with a local source address?), you could successfully restrict the damage that could be done if the communication channel were compromised.

-- 
 - mdz
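
The helper design suggested in the message above, sketched as an added example that is not part of the original post and is not mtr's code. The `probe_req` message, `build_echo` and the use of stdin as the pipe are assumptions made for illustration, and only the send path is shown.

```c
/* Added example: minimal setuid helper for an unprivileged probe UI. */
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical fixed-size request the UI process writes to the pipe. */
struct probe_req { uint32_t dst_be; uint8_t ttl; uint16_t id, seq; };

static uint16_t inet_cksum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (n & 1) sum += (uint32_t)p[n - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build the only packet the helper will ever send: an 8-byte ICMP echo
 * request. Returns its length, or -1 if the request is rejected. */
int build_echo(const struct probe_req *r, uint8_t out[8]) {
    if (r->ttl == 0) return -1;           /* TTL 1..255 only */
    if (r->dst_be == 0) return -1;        /* refuse 0.0.0.0 */
    uint8_t pkt[8] = { 8, 0, 0, 0,        /* type=ECHO, code=0, cksum=0 */
        r->id >> 8, r->id & 0xff, r->seq >> 8, r->seq & 0xff };
    uint16_t c = inet_cksum(pkt, sizeof pkt);
    pkt[2] = c >> 8; pkt[3] = c & 0xff;
    memcpy(out, pkt, sizeof pkt);
    return (int)sizeof pkt;
}

int main(void) {
    /* Acquire the privileged resource first, then drop root for good. */
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0 || s < 0) return 1;
    struct probe_req r; uint8_t pkt[8];
    /* No IP_HDRINCL: the kernel writes the IP header, so the caller
     * cannot choose a source address. */
    while (read(STDIN_FILENO, &r, sizeof r) == (ssize_t)sizeof r) {
        if (build_echo(&r, pkt) < 0) continue;   /* drop bad requests */
        int ttl = r.ttl;
        struct sockaddr_in to = { .sin_family = AF_INET };
        to.sin_addr.s_addr = r.dst_be;
        setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof ttl);
        sendto(s, pkt, sizeof pkt, 0, (struct sockaddr *)&to, sizeof to);
    }
    return 0;
}
```

The caller controls only destination, TTL, id and sequence number; the packet type, code and payload are fixed by the helper, which is what keeps a compromised UI process from using the raw socket for anything else.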