* [gentoo-commits] gentoo-x86 commit in net-analyzer/ippl/files: ippl-1.4.14-privilege-drop.patch ippl-1.4.14-noportresolve.patch ippl-1.4.14-manpage.patch
@ 2008-06-05 13:12 Peter Volkov (pva)
From: Peter Volkov (pva) @ 2008-06-05 13:12 UTC (permalink / raw
To: gentoo-commits
pva 08/06/05 13:12:15
Added: ippl-1.4.14-privilege-drop.patch
ippl-1.4.14-noportresolve.patch
ippl-1.4.14-manpage.patch
Log:
Added Debian patches; should fix the kernel 2.6.24 compatibility problem, bug #213284. Thanks to svrmarty for the report.
(Portage version: 2.1.4.4)
Revision Changes Path
1.1 net-analyzer/ippl/files/ippl-1.4.14-privilege-drop.patch
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-analyzer/ippl/files/ippl-1.4.14-privilege-drop.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-analyzer/ippl/files/ippl-1.4.14-privilege-drop.patch?rev=1.1&content-type=text/plain
Index: ippl-1.4.14-privilege-drop.patch
===================================================================
privilege-drop by Marc Haber <mh+debian-packages@zugschlus.de>
--- trunk~/Source/icmp.c 2001-09-28 20:47:58.000000000 +0200
+++ trunk/Source/icmp.c 2007-05-20 12:05:24.000000000 +0200
@@ -39,6 +39,8 @@
#include "log.h"
#include "filter.h"
#include "configuration.h"
+#include <string.h>
+#include <errno.h>
/* Socket */
int icmp_socket;
@@ -296,14 +298,16 @@
icmp_socket = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
if (icmp_socket <= 0) {
- log.log(log.level_or_fd, "FATAL: Unable to open icmp raw socket");
+ int error = errno;
+ log.log(log.level_or_fd, "FATAL: Unable to open icmp raw socket\nERROR No: %d\nERROR : %s", error, strerror(error));
exit(1);
}
- setgid(((struct passwd *)nobody)->pw_gid);
+ /* Don't do this here - race conditions will arise */
+ /* setgid(((struct passwd *)nobody)->pw_gid);
initgroups(((struct passwd *)nobody)->pw_name,
((struct passwd *)nobody)->pw_gid);
- setuid(((struct passwd *)nobody)->pw_uid);
+ setuid(((struct passwd *)nobody)->pw_uid); */
for(;;) {
if (read(icmp_socket, (__u8 *) &pkt, ICMP_CAPTURE_LENGTH) == -1) {
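Review bot: The setgid/initgroups/setuid calls are kept as a block comment instead of being deleted, here and in the matching hunks in tcp.c (L98-L114) and udp.c (L125-L141); commented-out code that still reads like a live privilege drop is easy to misread during a later audit, so remove the four lines and leave a one-line pointer such as `/* Privileges are dropped once, in main(), after all capture threads have opened their sockets. */`. The new fatal message calls `strerror()`, which POSIX does not require to be thread-safe; that is harmless only because `exit(1)` follows immediately, so prefer `strerror_r` if the message is ever reused on a non-fatal path. The enclosing function begins before and continues after this hunk.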
--- trunk~/Source/main.c 2000-04-21 21:37:49.000000000 +0200
+++ trunk/Source/main.c 2007-05-20 12:05:24.000000000 +0200
@@ -153,6 +153,17 @@
run_thread(&udp_t, log_udp, (void *)account);
}
+ /* Sleep 1 sec to allow the other threads to catchup */
+ /* Not the best way to solve the issue but it works */
+ sleep(1);
+
+ /* Drop privileges */
+
+ setgid(((struct passwd *)account)->pw_gid);
+ initgroups(((struct passwd *)account)->pw_name,
+ ((struct passwd *)account)->pw_gid);
+ setuid(((struct passwd *)account)->pw_uid);
+
}
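Review bot: The added `setgid`, `initgroups` and `setuid` calls discard their return values, so if any of them fails (for example `setuid` hitting a process limit, or `account` describing an unusable user) the daemon keeps running as root with raw sockets open and nothing in the log says so; CERT POS36-C/POS37-C require each call to be checked and the process to abort on failure. The `sleep(1)` is an ordering hack rather than a synchronisation: it assumes every capture thread has called `socket()` within one second, and on a loaded host a thread that has not yet reached that call will presumably fail with EPERM once the credentials change, which is the race the commented-out blocks in icmp.c/tcp.c/udp.c allude to; a counter or condition variable the threads signal after `socket()` succeeds would make the hand-over deterministic. main() starts and ends outside this hunk, and the rewrite below assumes main.c includes `<errno.h>` and `<string.h>` as the other patched files now do.
```c
	/* Drop privileges: every step is checked, because continuing as root
	 * after a failed drop is worse than not starting at all. */
	{
		struct passwd *pw = (struct passwd *)account;
		if (setgid(pw->pw_gid) != 0 ||
		    initgroups(pw->pw_name, pw->pw_gid) != 0 ||
		    setuid(pw->pw_uid) != 0) {
			int error = errno;
			log.log(log.level_or_fd, "FATAL: Unable to drop privileges to %s: %s", pw->pw_name, strerror(error));
			exit(1);
		}
	}
```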
@@ -160,8 +171,10 @@
* reload_configuration
*
* Stops the threads and reloads the configuration
+ *
+ * -- DEPRECATED (due to privilege drop cannot reload - needs a restart!)
*/
-void reload_configuration() {
+void reload_configuration_DEPRECATED() {
extern pthread_mutex_t log_mutex, service_mutex, dns_mutex, r_mux, w_mux;
extern pthread_cond_t w_cond;
extern int readers;
@@ -353,8 +366,10 @@
* Function executed when we receive a SIHUP signal
*/
void sighup(int sig) {
- reload_configuration();
- log.log(log.level_or_fd, "IP Protocols Logger: reloaded configuration.");
+ // DEPRECATED - reload_configuration();
+ // log.log(log.level_or_fd, "IP Protocols Logger: reloaded configuration.");
+ log.log(log.level_or_fd, "IP Protocols Logger: reload configuration is unsupported.");
+ die(sig);
signal(SIGHUP, sighup);
}
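Review bot: `signal(SIGHUP, sighup)` on the last line is presumably unreachable now, because `die(sig)` is called first and, judging by its name, does not return; either delete the re-arm or make the non-return explicit with a comment. Calling `log.log` and `die` from a signal handler was a pre-existing async-signal-safety problem, but this change adds a second non-reentrant call to the same handler; the usual shape is a `volatile sig_atomic_t` flag set here and acted on by the main loop. Turning SIGHUP into a shutdown is also a behaviour change for anyone who sends HUP after rotating logs, and neither this hunk nor the man-page patch in this commit documents it, so the renamed `reload_configuration_DEPRECATED` at L72 deserves a comment saying why the dead function is kept, e.g. `/* Kept for reference only: cannot run after the privilege drop in main(); SIGHUP now terminates the daemon. */`.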
--- trunk~/Source/tcp.c 2001-09-29 15:27:01.000000000 +0200
+++ trunk/Source/tcp.c 2007-05-20 12:05:24.000000000 +0200
@@ -44,6 +44,8 @@
#include "filter.h"
#include "configuration.h"
#include "ident.h"
+#include <errno.h>
+#include <string.h>
/* Socket */
int tcp_socket;
@@ -258,14 +260,16 @@
tcp_socket = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
if (tcp_socket <= 0) {
- log.log(log.level_or_fd, "FATAL: Unable to open tcp raw socket");
+ int error = errno;
+ log.log(log.level_or_fd, "FATAL: Unable to open tcp raw socket\nERROR No: %d\nERROR : %s", error, strerror(error));
exit(1);
}
- setgid(((struct passwd *)nobody)->pw_gid);
+ /* Don't do this here - race conditions will arise */
+ /* setgid(((struct passwd *)nobody)->pw_gid);
initgroups(((struct passwd *)nobody)->pw_name,
((struct passwd *)nobody)->pw_gid);
- setuid(((struct passwd *)nobody)->pw_uid);
+ setuid(((struct passwd *)nobody)->pw_uid); */
for(;;) {
if (read(tcp_socket, (__u8 *) &pkt, TCP_CAPTURE_LENGTH) == -1) {
--- trunk~/Source/udp.c 2001-09-28 20:47:35.000000000 +0200
+++ trunk/Source/udp.c 2007-05-20 12:05:24.000000000 +0200
@@ -39,6 +39,8 @@
#include "filter.h"
#include "configuration.h"
#include "ident.h"
+#include <errno.h>
+#include <string.h>
/* Socket */
int udp_socket;
@@ -138,14 +140,16 @@
udp_socket = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
if (udp_socket <= 0) {
- log.log(log.level_or_fd, "FATAL: Unable to open udp raw socket");
+ int error = errno;
+ log.log(log.level_or_fd, "FATAL: Unable to open udp raw socket\nERROR No: %d\nERROR : %s", error, strerror(error));
exit(1);
}
- setgid(((struct passwd *)nobody)->pw_gid);
+ /* Don't do this here - race conditions will arise */
+ /* setgid(((struct passwd *)nobody)->pw_gid);
initgroups(((struct passwd *)nobody)->pw_name,
((struct passwd *)nobody)->pw_gid);
- setuid(((struct passwd *)nobody)->pw_uid);
+ setuid(((struct passwd *)nobody)->pw_uid); */
for(;;) {
if (read(udp_socket, (__u8 *) &pkt, UDP_CAPTURE_LENGTH) == -1) {
1.1 net-analyzer/ippl/files/ippl-1.4.14-noportresolve.patch
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-analyzer/ippl/files/ippl-1.4.14-noportresolve.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-analyzer/ippl/files/ippl-1.4.14-noportresolve.patch?rev=1.1&content-type=text/plain
Index: ippl-1.4.14-noportresolve.patch
===================================================================
patch by Marc Haber <mh+debian-packages@zugschlus.de>
--- Docs/ippl.conf.man 2008-06-05 12:39:24 +0000
+++ Docs/ippl.conf.man 2008-06-05 12:46:02 +0000
@@ -92,6 +92,13 @@
.PP
By default, IP address resolution is disabled for all the protocols.
+Ippl by default resolves tcp/udp port numbers to their respective
+service names. If you pass a protocol to the noportresolve option,
+ippl logs the port number instead. This is a Debian specific extension.
+
+By default service resolving is enabled, since this is the behaviour
+of the upstream program.
+
.SH LOGGING FORMAT
.BR ippl
@@ -198,6 +205,12 @@
.I noresolve
disable IP address resolution.
.PP
+.I portresolve
+enable IP service resolution.
+.PP
+.I noportresolve
+disable IP service resolution.
+.PP
.I ident
use ident logging (only for TCP).
.PP
--- Source/configuration.c 2008-06-05 12:39:24 +0000
+++ Source/configuration.c 2008-06-05 12:46:02 +0000
@@ -60,6 +60,7 @@
extern unsigned int dns_expire;
extern unsigned short log_protocols;
extern unsigned short resolve_protocols;
+ extern unsigned short portresolve_protocols;
extern unsigned short icmp_format;
extern unsigned short tcp_format;
extern unsigned short udp_format;
@@ -71,6 +72,7 @@
dns_expire = DNS_EXPIRE;
log_protocols = NONE;
resolve_protocols = 0; /* Do not resolve by default */
+ portresolve_protocols = RUN_TCP | RUN_UDP | RUN_ICMP; /* Resolve by default */
icmp_format = LOGFORMAT_NORMAL;
tcp_format = LOGFORMAT_NORMAL;
udp_format = LOGFORMAT_NORMAL;
--- Source/filter.c 2008-06-05 12:39:24 +0000
+++ Source/filter.c 2008-06-05 12:46:02 +0000
@@ -46,6 +46,7 @@
extern unsigned short use_ident;
extern unsigned short resolve_protocols;
+extern unsigned short portresolve_protocols;
extern unsigned short icmp_format;
extern unsigned short tcp_format;
extern unsigned short udp_format;
@@ -66,7 +67,7 @@
#ifdef FILTER_DEBUG
void display_info(struct log_info *info, int entries) {
- log.log(log.level_or_fd, "DBG: (e:%d) log:%d ident:%d resolve:%d closing:%d format:%d", entries, info->log, info->ident, info->resolve, info->logclosing, info->logformat);
+ log.log(log.level_or_fd, "DBG: (e:%d) log:%d ident:%d resolve:%d portresolve: %d, closing:%d format:%d", entries, info->log, info->ident, info->resolve, info->portresolve, info->logclosing, info->logformat);
}
#endif
@@ -200,6 +201,19 @@
break;
}
}
+ if (info->portresolve == -1) {
+ switch (protocol) {
+ case IPPROTO_ICMP:
+ info->portresolve = portresolve_protocols & RUN_ICMP;
+ break;
+ case IPPROTO_TCP:
+ info->portresolve = portresolve_protocols & RUN_TCP;
+ break;
+ case IPPROTO_UDP:
+ info->portresolve = portresolve_protocols & RUN_UDP;
+ break;
+ }
+ }
}
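Review bot: The new `switch (protocol)` has no `default:` branch, so for a protocol value other than ICMP/TCP/UDP `info->portresolve` keeps the `-1` sentinel, which later reads as true in service_lookup's `if (portresolve)`; this appears to mirror the existing `resolve` block just above (only its closing braces are visible here), but an explicit `default: info->portresolve = 0; break;` states the intent. The values stored are `portresolve_protocols & RUN_xxx`, a raw bit rather than TRUE/FALSE, which works because the consumer only tests for non-zero; a comment such as `/* non-zero means resolve; callers test truthiness, not == TRUE */` would stop a later reader from "fixing" it into an equality test. set_defaults begins before this hunk.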
struct log_info do_log(const __u32 from, const __u32 to, const __u16 type, const __u16 srctype, const short protocol) {
@@ -244,6 +258,7 @@
info.log = p->log;
info.ident = p->ident;
info.resolve = p->resolve;
+ info.portresolve = p->portresolve;
info.logformat = p->logformat;
info.logclosing = p->logclosing;
set_defaults(protocol, &info);
@@ -265,6 +280,7 @@
info.log = p->log;
info.ident = p->ident;
info.resolve = p->resolve;
+ info.portresolve = p->portresolve;
info.logformat = p->logformat;
set_defaults(protocol, &info);
#ifdef FILTER_DEBUG
@@ -280,7 +296,7 @@
info.log = TRUE;
info.ident = use_ident;
info.logclosing = log_closing;
- info.logformat = info.resolve = -1;
+ info.logformat = info.resolve = info.portresolve = -1;
set_defaults(protocol, &info);
#ifdef FILTER_DEBUG
--- Source/filter.h 2008-06-05 12:39:24 +0000
+++ Source/filter.h 2008-06-05 12:46:02 +0000
@@ -53,6 +53,7 @@
struct filter_entry {
short log; /* TRUE for "log", FALSE for "ignore" */
short ident; /* TRUE if we should use ident */
+ short portresolve; /* TRUE if we should resolve TCP/UDP services */
short resolve; /* TRUE if we should resolve IP addresses */
short logformat; /* format used to log */
short logclosing; /* TRUE to log closing TCP connections */
@@ -72,6 +73,7 @@
short log;
short ident;
short resolve;
+ short portresolve;
short logclosing;
short logformat;
};
--- Source/ippl.l 2008-06-05 12:39:24 +0000
+++ Source/ippl.l 2008-06-05 12:46:02 +0000
@@ -75,6 +75,9 @@
[lL][oO][gG][cC][lL][oO][sS][iI][nN][gG] return LOGCLOSING;
[nN][oO][lL][oO][gG][cC][lL][oO][sS][iI][nN][gG] return NOLOGCLOSING;
+[nN][oO][pP][oO][rR][tT][rR][eE][sS][oO][lL][vV][eE] return NOPORTRESOLVE;
+[pP][oO][rR][tT][rR][eE][sS][oO][lL][vV][eE] return PORTRESOLVE;
+
[nN][oO][rR][eE][sS][oO][lL][vV][eE] return NORESOLVE;
[rR][eE][sS][oO][lL][vV][eE] return RESOLVE;
--- Source/ippl.y 2008-06-05 12:39:24 +0000
+++ Source/ippl.y 2008-06-05 12:46:02 +0000
@@ -61,6 +61,7 @@
/* Should name resolving be done? */
unsigned short resolve_protocols;
+unsigned short portresolve_protocols;
/* Logging format for each protocol */
unsigned short icmp_format;
@@ -100,7 +101,7 @@
%token<stringval> IP HOSTMASK IDENTIFIER FILENAME
%token<longval> NUMBER
-%token LOGFORMAT DETAILED SHORT NORMAL RESOLVE NORESOLVE IDENT NOIDENT LOGCLOSING NOLOGCLOSING
+%token LOGFORMAT DETAILED SHORT NORMAL RESOLVE NORESOLVE IDENT NOIDENT LOGCLOSING NOLOGCLOSING PORTRESOLVE NOPORTRESOLVE
%token RUN RUNAS EXPIRE LOG_IN LOG IGNORE FROM TO TYPE PORT SRCPORT OPTION COMMA
%token ICMP TCP UDP ALL
@@ -138,6 +139,11 @@
| NORESOLVE ProtoList EOL
{ resolve_protocols &= ~$2; }
+ | PORTRESOLVE ProtoList EOL
+ { portresolve_protocols |= $2; }
+ | NOPORTRESOLVE ProtoList EOL
+ { portresolve_protocols &= ~$2; }
+
| LOGCLOSING EOL
{ log_closing = TRUE; }
| NOLOGCLOSING EOL
@@ -249,6 +255,7 @@
switches.log = -1;
switches.ident = use_ident;
switches.resolve = -1;
+ switches.portresolve = -1;
switches.logformat = -1;
switches.logclosing = log_closing;
}
@@ -259,6 +266,7 @@
$$->ident = switches.ident;
$$->logclosing = switches.logclosing;
$$->resolve = switches.resolve;
+ $$->portresolve = switches.portresolve;
$$->logformat = switches.logformat;
$$->protocol = $4.protocol;
$$->loginfo = $4.loginfoval;
@@ -287,6 +295,8 @@
| NOIDENT { switches.ident = FALSE; }
| RESOLVE { switches.resolve = RUN_ICMP | RUN_TCP | RUN_UDP; }
| NORESOLVE { switches.resolve = 0; }
+ | PORTRESOLVE { switches.portresolve = RUN_ICMP | RUN_TCP | RUN_UDP; }
+ | NOPORTRESOLVE { switches.portresolve = 0; }
| SHORT { switches.logformat = LOGFORMAT_SHORT; }
| NORMAL { switches.logformat = LOGFORMAT_NORMAL; }
| DETAILED { switches.logformat = LOGFORMAT_DETAILED; }
--- Source/main.c 2008-06-05 12:39:24 +0000
+++ Source/main.c 2008-06-05 12:46:02 +0000
@@ -48,6 +48,10 @@
#include "filter.h"
#include "pidfile.h"
+#ifndef PATH_MAX
+#define PATH_MAX 4096
+#endif
+
/* Logging mechanism */
struct loginfo log;
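Review bot: The `PATH_MAX` fallback is defined right after the project headers without `<limits.h>` being included first in this hunk; if a header included later defines `PATH_MAX` with a different value the redefinition is a constraint violation, and if `<limits.h>` is never included the 4096 fallback silently wins even where the platform value differs. Put `#include <limits.h>` immediately before the `#ifndef PATH_MAX` guard and add a comment naming which buffer in main.c the constant sizes, since nothing in the port-resolve change itself uses it. Whether main.c already includes `<limits.h>` is not visible from this hunk.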
--- Source/netutils.c 2008-06-05 12:39:24 +0000
+++ Source/netutils.c 2008-06-05 12:46:02 +0000
@@ -237,15 +237,21 @@
* Get a service name for a specified protocol
*/
-void service_lookup(char *proto, char *service, __u16 port) {
+void service_lookup(char *proto, char *service, __u16 port, int portresolve) {
struct servent *se;
pthread_mutex_lock(&service_mutex);
- se = getservbyport(port, proto);
- if (se == NULL)
+ if (portresolve)
+ {
+ se = getservbyport(port, proto);
+ if (se == NULL)
+ snprintf(service, SERVICE_LENGTH, "port %d", ntohs(port));
+ else {
+ snprintf(service, SERVICE_LENGTH, "%s", se->s_name);
+ }
+ }
+ else {
snprintf(service, SERVICE_LENGTH, "port %d", ntohs(port));
- else {
- snprintf(service, SERVICE_LENGTH, "%s", se->s_name);
}
pthread_mutex_unlock(&service_mutex);
}
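Review bot: `service_mutex` is locked and unlocked even when `portresolve` is false, although that branch only formats a number into the caller's buffer and touches no shared state; the lock presumably exists because `getservbyport()` returns a static buffer, so only the resolve path needs it. Restructuring so the no-resolve case skips the lock and the lookup-miss case falls through to the same formatting also removes the duplicated `"port %d"` line. `port` is expected in network byte order (note the `ntohs()`), which the new prototype in netutils.h does not say; a `@param port destination port in network byte order` comment there would spare callers from guessing.
```c
void service_lookup(char *proto, char *service, __u16 port, int portresolve) {
	struct servent *se = NULL;

	if (portresolve) {
		/* getservbyport() hands back a static buffer, so serialise callers */
		pthread_mutex_lock(&service_mutex);
		se = getservbyport(port, proto);
		if (se != NULL)
			snprintf(service, SERVICE_LENGTH, "%s", se->s_name);
		pthread_mutex_unlock(&service_mutex);
	}
	if (se == NULL)
		snprintf(service, SERVICE_LENGTH, "port %d", ntohs(port));
}
```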
--- Source/netutils.h 2008-06-05 12:39:24 +0000
+++ Source/netutils.h 2008-06-05 12:46:02 +0000
@@ -53,6 +53,6 @@
const __u32 src_addr, const __u16 src_port,
const __u32 dst_addr, const __u16 dst_port);
-void service_lookup(char *proto, char *service, __u16 port);
+void service_lookup(char *proto, char *service, __u16 port, int portresolve);
#endif
--- Source/tcp.c 2008-06-05 12:39:24 +0000
+++ Source/tcp.c 2008-06-05 12:46:02 +0000
@@ -51,6 +51,7 @@
struct loginfo tcp_log;
extern struct loginfo log;
extern unsigned short resolve_protocols;
+extern unsigned short portresolve_protocols;
/*
* Structure of a TCP packet
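Review bot: The `extern unsigned short portresolve_protocols;` added here is not referenced by any tcp.c line changed in this patch (both call sites at L391 and L400 pass `info.portresolve`, which filter.c has already resolved against the mask), and udp.c receives no matching extern, which suggests the declaration is unused; if nothing else in tcp.c reads it, drop it so the per-filter value stays the single source of truth. Whether the rest of tcp.c uses the symbol is not visible from this hunk.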
@@ -88,7 +89,7 @@
*details ='\0';
host_print(remote_host, IPHDR.saddr,
info.resolve);
- service_lookup("tcp", service, TCPHDR.dest);
+ service_lookup("tcp", service, TCPHDR.dest, info.portresolve);
if (info.logformat == LOGFORMAT_DETAILED) {
get_details(details,
IPHDR.saddr,
@@ -186,7 +187,7 @@
*details ='\0';
host_print(remote_host, IPHDR.saddr,
info.resolve);
- service_lookup("tcp", service, TCPHDR.dest);
+ service_lookup("tcp", service, TCPHDR.dest, info.portresolve);
if (info.logformat == LOGFORMAT_DETAILED) {
get_details(details,
IPHDR.saddr,
--- Source/udp.c 2008-06-05 12:39:24 +0000
+++ Source/udp.c 2008-06-05 12:46:02 +0000
@@ -81,7 +81,7 @@
*details ='\0';
host_print(remote_host, IPHDR.saddr,
info.resolve);
- service_lookup("udp", service, UDPHDR.dest);
+ service_lookup("udp", service, UDPHDR.dest, info.portresolve);
if (info.logformat == LOGFORMAT_DETAILED) {
get_details(details,
IPHDR.saddr,
--- ippl.conf 2008-06-05 12:39:24 +0000
+++ ippl.conf 2008-06-05 12:48:36 +0000
@@ -4,13 +4,15 @@
# User used
# ---------
# Specify the user (declared in /etc/passwd) used to run the
-# logging threads.
-#runas nobody
+# logging threads. The ippl process visible in the process table
+# is still running as root! Look in /proc/pid/task to see the threads
+# running as ippl
+runas ippl
# Resolve hostnames?
# ------------------
-# Uncomment the line below to disable DNS lookups
-#noresolve all
+# Uncomment the line below to enable DNS lookups
+#resolve all
# Use ident?
# ----------
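Review bot: `runas ippl` is now active rather than commented out, so on any system where the `ippl` account does not exist the daemon will either refuse to start or, depending on how `runas` handles an unknown name, keep running as root; this is a Debian packaging assumption, and the Gentoo side needs to create that user or ship the line commented for the default to be safe. The new comment saying the process "is still running as root" may also be stale once the privilege-drop patch from this same commit is applied, since main() then drops to the `runas` account after the capture threads start; a wording that stays true under both patches is `# Privileges are dropped once the capture threads have opened their raw sockets.`.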
@@ -38,9 +40,14 @@
# ----------------
run icmp tcp
# Uncomment the line below to log UDP traffic.
-# See ippl.conf(5) for recommandations.
+# See ippl.conf(5) for recommendations.
#run udp
+# Resolve tcp/udp port to service name?
+# -------------------------------------
+# portresolve icmp tcp udp
+# Set noportresolve <protocol-list> to log port numbers instead
+
# Logging format
# ----------------
# If you want to see the destination address, the ports, etc
@@ -63,6 +70,3 @@
# Do not log DNS queries
#ignore udp port domain
#ignore udp srcport domain
-
-# End of configuration
-# Copyright (C) 1998-1999 Hugo Haas - Etienne Bernard
1.1 net-analyzer/ippl/files/ippl-1.4.14-manpage.patch
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-analyzer/ippl/files/ippl-1.4.14-manpage.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-analyzer/ippl/files/ippl-1.4.14-manpage.patch?rev=1.1&content-type=text/plain
Index: ippl-1.4.14-manpage.patch
===================================================================
patch by Marc Haber <mh+debian-packages@zugschlus.de>
--- ./Docs/ippl.conf.man 2000-11-05 22:03:47.000000000 +0000
+++ /tmp/dpep-work.IyOfxu/trunk/Docs/ippl.conf.man 2005-03-19 20:53:38.340875122 +0000
@@ -222,9 +222,7 @@
.SS Protocol
.PP
protocol is one of the supported protocols (see the protocols
-section), except the
-.I all
-keyword, which is not supported.
+section).
.SS Description
.PP