Package: tcpspy
Version: 1.7d-4
Severity: wishlist
Tags: patch

Tcpspy is clearly intended to be a long living daemon.
As such it is reacting on an alarmingly large number
of signals. One could also argue that it would benefit
slightly from a stricter handling of file descriptors,
more in line with security measures for other daemons.
I contribute one mode of implementing these changes.

Best regards,
  Mats Erik Andersson, DM
Description: Improve security in daemonised execution.
 Ignore signals irrelevant to a long living daemon
 which was crafted with orderly shutdown.
 .
 Replace standard file descriptors with a tie to "/dev/null".
 .
 Yield controlling terminal properly by seting session ID.
Author: Mats Erik Andersson <[email protected]>
Forwarded: no
Last-Update: 2011-03-08

--- tcpspy-1.7d.debian/tcpspy.c	2002-01-25 02:01:02.000000000 +0100
+++ tcpspy-1.7d/tcpspy.c	2011-03-08 20:56:37.000000000 +0100
@@ -53,7 +53,10 @@
 #include <sys/socket.h>
 #include <sys/time.h>
 #include <sys/types.h>
+#include <sys/stat.h>	/* umask() */
+#include <fcntl.h>	/* open /dev/null */
 #include <unistd.h>
+#include <paths.h>	/* _PATH_DEVNULL */
 
 #include "log.h"
 #include "rcsid.h"
@@ -607,7 +610,16 @@
 
 	if (debug == 0) {
 		pid_t p;
+		int nullfd;
 
+		/* Hinder early disturbance generated by terminal. */
+		signal (SIGHUP,  SIG_IGN);
+		signal (SIGINT,  SIG_IGN);
+		signal (SIGQUIT, SIG_IGN);
+		signal (SIGTSTP, SIG_IGN);
+		signal (SIGUSR1, SIG_IGN);
+		signal (SIGUSR2, SIG_IGN);
+ 
 		/* 1st fork */
 		p = fork();
 		if (p < 0) {
@@ -617,6 +629,13 @@
 		} else if (p != 0)
 			exit (0);
 
+		/* Give up controlling terminal */
+		if (setsid () < 0) {
+			fprintf (stderr, "tcpspy: setsid: %s\n",
+					strerror (errno));
+			exit (EXIT_FAILURE);
+		}
+
 		/* 2nd fork */
 		p = fork();
 		if (p < 0) {
@@ -630,11 +649,22 @@
 		}
 
 		ioctl (STDIN_FILENO, TIOCNOTTY, NULL);
-		close (STDIN_FILENO); 
-		close (STDOUT_FILENO); 
-		close (STDERR_FILENO);
+
+		nullfd = open (_PATH_DEVNULL, O_RDWR, 0);
+		if (nullfd < 0) {
+			fprintf (stderr, "tcpspy: cannot open %s\n",
+					_PATH_DEVNULL);
+			exit (EXIT_FAILURE);
+		}
+
+		dup2 (nullfd, STDIN_FILENO);
+		dup2 (nullfd, STDOUT_FILENO);
+		dup2 (nullfd, STDERR_FILENO);
+		close (nullfd);
+
 		setpgid (0, 0);
 		chdir ("/");
+		umask (0);
 	} else
 		fprintf (stderr, "tcpspy 1.7d started (debug)\n");
 

Attachment: signature.asc
Description: Digital signature

Reply via email to