Summary: traceroute/tracepath should not be suid root by default
Product: Gentoo Security
Reporter: Olivier Crete (RETIRED) <tester>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: blkdeath, boulder_flight_technician, brad, phil, taviso
Package list:
Runtime testing required: ---
Description Olivier Crete (RETIRED) 2003-11-26 16:35:59 UTC
The following utilities are set-uid root by default. I believe they should not be, and that they pose a useless security risk for a default install. And if they are not set-uid root, they should be moved to /usr/sbin, where they belong and where they are in every other distro that I've checked.

net-analyzer/traceroute-1.4_p12-r1: /usr/bin/traceroute
net-misc/iputils-020927: /usr/bin/tracepath /usr/bin/traceroute6 /usr/bin/tracepath6
net-analyzer/tcptraceroute-1.4-r2: /usr/bin/tcptraceroute
Comment 1 Tavis Ormandy (RETIRED) 2003-11-27 03:18:00 UTC
traceroute needs to be setuid root; it uses raw sockets. You're right about tracepath though: the man page specifically says this should not be setuid root.
Comment 2 Olivier Crete (RETIRED) 2003-11-27 03:33:59 UTC
I mean traceroute shouldn't be set-uid root and should be usable only by root by default. SecurityFocus has two exploits for traceroute and one for tcptraceroute. And since tracepath exists, I still think they shouldn't be setuid by default, and they should be installed in /usr/sbin like in every other distribution.
Comment 3 SpanKY 2003-11-29 15:29:22 UTC
traceroute-1.4_p12-r2 installs into /usr/sbin and is given 0755 as perms
Comment 4 SpanKY 2003-11-29 15:32:26 UTC
tcptraceroute-1.4-r3 no longer installs +s
Comment 5 Stewart (RETIRED) 2004-02-03 14:07:45 UTC
I posted to a mailing list on this subject previously, but wanted to contribute my $0.02CDN to this bug. Is it possible, instead of removing the setuid bit (therefore rendering traceroute usable only by root and those configured, and knowledgeable, in sudo), to change the group to an administrative group and set 4750 perms, so we don't have to jump through hoops to use this application? The setuid bit is a long-standing facet of traceroute, and it's been pointed out that various BSDs (Free among them) haven't found it necessary to remove said bit.
Comment 6 solar (RETIRED) 2004-02-03 15:07:22 UTC
4710 root:wheel perhaps ?
Comment 7 SpanKY 2004-02-11 20:01:52 UTC
traceroute/tcptraceroute are now 4710 root:wheel
Comment 8 SpanKY 2004-02-14 14:27:09 UTC
*** Bug 41583 has been marked as a duplicate of this bug. ***
Comment 9 Toni DiBoulda 2004-02-14 14:34:06 UTC
Hello, traceroute is a standard util and users expect it to work. After a world update, it is executable for members of the wheel group only. Are there any known issues to justify this really drastic change? All UNIX systems I have seen make traceroute executable for all. If restricted to a group, the wheel group is by far the worst possible choice imaginable. (Sorry, cannot reopen.)
Comment 10 Stewart (RETIRED) 2004-02-16 22:02:08 UTC
Traceroute is a utility riddled with past and present vulnerabilities, and as a setuid util, it isn't considered safe to be accessible by all users. The wheel group was chosen, albeit somewhat arbitrarily, to abate the issue and reduce exposure to harm for a system. One other proposed solution that I'd still like to see implemented in the near future is a group such as "sockets" that would allow its users to have direct socket access. Utilities such as traceroute, ping, netcat(?), tcpdump, et al. could be placed in such a group to permit finer-grained access control. One detraction of using the wheel group, as pointed out elsewhere (#gentoo-dev, IIRC), is the fact that 'su' is typically wheel-restricted, therefore allowing anybody with traceroute access the ability to utilize su capabilities.
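The two things this thread keeps coming back to are (a) finding which binaries are setuid root and world-executable, as the reporter did by hand, and (b) the 4710 root:wheel layout the packages ended up with, which keeps the setuid bit but hides the binary from everyone outside one group. The script below is an added example and is not code from the bug, from Gentoo or from any ebuild. It audits a directory tree for setuid files, flags any not on an allowlist, and applies the restricted layout to one file. The scratch tree, the sample file names, the allowlist path and the use of the caller's own primary group in place of wheel are all assumptions so that it runs unprivileged; on a real system you would point it at /usr/bin and /usr/sbin and pass the group you actually chose (wheel, or a dedicated "sockets" group as proposed above).

```shell
#!/bin/sh
# Added example (not from the Gentoo bug or any ebuild): audit setuid files
# and apply the 4710 + group layout from comment 7. Directory, group and
# sample files are assumptions; a scratch tree stands in for /usr/{bin,sbin}.

# Print every setuid file under $1, one path per line, sorted.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Exit 0 if $1 is setuid AND executable by "other" (the 4755 layout the
# reporter objected to: any local user can run it), 1 otherwise.
# -prune stops find from descending; -perm -4001 means "at least these bits".
is_world_setuid() {
    [ -n "$(find "$1" -prune -perm -4001 2>/dev/null)" ]
}

# Octal mode of $1 including the setuid/setgid/sticky digit.
# Tries GNU stat first, then the BSD spelling.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Mp%Lp' "$1"
}

# Keep the setuid bit but hide the binary from everyone outside group $2:
# 4710 = setuid, owner rwx, group x only, nothing for others.
restrict_to_group() {
    chgrp "$2" "$1" && chmod 4710 "$1"
}

# Report setuid files under $1 that are not listed (one full path per line)
# in the allowlist file $2, together with their current mode.
report_unexpected_setuid() {
    list_setuid "$1" | while IFS= read -r f; do
        grep -qxF "$f" "$2" || echo "unexpected setuid: $f ($(file_mode "$f"))"
    done
}

# --- demo on a constructed tree (assumption: stands in for a real install) ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/usr/bin" "$DEMO/usr/sbin"
for b in usr/bin/traceroute usr/bin/tracepath usr/sbin/traceroute6; do
    printf '#!/bin/sh\necho %s\n' "$b" > "$DEMO/$b"
done
chmod 4755 "$DEMO/usr/bin/traceroute" "$DEMO/usr/bin/tracepath"  # as shipped
chmod 0755 "$DEMO/usr/sbin/traceroute6"                           # already non-suid
# Only traceroute is expected to be setuid; tracepath's man page says it must not be.
printf '%s\n' "$DEMO/usr/bin/traceroute" > "$DEMO/allowlist"

report_unexpected_setuid "$DEMO" "$DEMO/allowlist"
# prints one line for usr/bin/tracepath (4755)

# Apply the thread's final layout to traceroute. The caller's own group
# replaces wheel here so the demo does not need root.
restrict_to_group "$DEMO/usr/bin/traceroute" "$(id -gn)"
file_mode "$DEMO/usr/bin/traceroute"   # -> 4710
rm -rf "$DEMO"
```

The audit is deliberately allowlist-based: a new ebuild quietly shipping a +s binary (the situation in comments 17 and 19) shows up as a diff against the list rather than being lost in the full setuid inventory. Note that restricting by group does nothing for the exposure inside the group, which is the objection raised against wheel: whoever you add to the group can run the setuid binary, so the group should carry no other privilege.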
Comment 11 Toni DiBoulda 2004-02-16 23:53:19 UTC
Are we talking about traceroute in general or the version Gentoo is using? If it is considered so dangerous (by whom??), shouldn't there be a security announcement, and the author be notified? Where is the article? Because all Linux distributions we use here have the same version with the suid bit set:

debian (woody) 1.4a12-9 /usr/bin, 4755
debian (sarge) (-13 = latest version available from debian) 1.4a12-13 /usr/bin, 4755
mandrake (dolphin) 1.4a12-3mdk /usr/sbin, 4755
mandrake (fivestar) 1.4a12-4mdk /usr/sbin, 4755
redhat (9.0) 1.4a12-9 /usr/sbin, 4755
fedora core (0.94) 1.4a12-20.1 /usr/bin, 4755

The only exception is SuSE, who have also switched to a different traceroute in 9.0 that is said to run non-suid root.

suse (8.0) 1.4a12-156 /usr/sbin, 0755
suse (8.2) 1.4a12-208 /usr/sbin, 0755
Comment 12 SpanKY 2004-02-17 10:51:34 UTC
We didn't say this version was full of holes; we said it has a history of not having the cleanest code.
Comment 13 Toni DiBoulda 2004-02-17 20:16:15 UTC
Yeah, you did. Comment #2 says "two exploits for traceroute" and seems to base the decision upon it. Debian has had the same version of traceroute in use since 1999 and all updates are marked "urgency=low", so I ask again: where is the mysterious exploit? Are all my other machines in danger? This I don't get: I just found an *exploitable* bug in Gentoo software in Bugzilla, open for almost 1 year. In another bug someone from the security team says the security team does not have the time and resources to send out a GLSA for everything. In another report the same person does not want to apply a perfectly valid patch for a serious symlink attack issue because nobody has "time or skills to audit patch". But you *do* have the time and resources to cripple a utility that is executable for all by (unwritten) standard (works on Solaris, IRIX, HP-UX too), for which I did not find a single vulnerability? Please enlighten me.
Comment 14 Brad Laue (RETIRED) 2004-02-19 00:28:58 UTC
We should find out what SuSE is doing and do that.
Comment 15 Stewart (RETIRED) 2004-02-19 00:39:42 UTC
You sound rather hostile. What was your developer e-mail address? A quick search of SecurityFocus did uncover a few security advisories for the various versions of traceroute. Gentoo isn't a distribution with vast corporate resources to address all the problems that are brought to BugZilla. If you, on the other hand, have spare time and resources I'm sure the security team would be glad to have you. Meanwhile, the traceroute 'fix' (not, I might add, written in stone) was a minor precaution taken to negate the possibility of an attack on this, and the many other setuid utilities in the tree.
Comment 16 Toni DiBoulda 2004-02-19 07:15:53 UTC
I don't know if this is the right place, but just to clear things up: English is not my first or second language, no hostility intended. The issues here are, first, that the change was not announced anywhere and breaks new installations, but the old ebuild has disappeared. The wheel group has too many privileges, sometimes write access to /usr/local, in many places. Second, why don't you just use the version from RedHat or Fedora then? To say there are exploits without telling details just causes major panic in management. I'll be quiet now.
Comment 17 Philipp Kern 2004-04-08 06:05:10 UTC
This is inconsistent, really. traceroute is in /usr/sbin, usable only by root. traceroute6, however, is in /usr/bin, setuid root.
Comment 18 Kurt Lieber (RETIRED) 2004-04-08 06:17:22 UTC
great -- so file a bug that traceroute6 should be moved to /usr/sbin and installed without the SUID bit set.
Comment 19 Pekka Paalanen 2004-07-18 12:20:20 UTC
What do you mean "FIXED"? I just remerged iputils-021109-r3 after emerge sync and /usr/bin/tracepath and /usr/bin/tracepath6 are still suid root. As is /usr/bin/traceroute6 also.