FS#15746 : [kismet] should be built "make suidinstall"

FS#15746 - [kismet] should be built "make suidinstall"

Attached to Project: Arch Linux
Opened by orbisvicis (orbisvicis) - Friday, 31 July 2009, 19:21 GMT
Last edited by Angel Velasquez (angvp) - Saturday, 14 May 2011, 07:08 GMT

Task Type	Feature Request
Category	Packages: Extra
Status	Closed
Assigned To	Angel Velasquez (angvp)
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	7 Greg (dolby) (2011-04-11) Bogdan Szczurek (thebodzio) (2010-06-25) Daniel Micay (thestinger) (2010-04-29) Sean Streeter (anubis2591) (2010-04-22) Kristoffer (stoffix) (2010-04-21) orbisvicis (orbisvicis) (2010-04-03) Adam Easter (aeaster) (2009-08-06)
Private	No

Details

Description:

From http://www.kismetwireless.net/documentation.shtml#readme:

make suidinstall creates and extra binary, kismet_capture, which can only be run by members of the "kismet" group and is reposonsible for configuring the card. This significantly reduces attack vectors. "...Distributions are strongly encouraged to use this method..."

I think it would be a good idea to provide this build of kismet.

Additional info:
extra/kismet 2009_06_R1-1

This task depends upon

Closed by Angel Velasquez (angvp)
Saturday, 14 May 2011, 07:08 GMT
Reason for closing: Implemented

Comment by Olivier Médoc (oliv) - Tuesday, 08 September 2009, 08:05 GMT

I have the same request as I remember exploits that have been created in order to take control of a host were kismet was running. Running suidroot only a small subset of kismet is their counter measure against such attacks

Comment by orbisvicis (orbisvicis) - Saturday, 03 April 2010, 06:17 GMT

Also running suidroot leaves the logfiles under the ownership of the calling user.

suidinstall needs to change permissions of kismet_capture to the "kismet" group; to do this the "kismet" group must already be present and it is not possible to add a group in fakeroot. I can think of two workarounds. Similarly pacman clients can't install files owned by nonexistent users, though this can be worked around by the pre_install (or whatever) hook.

first:
A bootstrap package that create the kismet group: nothing more that a kismet-bootstrap.install and PKGBUILD.
The actual kismet package makedepends() and depends() on this kismet-bootstrap package

second:
kismet ./configure suidgroup="some-common-group". Afterwards, in post_install (or whatever) the ownership of the kismet_capture binary can be changed. I'm not sure if this will work, though: possibly the suidgroup configuration does more than set the ownership of one file.

third:
any other ideas?

Comment by orbisvicis (orbisvicis) - Saturday, 03 April 2010, 06:53 GMT

actual third:
Possibly because of the lookup in /etc/passwd involved, while chown will not accept nonexistent group/user names, it does accept nonexistent IDs.
So, reserve a numerical group id for kismet
then ./configure --with-suidgroup=reserved_id
and in post_install() groupadd kismet -g reserved_id
*This works but generates a groupadd error.

The only difference between "install" and "suidinstall" is the binsuidinstall dependency which does nothing but install one file, kismet_capture. I believe that is the only way that SUIDGROUP is used. This seems pretty simple:
./configure --with-suidgroup=root
post_install() groupadd kismet; chown /usr/bin/kismet_capture root:kismet

Comment by orbisvicis (orbisvicis) - Saturday, 03 April 2010, 16:28 GMT

It is probably a good idea to nonetheless decide on a system group ID for kismet, such that no other group may use that ID. Who decides this?

Comment by orbisvicis (orbisvicis) - Sunday, 04 April 2010, 21:32 GMT

I picked group number "315" since it was free on my system. If this conflicts with any other packages, just post a comment here..

The PKGBUILD has been *really* cleaned out. It will also install kismet suid as well as provide the default plugin set that kismet ships.

PKGBUILD (2.8 KiB)

kismet.install (1.1 KiB)

Comment by orbisvicis (orbisvicis) - Sunday, 04 April 2010, 22:31 GMT

Didn't realize chown clears the setuid bits.

kismet.install (1.2 KiB)

Comment by orbisvicis (orbisvicis) - Tuesday, 27 July 2010, 17:03 GMT

hmm now kismet-2010-07-R1 is current

Comment by Bogdan Szczurek (thebodzio) - Wednesday, 04 August 2010, 06:44 GMT

I've built kismet-2010-01-R1 with orbisvicis' PKGBUILD. It seems to build and work okee. One thing I'm not sure about is placing “mac80211 driver” in optdepends. It produces a warning from makepkg.

Anyway… I think that's the way to go for kismet package.

Comment by Bogdan Szczurek (thebodzio) - Wednesday, 04 August 2010, 21:25 GMT

I've updated PKGBUILD for 2010-07-R1 version. Maybe it would be good to place version number in "_realver" and modify it for use in "pkgver", also to use "_realver" in source URL.

PKGBUILD (1.7 KiB)

Comment by orbisvicis (orbisvicis) - Thursday, 05 May 2011, 07:33 GMT

Updated to 2011-03-R2. At this rate it should become an official AUR package, "kismet-better", hehe.

kismet-2011_03_R2-2.src.tar.gz (2.1 KiB)

Comment by Angel Velasquez (angvp) - Friday, 06 May 2011, 20:27 GMT

I think orbisvis solution is properly and I will apply it tonight ..

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#15746 - [kismet] should be built "make suidinstall"

Details

Loading...