author Michael Orlitzky <mjo@gentoo.org> 2017-10-22 13:22:30 -0400
committer Michael Orlitzky <mjo@gentoo.org> 2017-10-22 13:40:01 -0400
commit 6739ee69e69a954bc27a3040ab59d46b82582229 (patch)
tree 64a07db70e74f0dcce8512945e1504829e03a401 /net-analyzer/arpwatch/files/arpwatch.initd-r1
parent net-im/corebird: version bump to 1.6. (diff)
net-analyzer/arpwatch: new revision to fix privilege escalation.
In previous revisions, the init script for arpwatch called "chown" as root on a location under /var/lib/arpwatch -- a path that is controlled by the "arpwatch" user per its ebuild. That could be exploited by the "arpwatch" user to take control of root-owned files.

This new revision comes with a new init script and conf.d file that completely rework the way instances are created and run. The "arpwatch" user is hard-coded, because as was mentioned, the ebuild sets some important permissions for that user. Since it is not possible to change that user, the need for "chown" is eliminated. Separate instances are now created by symlinking the init script (like our network interface scripts), rather than by enumerating them in a single arpwatch init script.

Upgraders will want to review their configurations.

Bug: https://bugs.gentoo.org/602552
Package-Manager: Portage-2.3.8, Repoman-2.3.3
Diffstat (limited to 'net-analyzer/arpwatch/files/arpwatch.initd-r1')
-rw-r--r-- net-analyzer/arpwatch/files/arpwatch.initd-r1 | 27
1 files changed, 27 insertions, 0 deletions
diff --git a/net-analyzer/arpwatch/files/arpwatch.initd-r1 b/net-analyzer/arpwatch/files/arpwatch.initd-r1
new file mode 100644
index 000000000000..ffe165205c6a
--- /dev/null
+++ b/net-analyzer/arpwatch/files/arpwatch.initd-r1
@@ -0,0 +1,27 @@
+#!/sbin/openrc-run
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Default to "lo" for the interface, so that the init script will work
+# out-of-the-box.
+: ${ARPWATCH_IFACE:=lo}
+
+ARPWATCH_DATAFILE="/var/lib/arpwatch/${RC_SVCNAME}.dat"
+
+command="/usr/sbin/arpwatch"
+pidfile="/run/${RC_SVCNAME}.pid"
+command_args="-i ${ARPWATCH_IFACE}
+ -u arpwatch
+ -f ${ARPWATCH_DATAFILE}
+ -P ${pidfile}
+ ${ARPWATCH_OPTS}"
+
+depend() {
+ need "net.${ARPWATCH_IFACE}"
+}
+
+start_pre() {
+ # The "arpwatch" user must be a member of the "arpwatch" group for
+ # this to work.
+ checkpath --file --owner root:arpwatch --mode 0660 "${ARPWATCH_DATAFILE}"
+}
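Review bot: start_pre() still performs a privileged ownership and mode change as root (checkpath --owner root:arpwatch --mode 0660) on a file under /var/lib/arpwatch, the very directory the commit message describes as controlled by the "arpwatch" user, so the script should say why this is safe where the previous chown was not. Extend the comment above the checkpath call to state what is being relied on: that the file is created root-owned with the unprivileged user getting only group write via 0660, and that checkpath on the OpenRC versions this ebuild supports refuses to act through a symlink the "arpwatch" user could place at "${ARPWATCH_DATAFILE}" (please confirm that behaviour rather than assume it, since the whole point of this revision is to close that class of issue). As a secondary point, the comment says the "arpwatch" user must be in the "arpwatch" group but nothing verifies it; a one-line membership check in start_pre() with an eerror would turn a silent permission failure at runtime into a clear error at start.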