tcpdump mailing list archives

Re: why doesn't tcpdump drop privileges?


From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Wed, 21 Jan 2004 22:35:47 -0500

Ryan Mooney wrote:
> Not really comments on the specific patch, or its applicability to the issue at hand.
> I'm a strong believer in defense in depth.

So then I assume you did "chmod -x /usr/bin/tcpdump"? :^)

> Does a trench outside the wall stop all the attackers? No, but it does slow them down, and gives you a chance to regroup.

The problem with your metaphor is that there is no wall. Also, the trench is only 8 centimeters deep.

Anyway, if you're truly a believer in defense-in-depth, like me, you're not running protocol dissectors as root anyway, are you?

I've already agreed that dropping uid 0 helps. It just doesn't help very much, and I'm not sure it's worth the trouble if it's not done correctly. In our last episode we saw that the patch has yet to drop groups. On Red Hat, root's native groups include, for example, write access (as group disk) to all disk devices. Andrew said he's working to make it better, so, great.

I also advocated combining the uid drop with a chroot to an empty, unwritable directory. This would actually make a difference in that it would become significantly harder for an intruder to modify the system.

> Dropping privileges from root stops a wide range of script kiddy type attacks from causing much much more damage than they would otherwise. If you really don't believe in this, tell us where you run your web server and justify why it's running as root :) I agree that this does not stop a determined and resourceful hacker, it will however slow them down and possibly encourage them to seek a softer target. The primary source of most attacks I've seen lately are script kiddies, and if tcpdump was running as an unprivileged user it would limit the spread of damage on many systems (they would at least have to try a little).

The typical intrusion scenario these days has the intruder start by running "id". If this runs, the intruder will get a shell, and then try to get root with a local privilege escalation exploit. If this doesn't work, the intruder goes about his business as the regular user and waits for an opportunity to arise. So how much better off are you? How long is this guy going to run around on your system before you even know about it?

One more thing: the script kiddies won't typically target this vulnerability, since it only exists when someone is running tcpdump with a vulnerable protocol dissector. Script kiddies are much more interested in always-on vulnerabilities such as last year's apache chunked encoding vulnerability... and let's talk about that for a minute: how many thousands or tens of thousands of apache servers got nailed on that one? How about mod_ssl? This was a lot of damage, and the script kiddies weren't in the least disinclined to attack by the fact that apache wasn't running as root.

You want defense in depth? Start digging into the protocol dissectors and fix the buffer overflows. Now *that's* digging trenches.

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
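As an added example (not tcpdump's code and not the patch under discussion), here is a C routine that performs the drop the way this thread argues it should be done: chroot to an empty, unwritable directory while still root, clear the supplementary groups with setgroups(0, NULL) (the step the message says the patch omits, which is what leaves root's "disk"-style groups attached), then set the gid, then the uid, and verify that root cannot be regained. The jail path and target ids are the caller's assumptions.

```c
/* Added example, not tcpdump code: drop root the way the thread argues it
 * should be done - chroot to an empty directory, clear supplementary groups,
 * set gid, then uid, and verify that every id is really unprivileged. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Return 1 if no id in the set is root (0). Pure, so it can be checked
 * without privileges; drop_privileges() applies it after the drop. */
int ids_unprivileged(uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                     const gid_t *groups, int ngroups)
{
    if (uid == 0 || euid == 0 || gid == 0 || egid == 0)
        return 0;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == 0)
            return 0;
    return 1;
}

/* Return 0 on success, -1 with errno set on failure. Order matters:
 * chroot needs root, groups before gid, uid last (it removes the power
 * to do anything else). jail/uid/gid are the caller's choice. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    gid_t *groups;
    int n, ok;

    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0)        /* drop root's supplementary groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; } /* root must be gone */
    n = getgroups(0, NULL);
    if (n < 0)
        return -1;
    groups = malloc((n ? n : 1) * sizeof *groups);
    if (!groups)
        return -1;
    if (getgroups(n, groups) != n) { free(groups); return -1; }
    ok = ids_unprivileged(getuid(), geteuid(), getgid(), getegid(), groups, n);
    free(groups);
    if (!ok) { errno = EPERM; return -1; }
    return 0;
}
```

Call it after the capture socket is open and before any packet reaches a dissector, so the dissectors run with no uid 0, no gid 0, no disk-device groups, and no writable filesystem in view.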

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
