tcpdump mailing list archives

Re: OpenBSD work on Tcpdump privilege separation


From: Pekka Savola <pekkas () netcore fi>
Date: Mon, 23 Feb 2004 19:10:25 +0200 (EET)

On Mon, 23 Feb 2004, Hannes Gredler wrote:
tx pekka - can somebody pls test on the BSDs? - /hannes

Works on my FreeBSD at least.

However, I noticed a different problem with dropping the privileges.

The critical questions are:

1) does one have to be able to record files (with '-w') also to
directories you yourself (root) have write access to, but the user to 
which you drop the privileges does not?

2) is there any difference whether dropping the privileges was
implicit (with '--with-user') or explicit ('-Z')?

3) would we want to hack tcpdump a bit further, so that the write file 
would be opened as early as possible, to be able to drop the 
privileges earlier (if yes to 1)? [this might also help with 
chrooting, if we wanted to do it.]

I assume the answers are "yes", "no" and "no".  (Currently this
is "yes; if the username was implicit, and then root privs are dropped
later".)  Thoughts?

Note that with setuid tcpdump, this has never been possible (due to
valid reasons, of course :).  But root-dropping tcpdump, especially if
done automatically, might be a bit special.

I've attached a patch that results in the assumed intended behaviour:
the privileges are dropped only later, the behaviour is identical with
or without --with-user=xxx, and more detailed hackery of write files
is omitted.  I've moved up the setuid-part though.

Please discuss what you feel would be the best approach!  I might
personally be tempted to move up the opening of write files part..

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings


Attachment: tcpdump-droppriv.patch
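An added illustration of the ordering question 3 raises, written for this archive page and not taken from Pekka's patch or from tcpdump itself: the -w file is opened while the process is still root, and only then are privileges dropped permanently, with a check that root cannot be regained. The function names, the argument layout of the small main() and the uid/gid ordering are assumptions of this example.

```c
#define _DEFAULT_SOURCE /* for setgroups() in <grp.h> on glibc */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Open the -w target while still root, so a directory writable by
 * root but not by the unprivileged user still works (question 1/3). */
int open_capture_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Drop permanently: supplementary groups (root only), then gid, then
 * uid.  setuid() rather than seteuid() so the saved uid is cleared. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop took: a non-root process must not regain root. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* The ordering the mail asks about: open the write file, then drop. */
int start_capture(const char *path, uid_t uid, gid_t gid)
{
    int fd = open_capture_file(path);
    if (fd < 0)
        return -1;
    if (drop_privileges(uid, gid) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Usage (as root): ./droppriv <file> <uid> <gid> */
int main(int argc, char **argv)
{
    if (argc != 4) return 1;
    int fd = start_capture(argv[1], atoi(argv[2]), atoi(argv[3]));
    if (fd < 0) { perror("start_capture"); return 1; }
    printf("fd %d open, now running as uid %d\n", fd, (int)getuid());
    return 0;
}
```

Run as root with a file in a root-only directory and an unprivileged uid/gid, the open succeeds and a later attempt to write a second file there from the dropped process would not; run the other way round (drop first) the open itself fails.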