tcpdump mailing list archives
Re: OpenBSD work on Tcpdump privilege separation
From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Tue, 24 Feb 2004 03:49:33 -0500
Warning: I'm getting pretty fed up with the stubborn cluelessness of thinking that dropping uid 0 is such an effective security measure when you're still giving bozos free rein over your system as a regular user. So, sorry if I sound a little nasty here, but apparently someone needs to get in your face about this.
Pekka Savola wrote:
> Current tcpdump already implements everything except chroot AFAIK.
Yeah, everything except the one thing that might actually help.
> Chroot would probably be a bit more difficult, because it might be difficult to agree to a directory to chroot to; there would have to be a command-line/compile-time toggle -- and when reading/writing capture files, you'd have to do some file descriptor passing tricks etc. I'm not personally sure whether it's worth it.
First of all, it's not "a bit more difficult". Andrew already wrote the damned code. Why don't you take a look? IIRC, his code actually creates a temp dir and rmdirs it afterward for good measure, though using a fixed directory has the benefit that the target filesystem can be read-only.
Second, what's not "worth it" is just dropping uid 0. For Christ's sake, as long as you've got uid 0 to start with, /chroot/. There's no excuse not to. Dropping uid 0 without chrooting first is like locking yourself in the bathroom and letting the intruder have the rest of the house -- IOW just plain stupid.
Take a look at what openssh means when it talks about "privilege separation": the unprivileged process chroots to /var/empty, and then drops uid 0. While you're busy talking about OpenBSD "privilege separation", maybe it would help if you'd look at their most obvious example.
Or go back and read the thread we just had on this.
--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
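The sequence the message insists on (chroot while still uid 0, chdir into the jail, drop groups and uid, then verify uid 0 cannot be regained), written out as an added C example; this is not tcpdump's, Andrew's or OpenSSH's code, and the jail path /var/empty and uid/gid 65534 are assumed values.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the process to `jail` and only then give up uid 0.
 * Returns 0 on success, -1 with errno set on failure; on failure the
 * caller must exit rather than continue with partial privileges. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    /* Refuse a relative jail path or a "drop" to uid/gid 0. */
    if (jail == NULL || jail[0] != '/' || uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* chroot(2) needs uid 0, so it must run before any setuid call. */
    if (chroot(jail) == -1)
        return -1;
    /* Without this the working directory still points outside the jail. */
    if (chdir("/") == -1)
        return -1;
    /* Supplementary groups first (needs root), then gid, then uid. */
    if (setgroups(1, &gid) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    /* Verify uid 0 is really gone: regaining it must now fail. */
    if (setuid(0) != -1 || geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Assumed target: uid/gid 65534 ("nobody" on many systems) in /var/empty. */
    if (drop_privileges("/var/empty", 65534, 65534) == -1) {
        perror("drop_privileges");
        return 1;
    }
    puts("confined to /var/empty and running unprivileged");
    return 0;
}
```

Run it as root to see the full sequence succeed; as an ordinary user the chroot step itself fails with EPERM, which is the point: the jail can only be set up while uid 0 is still held.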