tcpdump mailing list archives

Re: OpenBSD work on Tcpdump privilege separation


From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Tue, 24 Feb 2004 19:09:39 -0500

Andrew Pimlott wrote:
On Tue, Feb 24, 2004 at 10:40:39PM +0200, Pekka Savola wrote:
My threat analysis is that dropping root and chrooting when tcpdump is run as setuid is not worth the trouble. Switching to the getuid() is sufficient: you'll just hose the account you run tcpdump as, not root.

I'm fine with that.  I think all we need to do is make sure we only try
droproot() when euid is still 0.

While I agree that the setuid installation of tcpdump should be frowned upon, there's no reason not to do whatever we can to protect the user against compromise via a buggy protocol dissector. If you can chroot, do so. The threat of running tcpdump setuid should be that a non-root user can intercept sensitive network traffic, /not/ that any dumb user on your box can end up getting buffer overflowed into giving 3l33t-boy a shell without your knowledge.

+       if (rmdir(chrootdir) != 0)
+               error("couldn't remove %s", chrootdir);
+       if (chroot(".") != 0)
+               error("couldn't chroot");
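Review bot: the rmdir/chroot pair only confines the process if the working directory is already chrootdir when chroot(".") runs, so this hunk depends on a chdir(chrootdir) that precedes it (not shown here) and should be followed by a chdir("/") so the cwd is the new root. The rmdir(chrootdir) failure path is the important one: if it fails with ENOTEMPTY because something was placed in the jail, aborting via error() before the chroot is the right behaviour and should be kept, not downgraded to a warning.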

you're rmdir'ing before chroot'ing ?

It works on my Linux system and prevents the directory from being left
behind as garbage.  I bet it works on most unix-like systems, but I
would be interested to see counter-examples.  :-)

It should work fine in general. And not only does it prevent the directory from being left behind, but then even if someone manages to drop files in the jail, they won't be lying around for use by a later attack over a different vector. In addition, I believe that, on Linux at least, you can't create files in an unlinked directory.

Andrew, I know I suggested that you do the tmpdir thing when we started all this, but in retrospect I'd be as happy with just using a fixed directory, perhaps /var/empty by default, but configurable at compile time. I wouldn't lose the tmpdir code, just make it configurable whether to use a tmpdir or a fixed directory.

The reason, as previously mentioned, is that the directory can then reside on a read-only filesystem, which adds another layer of protection.

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
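The privilege-drop sequence discussed in this thread (only attempt it while euid is 0; chdir into the jail, rmdir it while it is the cwd, chroot("."), then shed groups and ids), written out as an added, self-contained example that is not tcpdump's code nor Andrew's patch. It assumes a writable parent directory (/tmp) and a constructed unprivileged uid/gid of 65534.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of the privilege drop. DROP_NOT_ROOT means "nothing to do":
 * the thread's point is that droproot() must only run while euid is 0. */
enum droproot_result { DROP_OK = 0, DROP_NOT_ROOT = 1, DROP_FAILED = -1 };

/* Jail the process in a fresh, empty, unlinked directory under `parent`
 * and switch to the unprivileged uid/gid. Order matters: chdir into the
 * jail, rmdir it while it is our cwd, then chroot(".") so the new root is
 * an inode no longer reachable by any path, then drop group and user ids. */
enum droproot_result droproot(const char *parent, uid_t uid, gid_t gid)
{
    char tmpl[PATH_MAX];

    if (geteuid() != 0)            /* not setuid and not run by root: leave alone */
        return DROP_NOT_ROOT;
    if (snprintf(tmpl, sizeof tmpl, "%s/tcpdump.XXXXXX", parent) >= (int)sizeof tmpl)
        return DROP_FAILED;
    if (mkdtemp(tmpl) == NULL)     /* mode 0700, owned by root */
        return DROP_FAILED;
    if (chdir(tmpl) != 0)
        return DROP_FAILED;
    if (rmdir(tmpl) != 0)          /* unlink the jail; cwd still refers to it */
        return DROP_FAILED;
    if (chroot(".") != 0 || chdir("/") != 0)
        return DROP_FAILED;
    if (setgroups(0, NULL) != 0)   /* shed supplementary groups while still root */
        return DROP_FAILED;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return DROP_FAILED;
    if (setuid(0) == 0)            /* the drop must be irreversible */
        return DROP_FAILED;
    return DROP_OK;
}

int main(void)
{
    /* 65534 is a constructed example uid/gid for an unprivileged account. */
    enum droproot_result r = droproot("/tmp", 65534, 65534);
    printf("droproot: %s (uid now %ld)\n",
           r == DROP_OK ? "ok" : r == DROP_NOT_ROOT ? "skipped, not root" : "failed",
           (long)getuid());
    return r == DROP_FAILED ? 1 : 0;
}
```

Run as an ordinary user it reports "skipped, not root"; run as root it ends up as uid 65534 inside an empty, already-unlinked root directory.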

