tcpdump mailing list archives
Re: why doesn't tcpdump drop privileges?
From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Wed, 21 Jan 2004 22:45:31 -0500
Andrew Pimlott wrote:
On Tue, Jan 20, 2004 at 11:57:42PM -0500, Jefferson Ogata wrote: But the unix security model is based upon userids, so if you think access to an unprivileged userid is "almost" the same as root, it seems tantamount to calling unix security "useless".
Not useless, just runs a distant second to keeping the bozo off your system in the first place.
Anyway, can we at least agree that giving the attacker nobody is a little better than giving him root? :-)
Sure. That's perhaps a nicer way of saying what I said before: almost as bad. Half-empty/half-full, etc.
I agree that a dedicated user is better. However, I still think that defaulting to nobody will protect people (to some degree) on most systems, and I think the risk of nobody being a bad choice is low (certainly it can't be worse than remaining root). If nobody doesn't exist, oh well.
You could also just pick an arbitrary numeric uid if nobody fails. So maybe try getpwnam("pcap") first, then getpwnam("nobody"), then find a uid > 1024 that is unused for your last-ditch default.
There's a big problem domain you're not fully treating, which is what happens when one process captures and writes to a pcap file, and someone else comes along and runs a protocol dissector on the saved file later. First, your patch is dropping privileges before opening the pcap file, which looks out of order to me.This is important so that a setuid tcpdump (I can't imagine why anyone would do that, but it seems to be supported in the code) can't open root trace files, as mentioned in the existing comments. I didn't change this from the old behavior.
But then how can root read his own trace file when it's mode 0600? I think if ruid == euid you want to open the trace file before dropping privileges.
-- Jefferson Ogata <Jefferson.Ogata () noaa gov> NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov> - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 20)
- Re: why doesn't tcpdump drop privileges? Jefferson Ogata (Jan 20)
- Re: why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 20)
- Re: why doesn't tcpdump drop privileges? Jefferson Ogata (Jan 20)
- Re: why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 21)
- Re: why doesn't tcpdump drop privileges? Jefferson Ogata (Jan 21)
- Re: why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 23)
- Re: why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 20)
- Re: why doesn't tcpdump drop privileges? Ryan Mooney (Jan 21)
- Re: why doesn't tcpdump drop privileges? Jefferson Ogata (Jan 21)
- Re: why doesn't tcpdump drop privileges? Jefferson Ogata (Jan 20)
- Re: why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 20)
- Re: why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 20)
- Re: why doesn't tcpdump drop privileges? Pekka Savola (Jan 20)
- Re: why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 21)
- Re: why doesn't tcpdump drop privileges? Pekka Savola (Jan 21)
- Re: why doesn't tcpdump drop privileges? Hannes Gredler (Jan 24)