tcpdump mailing list archives

Re: OpenBSD work on Tcpdump privilege separation


From: Guy Harris <gharris () sonic net>
Date: Sun, 22 Feb 2004 15:14:53 -0800

On Sun, Feb 22, 2004 at 09:36:33AM +0200, Pekka Savola wrote:
> The current tcpdump just drops privileges before pretty much anything
> is done.  Now looking at the code, maybe the privilege separation
> could be done even slightly earlier in the "pcap_open_live" branch,
> e.g., after pcap_open_live, but I haven't tested this.  I guess it
> depends on whether pcap_set_datalink, pcap_snapshot (this one might
> be dangerous with root!) or pcap_lookupnet requires root privileges.

"pcap_set_datalink()" doesn't, at least on the BSDs, require root
privileges; the ioctl either isn't present (in which case you can't set
the data link type) or is unprivileged.

Given that "pcap_snapshot()" just returns "p->snapshot", which is set
from the argument supplied to "pcap_open_live()" and from the capture
file header by "pcap_open_offline()", I'm not sure why it'd be dangerous
with root or why it'd require root privileges.

"pcap_lookupnet()", however, might well require extended privileges on
some OSes, in order to fetch the netmask for a given adapter.

However, on BSDs, even "pcap_open_live()" doesn't necessarily require
root privileges!  It doesn't require them on my machines:

        % ls -l /dev/bpf*
        crw-------  1 guy  wheel   23,   0 Jun  9  2002 /dev/bpf0
        crw-------  1 guy  wheel   23,   1 Jun  9  2002 /dev/bpf1

which means that I just run tcpdump - and Ethereal - as myself, and they
don't have any privileges to drop.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
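The drop-privileges step Pekka refers to, placed where Guy's reply suggests it can go (right after pcap_open_live() has returned, before any packet is looked at), written out as an added C example; this is not tcpdump's own code, and the function name drop_privileges, the verification checks and the argv handling are my own. On a system set up like Guy's, where /dev/bpf* is owned by the capturing user, the function is a no-op apart from its checks.

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up root in favour of uid/gid.  In tcpdump this
 * step belongs immediately after pcap_open_live() has handed back
 * the capture handle (the already-open BPF descriptor keeps working
 * without privileges) and before the first packet is dissected.
 * Order matters: groups and gid first, because once the uid is no
 * longer 0 those two calls are refused.  Returns 0 or -1. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root can change supplementary groups; a stale root-only
     * group would keep access the new identity should not have. */
    if (geteuid() == 0 && setgroups(1, &gid) == -1)
        return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* Verify the kernel really applied the change. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* A proper drop is irreversible: regaining uid 0 must fail.
     * Skipped when the target is uid 0 itself. */
    if (uid != 0 && setuid(0) != -1)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Target account: argv[1] if given, else the invoking identity. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (argc > 1) {
        struct passwd *pw = getpwnam(argv[1]);   /* e.g. "nobody" */
        if (pw == NULL) {
            fprintf(stderr, "unknown user %s\n", argv[1]);
            return 1;
        }
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    }
    if (drop_privileges(uid, gid) == -1) {
        perror("drop_privileges");
        return 1;
    }
    printf("now running as uid %ld gid %ld\n", (long)getuid(), (long)getgid());
    return 0;
}
```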