tcpdump mailing list archives

Re: OpenBSD work on Tcpdump privilege separation


From: Guy Harris <gharris () sonic net>
Date: Sun, 22 Feb 2004 22:56:35 -0800

On Sun, Feb 22, 2004 at 03:14:53PM -0800, Guy Harris wrote:
"pcap_set_datalink()" doesn't, at least on the BSDs, require root
privileges; the ioctl either isn't present (in which case you can't set
the data link type) or is unprivileged.

It can also, in current-CVS libpcap, be used to request that an Ethernet
capture be given a link-layer type of DOCSIS, for use when capturing
DOCSIS-forwarded-to-an-Ethernet from some Cisco cable modem equipment
(they send DOCSIS frames inside low-level Ethernet framing).  That
requires no special privileges (the only difference it makes is that the
link-layer type value in the pcap_t structure is changed).

It's also supported for captures on Endace DAG cards when capturing on a
serial link, to specify whether the packets should be assumed to have
PPP or Cisco HDLC headers.  That also just changes the link-layer type
value in the pcap_t structure, and requires no special privileges.

Currently, BSDs with the appropriate ioctls, and the Ethernet/DOCSIS
stuff for all platforms and PPP/CHDLC stuff for DAG cards, are the only
places where the link-layer type can be set.  No other OS currently, as
far as I know, directly supports a BSD-style "select the link-layer
type" operation; I don't know whether any are planning on doing so.

However, it's conceivable that, at some point, Linux *might* support
forcing cooked-mode captures that way.  Unfortunately, that requires
closing the SOCK_RAW/PF_PACKET socket and opening a SOCK_DGRAM/PF_PACKET
socket; that *would* require root privileges - but it would also run the
risk that the new "socket()", etc. calls might fail, causing the call to
fail in such a way that the "pcap_t" is no longer usable, rather than
just failing in such a way that the link-layer type isn't changed.  A
scheme to allow a link-layer type to be chosen at open time (from a list
of link-layer types presumably obtained through an earlier open, or
perhaps from a future extended version of "pcap_findalldevs()") would
fix those problems.

Given that "pcap_snapshot()" just returns "p->snapshot", which is set
from the argument supplied to "pcap_open_live()" and from the capture
file header by "pcap_open_offline()", I'm not sure why it'd be dangerous
with root or why it'd require root privileges.

Actually, it's not necessarily the argument supplied to
"pcap_open_live()", as if that was too small, libpcap might have
increased it.  It's still read-only, however.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
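The message above notes that pcap_snapshot() simply returns p->snapshot, which pcap_open_offline() takes, together with the link-layer type, from the capture file header. The following is an added example, not libpcap's own code and not part of the original post: a small C parser for the 24-byte pcap file header that recovers exactly those two fields, handling both file byte orders and both magic numbers. The struct and function names (pcap_header_info, parse_pcap_header, dlt_name) are chosen here and are not libpcap APIs; the DLT numbers are the values libpcap assigns in pcap/dlt.h; the sample headers are constructed inline and were not taken from any capture.

```c
/* Added example, not libpcap code: parse the pcap file header to recover the
 * snapshot length and link-layer type that an offline pcap_t would report. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PCAP_FILE_HEADER_LEN 24
#define PCAP_MAGIC      0xa1b2c3d4u   /* microsecond timestamp resolution */
#define PCAP_NSEC_MAGIC 0xa1b23c4du   /* nanosecond timestamp resolution */

/* Link-layer type numbers as assigned in libpcap's pcap/dlt.h. */
#define DLT_EN10MB  1
#define DLT_PPP     9
#define DLT_C_HDLC  104
#define DLT_DOCSIS  143

/* Name chosen for this example; not a libpcap structure. */
struct pcap_header_info {
    int big_endian;      /* byte order of the file, not of the host */
    int nanosecond;      /* timestamp resolution, from the magic number */
    unsigned version_major, version_minor;
    uint32_t snaplen;    /* what pcap_snapshot() reports for this file */
    uint32_t linktype;   /* what pcap_datalink() reports for this file */
};

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint32_t get_be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}
static uint32_t get32(const uint8_t *p, int big_endian) {
    return big_endian ? get_be32(p) : get_le32(p);
}
static unsigned get16(const uint8_t *p, int big_endian) {
    return big_endian ? ((unsigned)p[0] << 8 | p[1]) : ((unsigned)p[1] << 8 | p[0]);
}

/* Returns 0 and fills *out on success; -1 if the buffer is shorter than a
 * file header or the magic is not a pcap magic in either byte order. The
 * byte order is inferred from how the magic reads, independent of the host. */
int parse_pcap_header(const uint8_t *buf, size_t len, struct pcap_header_info *out)
{
    if (len < PCAP_FILE_HEADER_LEN)
        return -1;
    uint32_t magic = get_le32(buf);
    int big_endian = 0;
    if (magic != PCAP_MAGIC && magic != PCAP_NSEC_MAGIC) {
        magic = get_be32(buf);
        big_endian = 1;
        if (magic != PCAP_MAGIC && magic != PCAP_NSEC_MAGIC)
            return -1;
    }
    out->big_endian    = big_endian;
    out->nanosecond    = (magic == PCAP_NSEC_MAGIC);
    out->version_major = get16(buf + 4, big_endian);
    out->version_minor = get16(buf + 6, big_endian);
    /* bytes 8..15 hold thiszone and sigfigs; neither affects the fields here */
    out->snaplen  = get32(buf + 16, big_endian);
    out->linktype = get32(buf + 20, big_endian);
    return 0;
}

/* Names for the link-layer types discussed in the thread; others are "other". */
const char *dlt_name(uint32_t dlt)
{
    switch (dlt) {
    case DLT_EN10MB: return "EN10MB";
    case DLT_PPP:    return "PPP";
    case DLT_C_HDLC: return "C_HDLC";
    case DLT_DOCSIS: return "DOCSIS";
    default:         return "other";
    }
}

/* Constructed sample headers (not from a real capture). */
static const uint8_t sample_le[PCAP_FILE_HEADER_LEN] = {
    0xd4, 0xc3, 0xb2, 0xa1,  0x02, 0x00,  0x04, 0x00,   /* magic, v2.4 */
    0, 0, 0, 0,  0, 0, 0, 0,                            /* thiszone, sigfigs */
    0xff, 0xff, 0x00, 0x00,                              /* snaplen 65535 */
    0x01, 0x00, 0x00, 0x00                               /* DLT_EN10MB */
};
static const uint8_t sample_be[PCAP_FILE_HEADER_LEN] = {
    0xa1, 0xb2, 0xc3, 0xd4,  0x00, 0x02,  0x00, 0x04,   /* magic, v2.4 */
    0, 0, 0, 0,  0, 0, 0, 0,
    0x00, 0x00, 0x00, 0x60,                              /* snaplen 96 */
    0x00, 0x00, 0x00, 0x8f                               /* DLT_DOCSIS */
};

int main(void)
{
    const uint8_t *samples[] = { sample_le, sample_be };
    for (size_t i = 0; i < 2; i++) {
        struct pcap_header_info h;
        if (parse_pcap_header(samples[i], PCAP_FILE_HEADER_LEN, &h) != 0) {
            printf("sample %zu: not a pcap header\n", i);
            continue;
        }
        printf("sample %zu: %s-endian, v%u.%u, snaplen %u, linktype %u (%s)\n",
               i, h.big_endian ? "big" : "little", h.version_major,
               h.version_minor, h.snaplen, h.linktype, dlt_name(h.linktype));
    }
    return 0;
}
```

The two samples carry the same version but opposite byte orders, so the parser's order detection is exercised without relying on the host's endianness; a pcap_t opened on such a file would report snaplen and linktype as read here, with no privilege involved.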