tcpdump mailing list archives

Re: OpenBSD work on Tcpdump privilege separation


From: Pekka Savola <pekkas () netcore fi>
Date: Mon, 23 Feb 2004 09:43:05 +0200 (EET)

On Sun, 22 Feb 2004, Pekka Savola wrote:
> The current tcpdump just drops privileges before pretty much anything
> is done.  Now looking at the code, maybe the privilege separation
> could be done even slightly earlier in the "pcap_open_live" branch,
> e.g., after pcap_open_live, but I haven't tested this.  I guess it
> depends on whether pcap_set_datalink, pcap_snapshot (this one might
> be dangerous with root!) or pcap_lookupnet requires root privileges.
>
> This might be worth experimenting with.

Ok, I've tested that this works at least with Linux.  The attached 
patch moves dropping privileges a bit earlier.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Attachment: tcpdump-droprootearlier.patch
Description: