tcpdump mailing list archives

Re: OpenBSD work on Tcpdump privilege separation


From: Hannes Gredler <hannes () juniper net>
Date: Mon, 23 Feb 2004 14:01:27 +0100

tx pekka - can somebody pls test on the BSDs? - /hannes

On Mon, Feb 23, 2004 at 09:43:05AM +0200, Pekka Savola wrote:
| On Sun, 22 Feb 2004, Pekka Savola wrote:
| > The current tcpdump just drops privileges before pretty much anything 
| > is done.  Now looking at the code, maybe the privilege separation 
| > could be done even slightly earlier in the "pcap_open_live" branch, 
| > e.g., after pcap_open_live, but I haven't tested this.  I guess it 
| > depends on whether pcap_set_datalink, pcap_snapshot (this one might 
| > be dangerous with root!) or pcap_lookupnet requires root privileges.
| > 
| > This might be worth experimenting with.
| 
| Ok, I've tested that this works at least with Linux.  The attached 
| patch moves dropping privileges a bit earlier.
| 
| -- 
| Pekka Savola                 "You each name yourselves king, yet the
| Netcore Oy                    kingdom bleeds."
| Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

| --- tcpdump-2004.02.22/tcpdump.c~     Mon Feb 23 09:39:39 2004
| +++ tcpdump-2004.02.22/tcpdump.c      Mon Feb 23 09:39:39 2004
| @@ -771,6 +771,18 @@
|                       error("%s", ebuf);
|               else if (*ebuf)
|                       warning("%s", ebuf);
| +             /*
| +              * Let user own process after socket has been opened.
| +              */
| +#ifndef WIN32
| +             if (username) {
| +                     droproot(username);
| +             }
| +             else {
| +                     if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
| +                             fprintf(stderr, "Warning: setgid/setuid failed !\n");
| +             }
| +#endif /* WIN32 */
|  #ifdef WIN32
|               if(UserBufferSize != 1000000)
|                       if(pcap_setbuff(pd, UserBufferSize)==-1){
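Review bot: the relocated block still only prints `Warning: setgid/setuid failed !` and carries on when the drop fails, i.e. the process keeps running as root after exactly the failure this code exists to prevent; since the block is being moved anyway, turn that into a fatal `error()` (the same treatment `ebuf` gets two lines above) rather than an `fprintf(stderr, ...)`. Note also that at this position the drop now happens before the datalink/netmask setup that follows pcap_open_live, which is the change the reply says was only verified on Linux, so the BSD test request in this thread applies to this hunk in particular.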
| @@ -808,18 +820,6 @@
|                       netmask = 0;
|                       warning("%s", ebuf);
|               }
| -             /*
| -              * Let user own process after socket has been opened.
| -              */
| -#ifndef WIN32
| -             if (username) {
| -                     droproot(username);
| -             }
| -             else {
| -                     if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
| -                             fprintf(stderr, "Warning: setgid/setuid failed !\n");
| -             }
| -#endif /* WIN32 */
|       }
|       if (infile)
|               cmdbuf = read_infile(infile);
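Review bot: with the drop removed from here, the lookup whose failure path is the `netmask = 0; warning("%s", ebuf);` context just above now runs without privileges; on any platform where it does need root, the result will be a warning and a silent `netmask = 0` rather than an abort, so the BSD test should check for that warning in the output, not just whether capture still works. The `#ifndef WIN32` / `#endif` pair is removed whole, so the conditional nesting stays balanced.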

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
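As an added example, not code from tcpdump or from this thread, here is the privilege-drop sequence the patch relocates, written the way a reviewer would want it: the capture handle is opened first (the pcap_open_live call is only indicated by a comment so the example builds without libpcap), then the process drops to a named user or back to its real uid/gid, treats any failure as fatal instead of a printed warning, and verifies that the drop actually stuck. The function names `drop_privileges` and the sample user string are hypothetical.

```c
/*
 * Added example (hypothetical code, not tcpdump's droproot()): drop
 * privileges right after the capture handle is opened, fail closed, and
 * verify that root cannot be regained.
 */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Drop to `username` if given (the -Z style case), otherwise back to the
 * real uid/gid (the setuid-root wrapper case the patch's else-branch handles).
 * Returns 0 on success and -1 on any failure; the caller must treat -1 as
 * fatal, because on -1 the process may still be root.
 */
static int
drop_privileges(const char *username)
{
	uid_t uid;
	gid_t gid;

	if (username != NULL) {
		struct passwd *pw = getpwnam(username);

		if (pw == NULL) {
			fprintf(stderr, "drop_privileges: unknown user %s\n", username);
			return -1;
		}
		uid = pw->pw_uid;
		gid = pw->pw_gid;
		/* Supplementary groups are not touched by setgid(), so reset them first. */
		if (initgroups(username, gid) != 0) {
			fprintf(stderr, "drop_privileges: initgroups: %s\n", strerror(errno));
			return -1;
		}
	} else {
		/* Real ids of the invoker; supplementary groups are already theirs. */
		uid = getuid();
		gid = getgid();
	}

	/* gid first: once the uid is dropped, setgid() would no longer be allowed. */
	if (setgid(gid) != 0) {
		fprintf(stderr, "drop_privileges: setgid(%ld): %s\n", (long)gid, strerror(errno));
		return -1;
	}
	if (setuid(uid) != 0) {
		fprintf(stderr, "drop_privileges: setuid(%ld): %s\n", (long)uid, strerror(errno));
		return -1;
	}

	/* Verify: effective ids must match, and root must not be recoverable. */
	if (geteuid() != uid || getegid() != gid) {
		fprintf(stderr, "drop_privileges: effective ids did not change\n");
		return -1;
	}
	if (uid != 0 && setuid(0) == 0) {
		fprintf(stderr, "drop_privileges: root regained; saved uid was not dropped\n");
		return -1;
	}
	return 0;
}

int
main(int argc, char **argv)
{
	/*
	 * pcap_open_live(device, snaplen, promisc, to_ms, ebuf) would go here:
	 * it is the last call that needs root.  Everything below runs unprivileged.
	 */
	const char *username = argc > 1 ? argv[1] : NULL;   /* hypothetical -Z user */

	if (drop_privileges(username) != 0) {
		fprintf(stderr, "refusing to continue as root\n");
		return 1;
	}
	printf("running as uid %ld (euid %ld), gid %ld (egid %ld)\n",
	    (long)getuid(), (long)geteuid(), (long)getgid(), (long)getegid());
	return 0;
}
```

Run without arguments it drops back to the invoking user's ids, which is the branch the patch exercises for a setuid-root binary; with a user name it needs to be started as root, and an unknown user or a failed initgroups/setgid/setuid aborts instead of printing a warning.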
