tcpdump mailing list archives
Re: OpenBSD work on Tcpdump privilege separation
From: Andrew Pimlott <andrew () pimlott net>
Date: Mon, 23 Feb 2004 14:30:27 -0500
On Mon, Feb 23, 2004 at 04:42:26AM -0500, Jefferson Ogata wrote:
You know after all that discussion on this topic last month, Andrew Pimlott came up with a patch to do a chroot/setuid that no one has commented on, AFAIK. Maybe it's worth looking at...?
I haven't touched the code since then, so the last patch I posted is still what you should look at.[1] To be perfectly honest, I am happy enough with simple uid dropping that I stopped paying attention when I heard that a patch for this had gone in.

That said, I just looked at (didn't try running) the current code[2] and there appear to be some problems.

- If tcpdump is setuid root, "tcpdump -Z root" enables anyone to read and write root's files, as well as get root from any exploit.
- If root uses "tcpdump -Z nobody", he will not be able to read his own files with "-r" (my first patch had the same issue). I don't think this is desirable. He will also not be able to write his own files with "-w", and this problem existed in my patch as well. The simplest solution would seem to be doing the "-w" earlier, but I'm not sure. (This seems also to apply to -F, and perhaps something else I've missed in a quick scan of what happens after -Z is handled.)
- It doesn't make sense for WITH_USER to be handled so much later than -Z. Perhaps the author noticed the above problems and decided to drop privileges later. Ok, but then -Z should be done later too.
- initgroups(pw->pw_name, 0) causes gid 0 to be left in the supplemental group list. It should be initgroups(pw->pw_name, pw->pw_gid).

Andrew

[1] http://www.tcpdump.org/lists/workers/2004/01/msg00064.html
[2] The relevant changes are
http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/tcpdump.c?r1=1.225&r2=1.226
http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/tcpdump.c?r1=1.226&r2=1.227

- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
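The privilege drop the post discusses, written out as an added C example that is not part of the original message or of tcpdump's own code: supplemental groups are set with the user's primary gid (the initgroups fix from the last bullet), the drop is verified afterwards so a leftover gid 0 is caught, and the helper refuses a uid/gid 0 target, which is this example's own mitigation for the "-Z root on a setuid-root binary" problem. Function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 256

/* Returns 1 if any entry in groups[0..n) equals target (e.g. gid 0). */
int groups_contain(const gid_t *groups, int n, gid_t target)
{
    for (int i = 0; i < n; i++)
        if (groups[i] == target)
            return 1;
    return 0;
}

/* A "drop" to uid 0 or gid 0 is not a drop at all; refuse it. */
int target_is_privileged(uid_t uid, gid_t gid)
{
    return uid == 0 || gid == 0;
}

/* Drop to the named user in the safe order: supplemental groups
 * (with the user's own primary gid, not 0), then primary gid, then
 * uid. Returns 0 on success, -1 with errno set on any failure,
 * including a verification failure after the drop. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { errno = ENOENT; return -1; }
    if (target_is_privileged(pw->pw_uid, pw->pw_gid)) { errno = EPERM; return -1; }
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;

    /* Verify: real and effective ids must match, and gid 0 must not
     * survive in the supplemental group list. */
    gid_t groups[MAX_GROUPS];
    int n = getgroups(MAX_GROUPS, groups);
    if (n < 0) return -1;
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid || getegid() != pw->pw_gid ||
        groups_contain(groups, n, 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```

Call drop_privileges() only after every root-requiring step (opening the capture device, any -r/-w/-F files the post mentions) has been done, since nothing opened afterwards will be accessible as the unprivileged user.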