tcpdump mailing list archives

Re: OpenBSD work on Tcpdump privilege separation

From: Andrew Pimlott <andrew () pimlott net>
Date: Mon, 23 Feb 2004 14:30:27 -0500

On Mon, Feb 23, 2004 at 04:42:26AM -0500, Jefferson Ogata wrote:

You know after all that discussion on this topic last month, Andrew Pimlott 
came up with a patch to do a chroot/setuid that no one has commented on, 
AFAIK. Maybe it's worth looking at...?


I haven't touched the code since then, so the last patch I posted is
still what you should look at.[1]  To be perfectly honest, I am happy
enough with simple uid dropping that I stopped paying attention when I
heard that a patch for this had gone in.

That said, I just looked at (didn't try running) the current code[2] and
there appear to be some problems.

- If tcpdump is setuid root, "tcpdump -Z root" enables anyone to read
  and write root's files, as well as get root from any exploit.

- If root uses "tcpdump -Z nobody", he will not be able to read his own
  files with "-r" (my first patch had the same issue).  I don't think
  this is desirable.  He will also not be able to write his own files
  with "-w", and this problem existed in my patch as well.  The simplest
  solution would seem to be doing the "-w" earlier, but I'm not sure.
  (This seems also to apply to -F, and perhaps something else I've
  missed in a quick scan of what happens after -Z is handled.)

- It doesn't make sense for WITH_USER to be handled so much later than
  -Z.  Perhaps the author noticed the above problems and decided to drop
  privileges later.  Ok, but then -Z should be done later too.

- initgroups(pw->pw_name, 0) causes gid 0 to be left in the supplemental
  group list.  It should be initgroups(pw->pw_name, pw->pw_gid).

Andrew

[1] http://www.tcpdump.org/lists/workers/2004/01/msg00064.html
[2] The relevant changes are
    http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/tcpdump.c?r1=1.225&r2=1.226
    http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/tcpdump.c?r1=1.226&r2=1.227
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe

Current thread:

Re: OpenBSD work on Tcpdump privilege separation, (continued)
- - Re: OpenBSD work on Tcpdump privilege separation Guy Harris (Feb 22)
    - SIOCGIFCONF under Linux on Itanium in 32 bit compatibility mode Shaun (Feb 22)
    - Re: SIOCGIFCONF under Linux on Itanium in 32 bit compatibility mode Guy Harris (Feb 22)
    - Re: SIOCGIFCONF under Linux on Itanium in 32 bit compatibility mode Shaun (Feb 22)
    - Re: SIOCGIFCONF under Linux on Itanium in 32 bit compatibility mode Guy Harris (Feb 27)
    - Re: OpenBSD work on Tcpdump privilege separation Guy Harris (Feb 22)
  - Re: OpenBSD work on Tcpdump privilege separation Pekka Savola (Feb 22)
    - Re: OpenBSD work on Tcpdump privilege separation Jefferson Ogata (Feb 23)
    - Re: OpenBSD work on Tcpdump privilege separation Pekka Savola (Feb 23)
    - Re: OpenBSD work on Tcpdump privilege separation Jefferson Ogata (Feb 24)
    - Re: OpenBSD work on Tcpdump privilege separation Andrew Pimlott (Feb 23)
    - Re: OpenBSD work on Tcpdump privilege separation Pekka Savola (Feb 23)
    - Re: OpenBSD work on Tcpdump privilege separation Michael Richardson (Feb 24)
    - Re: OpenBSD work on Tcpdump privilege separation Jefferson Ogata (Feb 24)
    - privileges and 'C' -flag [Re: OpenBSD work on Tcpdump privilege separation] Pekka Savola (Feb 24)
    - Re: OpenBSD work on Tcpdump privilege separation Hannes Gredler (Feb 23)
    - Re: OpenBSD work on Tcpdump privilege separation Pekka Savola (Feb 23)
    - Re: OpenBSD work on Tcpdump privilege separation Hannes Gredler (Feb 24)
    - Re: OpenBSD work on Tcpdump privilege separation Andrew Pimlott (Feb 24)
    - Re: OpenBSD work on Tcpdump privilege separation Pekka Savola (Feb 24)
    - Re: OpenBSD work on Tcpdump privilege separation Andrew Pimlott (Feb 24)

(Thread continues...)