tcpdump mailing list archives
Re: why doesn't tcpdump drop privileges?
From: Andrew Pimlott <andrew () pimlott net>
Date: Tue, 20 Jan 2004 21:42:28 -0500
On Tue, Jan 20, 2004 at 06:31:08PM -0600, Earl Hood wrote:
I think so. I just a posted a patch for dropping priviledges in a similiar style that the RedHat port of tcpdump does.
This must be the RedHat that never sends their patches back upstream. :-/ (I didn't see your patch because I just subscribed.)
By default, it fallsback to the pcap userid, but you can also explicitly specify which user via a command-line option.
I don't know what the pcap user is for on RedHat, but I don't see why you would change to pcap instead of nobody. nobody is essentially by definition the least empowered user on the system, so isn't that the natural choice?
The default user to fallback on should probably be a configure setting, but I did not mess with the autoconf stuff.
Me neither. ;-) But the advantage of defaulting to nobody is that it will "just work" on most systems, and thus make more people safe than any scheme that requires explicit activation by a user or administrator. I don't mind a configure setting or command-line option to override the default, of course. I also agree (as I said in my other message) with supporting security mechanisms other than unix userid on systems that have them. Changing userid is just an easy first step. Andrew - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 20)
- Re: why doesn't tcpdump drop privileges? Jefferson Ogata (Jan 20)
- Re: why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 20)
- Re: why doesn't tcpdump drop privileges? Jefferson Ogata (Jan 20)
- Re: why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 21)
- Re: why doesn't tcpdump drop privileges? Jefferson Ogata (Jan 21)
- Re: why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 23)
- Re: why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 20)
- Re: why doesn't tcpdump drop privileges? Ryan Mooney (Jan 21)
- Re: why doesn't tcpdump drop privileges? Jefferson Ogata (Jan 21)
- Re: why doesn't tcpdump drop privileges? Jefferson Ogata (Jan 20)
- Re: why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 20)
- Re: why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 20)
- Re: why doesn't tcpdump drop privileges? Pekka Savola (Jan 20)
- Re: why doesn't tcpdump drop privileges? Andrew Pimlott (Jan 21)
- Re: why doesn't tcpdump drop privileges? Pekka Savola (Jan 21)
- Re: why doesn't tcpdump drop privileges? Hannes Gredler (Jan 24)