tcpdump mailing list archives
Re: [PATCH] Drop unneeded capabilities
From: Pekka Savola <pekkas () netcore fi>
Date: Thu, 24 Jun 2004 09:14:13 +0300 (EEST)
On Wed, 23 Jun 2004, Matt Beaumont wrote:
> I've written a little patch to drop all but the CAP_NET_ADMIN and CAP_NET_RAW capabilities immediately if tcpdump is running with root privileges. The idea is to limit the damage done by an exploit against tcpdump. Some of the inspiration for this patch came from here:
>
> <http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/minimize-privileges.html>
>
> This is the first patch I've ever submitted, so I'd love to hear some feedback :)
Hi,

Have you checked the code in the CVS? It already includes a "droproot" option. Yours is slightly different, though, as it uses (Linux-specific?) capabilities. I'm not sure if it's necessary when we already drop the root privileges.

Please have a look.

--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds." -- George R.R. Martin: A Clash of Kings

This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
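The capability drop discussed in this thread, as an added example; it is not Matt Beaumont's patch or tcpdump's code. It assumes Linux and uses the raw capget(2)/capset(2) syscalls instead of libcap; the function names `drop_unneeded_caps` and `holds_extra_caps` are hypothetical.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The two capabilities the post proposes keeping; both are below bit 32. */
#define KEEP_MASK ((1u << CAP_NET_ADMIN) | (1u << CAP_NET_RAW))

/* Read this process's capability sets with the raw capget(2) syscall. */
static int read_caps(struct __user_cap_data_struct d[2])
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    memset(d, 0, 2 * sizeof d[0]);
    return (int)syscall(SYS_capget, &h, d);
}

/* Intersect effective and permitted with KEEP_MASK and clear inheritable.
 * Only removing bits means this also succeeds (as a no-op) without root. */
int drop_unneeded_caps(void)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (read_caps(d) != 0)
        return -1;
    d[0].effective &= KEEP_MASK;
    d[0].permitted &= KEEP_MASK;
    d[0].inheritable = 0;
    memset(&d[1], 0, sizeof d[1]);   /* capabilities 32 and up: none kept */
    return (int)syscall(SYS_capset, &h, d);
}

/* Returns 1 if a capability outside KEEP_MASK is still held, 0 if none, -1 on error. */
int holds_extra_caps(void)
{
    struct __user_cap_data_struct d[2];
    if (read_caps(d) != 0)
        return -1;
    __u32 low = d[0].effective | d[0].permitted | d[0].inheritable;
    __u32 high = d[1].effective | d[1].permitted | d[1].inheritable;
    return ((low & ~KEEP_MASK) | high) != 0;
}

int main(void)
{
    if (drop_unneeded_caps() != 0) { perror("capset"); return 1; }
    printf("extra capabilities held: %d\n", holds_extra_caps());
    return 0;
}
```

The call leaves the UID and the capability bounding set untouched, so a process that stays UID 0 still owns root's files and regains capabilities on `execve`. That is the overlap with dropping root privileges raised in the reply above.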