tcpdump mailing list archives

Re: OpenBSD work on Tcpdump privilege separation

From: Pekka Savola <pekkas () netcore fi>
Date: Tue, 24 Feb 2004 09:03:56 +0200 (EET)

On Mon, 23 Feb 2004, Andrew Pimlott wrote:

- If tcpdump is setuid root, "tcpdump -Z root" enables anyone to read
  and write root's files, as well as get root from any exploit.


Fixed in the latest proposed patch, if adopted.

- If root uses "tcpdump -Z nobody", he will not be able to read his own
  files with "-r" (my first patch had the same issue).  I don't think
  this is desirable.


Root will always be able to read files written by nobody, right? :)

He will also not be able to write his own files
  with "-w", and this problem existed in my patch as well.  The simplest
  solution would seem to be doing the "-w" earlier, but I'm not sure.
  (This seems also to apply to -F, and perhaps something else I've
  missed in a quick scan of what happens after -Z is handled.)


Yep, this is a problem.  Quickest fix is delaying dropping the 
privileges, as done in the patch I posted yesterday.

- It doesn't make sense for WITH_USER to be handled so much later than
  -Z.  Perhaps the author noticed the above problems and decided to drop
  privileges later.  Ok, but then -Z should be done later too.


The distinction was made because some vendors drop the privileges by 
default, and don't expect to see warnings about write files failing.  
On the other hand, if the user uses -Z himself, he can expect some 
trouble.  But I agree that this is surprising, and should be changed, 
as done in the latest patch.

- initgroups(pw->pw_name, 0) causes gid 0 to be left in the supplemental
  group list.  It should be initgroups(pw->pw_name, pw->pw_gid).


Hmm; this seems to be the case.  I vaguely recall that there would be 
some reason why this would not be needed.  But it seems this is needed 
after all.. attached fixes this, naturally..

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Attachment: tcpdump-current-initgroups.patch
Description:

Current thread:

SIOCGIFCONF under Linux on Itanium in 32 bit compatibility mode, (continued)
- - - SIOCGIFCONF under Linux on Itanium in 32 bit compatibility mode Shaun (Feb 22)
    - Re: SIOCGIFCONF under Linux on Itanium in 32 bit compatibility mode Guy Harris (Feb 22)
    - Re: SIOCGIFCONF under Linux on Itanium in 32 bit compatibility mode Shaun (Feb 22)
    - Re: SIOCGIFCONF under Linux on Itanium in 32 bit compatibility mode Guy Harris (Feb 27)
    - Re: OpenBSD work on Tcpdump privilege separation Guy Harris (Feb 22)
  - Re: OpenBSD work on Tcpdump privilege separation Pekka Savola (Feb 22)
    - Re: OpenBSD work on Tcpdump privilege separation Jefferson Ogata (Feb 23)
    - Re: OpenBSD work on Tcpdump privilege separation Pekka Savola (Feb 23)
    - Re: OpenBSD work on Tcpdump privilege separation Jefferson Ogata (Feb 24)
    - Re: OpenBSD work on Tcpdump privilege separation Andrew Pimlott (Feb 23)
    - Re: OpenBSD work on Tcpdump privilege separation Pekka Savola (Feb 23)
    - Re: OpenBSD work on Tcpdump privilege separation Michael Richardson (Feb 24)
    - Re: OpenBSD work on Tcpdump privilege separation Jefferson Ogata (Feb 24)
    - privileges and 'C' -flag [Re: OpenBSD work on Tcpdump privilege separation] Pekka Savola (Feb 24)
    - Re: OpenBSD work on Tcpdump privilege separation Hannes Gredler (Feb 23)
    - Re: OpenBSD work on Tcpdump privilege separation Pekka Savola (Feb 23)
    - Re: OpenBSD work on Tcpdump privilege separation Hannes Gredler (Feb 24)
    - Re: OpenBSD work on Tcpdump privilege separation Andrew Pimlott (Feb 24)
    - Re: OpenBSD work on Tcpdump privilege separation Pekka Savola (Feb 24)
    - Re: OpenBSD work on Tcpdump privilege separation Andrew Pimlott (Feb 24)
    - Re: OpenBSD work on Tcpdump privilege separation Jefferson Ogata (Feb 24)

(Thread continues...)