tcpdump mailing list archives

Re: OpenBSD work on Tcpdump privilege separation


From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Tue, 24 Feb 2004 18:08:36 -0500

Michael Richardson wrote:
In sandelman.project.tcpdump.workers, you wrote:
- If root uses "tcpdump -Z nobody", he will not be able to read his own
 files with "-r" (my first patch had the same issue).  I don't think
 this is desirable.  He will also not be able to write his own files
 with "-w", and this problem existed in my patch as well.  The simplest
 solution would seem to be doing the "-w" earlier, but I'm not sure.
 (This seems also to apply to -F, and perhaps something else I've
 missed in a quick scan of what happens after -Z is handled.)

  And don't forget that -C permits rolling files, so one might have to
*recover* from chroot() to do that, and then become root again,
etc. Think about this for a moment.

Not an issue. You don't /need/ to chroot, or even drop uid, if you're just writing a pcap file. It's the protocol dissectors that compromise you. Think about this for a moment. ;^)

You only need to chroot after you've opened a live device or a pcap file for reading and are doing actual protocol dissection. In that case, you won't be rolling over with -C so it doesn't matter that you can't get out of your root or recover uid 0.

  It might be SIMPLER on many systems to just chown /dev/bpf* to the
right userid and run tcpdump, unprivileged as that userid. I know not
every system can do that.

It's simpler, and also practically useless. If you don't want to get compromised, you either have to make sure all the protocol dissectors are clean, or else do what openssh does and accept that there are risks in the code. The mitigation then is to /chroot/ and /setuid/ -- not just one or the other.

  The right answer is that tcpdump needs to fork, drop privileges in
the child, do all of the network I/O and printing there, and pipe
everything back to the parent for disk I/O.

The only disk I/O that happens when you're doing protocol dissection is reading the pcap file, other than what an attacker causes you to do unawares. Thus the right answer is that whenever you are doing protocol dissection, you /chroot/ and drop uid 0.

  That's a bigger project - making all the printing stuff into a library
is, in my opinion, the first step.

The first step, as I've described a couple of times over the last few years, is to abstract protocol dissection into a virtual machine, preferably BPF.

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
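The ordering Ogata argues for above (open the capture source while still root, then chroot and drop uid 0 together, and only then run the dissectors) written out as a small C program. This is an added illustration, not tcpdump's code or anything from the OpenBSD patch; it stands in for "-Z nobody" by resolving the user with getpwnam() before the chroot (since /etc/passwd is unreachable afterwards) and falls back to a constructed uid/gid of 65534 if the name does not resolve. The pcap header it reads is constructed inline, and the jail is an empty mkdtemp() directory. When the program is not started as root it skips the chroot/setuid steps but still checks that uid 0 cannot be regained.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Fallback identity if the named user cannot be resolved (constructed value,
 * the conventional "nobody" uid/gid on many systems). */
#define FALLBACK_UID ((uid_t)65534)
#define FALLBACK_GID ((gid_t)65534)

/* Minimal pcap global header (little-endian magic, version 2.4, snaplen 65535,
 * link type 1 = Ethernet), constructed inline so the example runs offline. */
static const unsigned char PCAP_HDR[24] = {
    0xd4, 0xc3, 0xb2, 0xa1, 0x02, 0x00, 0x04, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xff, 0xff, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00
};

/* Resolve the "-Z <user>" name before chroot(): /etc/passwd is gone afterwards. */
void resolve_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    *uid = pw ? pw->pw_uid : FALLBACK_UID;
    *gid = pw ? pw->pw_gid : FALLBACK_GID;
}

/* Step 1: open the capture source while still privileged. Returns fd or -1. */
int open_capture_source(const char *path)
{
    return open(path, O_RDONLY);
}

/* Step 2: chroot AND drop root, both together, as the post argues.
 * Returns 0 when the process is verifiably unprivileged afterwards, else -1.
 * When not started as root there is nothing to drop, but the irreversibility
 * check still runs. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        if (chroot(jail) != 0 || chdir("/") != 0) return -1;
        if (setgroups(0, NULL) != 0) return -1;  /* supplementary groups first */
        if (setgid(gid) != 0) return -1;         /* gid before uid: needs root */
        if (setuid(uid) != 0) return -1;
    }
    /* Irreversibility: regaining uid 0 must fail. */
    if (geteuid() == 0 || setuid(0) == 0) return -1;
    return 0;
}

/* Step 3: the only disk I/O dissection needs is the already-open fd.
 * Returns the pcap link type, or -1 if the data is not a pcap header. */
int dissect_header(int fd)
{
    unsigned char hdr[24];
    if (read(fd, hdr, sizeof hdr) != (ssize_t)sizeof hdr) return -1;
    if (memcmp(hdr, PCAP_HDR, 4) != 0) return -1;   /* magic number check */
    return (int)((unsigned)hdr[20] | ((unsigned)hdr[21] << 8) |
                 ((unsigned)hdr[22] << 16) | ((unsigned)hdr[23] << 24));
}

/* Whole session in the thread's order: resolve user, open source,
 * chroot + setuid, only then parse. Returns the link type (1) or -1. */
int run_dissection_session(void)
{
    char file[] = "/tmp/pcap-example-XXXXXX";   /* constructed sample capture */
    char jail[] = "/tmp/pcap-jail-XXXXXX";      /* empty directory to chroot into */
    uid_t uid; gid_t gid;
    int fd, cap, linktype;

    resolve_user("nobody", &uid, &gid);

    fd = mkstemp(file);
    if (fd < 0) return -1;
    if (write(fd, PCAP_HDR, sizeof PCAP_HDR) != (ssize_t)sizeof PCAP_HDR) return -1;
    close(fd);
    if (mkdtemp(jail) == NULL) return -1;

    cap = open_capture_source(file);  /* privileged: before the drop */
    unlink(file);                      /* the open fd survives the unlink */
    if (cap < 0) return -1;

    if (drop_privileges(jail, uid, gid) != 0) { close(cap); return -1; }
    rmdir(jail);                       /* fails harmlessly once inside the jail */

    linktype = dissect_header(cap);    /* unprivileged: dissection happens here */
    close(cap);
    return linktype;
}

int main(void)
{
    int lt = run_dissection_session();
    printf("dissected as uid %u, link type %d\n", (unsigned)geteuid(), lt);
    return lt == 1 ? 0 : 1;
}
```

Because the file is opened before the drop, the "-r file is unreadable after -Z" complaint in the quoted text does not arise for the dissection path; the same ordering cannot help "-w" with "-C" rolling, which is exactly why the post treats capture-only runs as not needing the jail at all.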

