tcpdump mailing list archives
Re: OpenBSD work on Tcpdump privilege separation
From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Tue, 24 Feb 2004 18:08:36 -0500
Michael Richardson wrote:
> In sandelman.project.tcpdump.workers, you wrote:
>> - If root uses "tcpdump -Z nobody", he will not be able to read his own files with "-r" (my first patch had the same issue). I don't think this is desirable. He will also not be able to write his own files with "-w", and this problem existed in my patch as well. The simplest solution would seem to be doing the "-w" earlier, but I'm not sure. (This seems also to apply to -F, and perhaps something else I've missed in a quick scan of what happens after -Z is handled.)
>
> And don't forget that -C permits rolling files, so one might have to *recover* from chroot() to do that, and then become root again, etc. Think about this for a moment.
Not an issue. You don't /need/ to chroot, or even drop uid, if you're just writing a pcap file. It's the protocol dissectors that compromise you. Think about this for a moment. ;^)
You only need to chroot after you've opened a live device or a pcap file for reading and are doing actual protocol dissection. In that case, you won't be rolling over with -C so it doesn't matter that you can't get out of your root or recover uid 0.
> It might be SIMPLER on many systems to just chown /dev/bpf* to the right userid and run tcpdump, unprivileged, as that userid. I know not every system can do that.
It's simpler, and also practically useless. If you don't want to get compromised, you either have to make sure all the protocol dissectors are clean, or else do what openssh does and accept that there are risks in the code. The mitigation then is to /chroot/ and /setuid/ -- not just one or the other.
> The right answer is that tcpdump needs to fork, drop privileges in the child, do all of the network I/O and printing there, and pipe everything back to the parent for disk I/O.
The only disk I/O that happens when you're doing protocol dissection is reading the pcap file, other than what an attacker causes you to do unawares. Thus the right answer is that whenever you are doing protocol dissection, you /chroot/ and drop uid 0.
> That's a bigger project - making all the printing stuff into a library is, in my opinion, the first step.
The first step, as I've described a couple of times over the last few years, is to abstract protocol dissection into a virtual machine, preferably BPF.
--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
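As an added illustration of the ordering argued for in this message (open the capture source while still root, then chroot and give up uid 0 before any packet reaches a dissector), the following C sketch is the editor's, not code from tcpdump or from anyone in this thread. It stands in a plain open() for the /dev/bpf device or -r file, assumes an empty jail directory such as /var/empty exists, maps the -Z user name with getpwnam(), and uses a placeholder dissect() comment where tcpdump's printers would run.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>

/* Step 1 (still uid 0): open the capture source. In tcpdump this is the
 * bpf device or the -r file; a plain open() stands in for it here. */
int open_capture_source(const char *path) { return open(path, O_RDONLY); }

/* Step 2: lock the process into an empty directory and give up uid 0 for
 * good. setgroups/setgid must come before setuid, since they need root.
 * Returns 0 on success, a distinct negative code for the step that failed. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid) {
    if (chroot(jail) != 0) return -1;
    if (chdir("/") != 0) return -2;          /* don't keep a cwd outside the jail */
    if (setgroups(0, NULL) != 0) return -3;  /* drop supplementary groups */
    if (setgid(gid) != 0) return -4;
    if (setuid(uid) != 0) return -5;         /* real, effective and saved uid */
    return 0;
}

/* Step 3: refuse to dissect unless privilege is really gone. A lingering
 * saved uid 0 would let setuid(0) succeed, which this check catches. */
int privileges_really_dropped(uid_t uid, gid_t gid) {
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;
    return 1;
}

int main(int argc, char **argv) {
    const char *jail = "/var/empty";                       /* assumed to exist */
    const char *user = argc > 2 ? argv[2] : "nobody";     /* the -Z argument */
    struct passwd *pw = getpwnam(user);
    int in = open_capture_source(argc > 1 ? argv[1] : "capture.pcap");
    if (in < 0 || pw == NULL) { perror("open/getpwnam"); return 1; }
    if (drop_privileges(jail, pw->pw_uid, pw->pw_gid) != 0 ||
        !privileges_really_dropped(pw->pw_uid, pw->pw_gid)) {
        fprintf(stderr, "could not drop privileges; refusing to dissect\n");
        return 1;
    }
    /* Only now hand bytes to the dissectors: a bug there is confined
     * to an unprivileged process in an empty chroot. */
    char buf[4096]; ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0) { /* dissect(buf, n); */ }
    return 0;
}
```

Rolling output with -C, as raised in the quoted text, is not needed in this mode: when dissecting, the only file the process reads is the one opened before the drop.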