From owner-freebsd-security Sun Jul 14 1:57:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7571537B400 for ; Sun, 14 Jul 2002 01:57:35 -0700 (PDT) Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id D9CAD43E6A for ; Sun, 14 Jul 2002 01:57:34 -0700 (PDT) (envelope-from crist.clark@attbi.com) Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020714085734.OZUJ24728.rwcrmhc51.attbi.com@blossom.cjclark.org> for ; Sun, 14 Jul 2002 08:57:34 +0000 Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.3/8.12.3) with ESMTP id g6E8vYJK084838 for ; Sun, 14 Jul 2002 01:57:34 -0700 (PDT) (envelope-from crist.clark@attbi.com) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.3/8.12.3/Submit) id g6E8vYAF084837 for freebsd-security@FreeBSD.ORG; Sun, 14 Jul 2002 01:57:34 -0700 (PDT) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f Date: Sun, 14 Jul 2002 01:57:34 -0700 From: "Crist J. Clark" To: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:29.tcpdump Message-ID: <20020714085734.GD56656@blossom.cjclark.org> Reply-To: "Crist J. Clark" References: <200207122046.g6CKk2tG099856@freefall.freebsd.org> <200207131731.g6DHVRs92032@lurza.secnetix.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200207131731.g6DHVRs92032@lurza.secnetix.de> User-Agent: Mutt/1.4i X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Jul 13, 2002 at 07:31:27PM +0200, Oliver Fromme wrote: > FreeBSD Security Advisories wrote: > > [...] > > IV. Workaround > > > > There is no workaround, other than not using tcpdump. > > Well, you can at least set up the system in a way so you > don't have to run tcpdump as root: Create a special group, > chgrp /dev/bpf* to that group and make them group-readable > (writable is not required). Then add all users to that > group which should be allowed to use tcpdump. tcpdump(8) can still be exploited to run abitrary code as that user. > An even better approach would be to create a pseudo user > (similar to the nobody user) which is a member of the > tcpdump group, and write a small wrapper script which > uses /usr/bin/su to call tcpdump as that pseudo-user. > > Of course, that's only a quick workaround, not a solution. It's not really a workaround, it just mitigates the potential for damage should the bug be exploited. > On a related matter: It would probably be a very good idea > for tcpdump to drop priviledges right after opening the BPF > device. tcpdump(8) never has elevated privileges. It just runs as whoever executes it. As you say, the way to run it at lower privileges is to give a less privileged user read access to the bpf(4) devices. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message