From owner-freebsd-security@FreeBSD.ORG Mon Aug 30 02:25:13 2010
From: jhell (J. Hellenthal)
Date: Sun, 29 Aug 2010 22:25:09 -0400
To: freebsd-security@freebsd.org
Subject: Re: tcpdump -z
Message-ID: <4C7B1685.3010406@DataIX.net>
In-Reply-To: <20100827162556.GB14492@calvin.ustdmz.roe.ch>
References: <4C77A267.10102@thelostparadise.com> <20100827162556.GB14492@calvin.ustdmz.roe.ch>

On 08/27/2010 12:25, Daniel Roethlisberger wrote:
> Pieter de Boer 2010-08-27:
>> On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
>>> This is a forward message from tcpdump-workers mail list:
>>> === 8< ================>8 ===
>>> $ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
>>> [sudo] password for user:
>>> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size
>>> 65535 bytes
>>> (generate some traffic on port 55555)
>>> root@blaa ~/temp/tcpdump-4.1.1$ id
>>> uid=0(root) gid=0(root) groups=0(root)
>>>
>>> Is this known and accepted? Could this option maybe be implemented
>>> differently?
>>
>> In my opinion, if you allow people to run tools as root using sudo,
>> you'd better make sure those tools don't allow attackers to easily gain
>> root access. In the case of tcpdump, the '-w' flag most probably already
>> allowed that, although '-z' is a bit more convenient to the attacker.
>>
>> As a solution, configure your sudo correctly, only allowing specific
>> tcpdump command line options (or option sets) to be used.
>
> Or use NOEXEC on the tcpdump spec in your sudo configuration, see
> sudoers(5) for details.

A correct approach if you really need unprivileged users to have access to
tcpdump(1) with live network traffic is to provide tcpdump(1) with ``-Z
nobody'' or $USER that is starting it with sudo(8) at all times. This does
not do anything about the fact that you're allowing any user on your network
with that type of sudo access to collect password information or any other
sensitive information flow on your network. The policy here sounds corrupt
but please don't take offense to that as I am sure that your situation is
probably viable in its own respectful way. Just beware!

Regards,

-- 
jhell,v
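The three pieces of advice given in this thread (pin the tcpdump argument list, add NOEXEC, always pass -Z) combined into one sudoers(5) fragment, weak entry beside hardened entry. This is an added illustration, not configuration from the list posting; the user name `analyst`, the interface `em0` and the capture path are assumed.

```sudoers
# Weak entry: any argument is accepted, so the user can pass -z (run a
# post-rotate command with tcpdump's privileges) or an arbitrary -w path.
analyst ALL = (root) /usr/sbin/tcpdump

# Hardened entry, three independent controls:
#   1. the argument list is pinned exactly, so neither -z nor a different
#      -w path can be supplied;
#   2. -Z nobody makes tcpdump drop privileges to "nobody" once the
#      capture device has been opened;
#   3. the NOEXEC: tag stops tcpdump from executing any child process,
#      which neutralises -z even if the argument pinning is later relaxed.
# No wildcards on purpose: sudoers(5) matches the arguments as a single
# string, so a '*' in the -w path would match across word boundaries and
# let extra options through.
# Assumed values: user "analyst", interface "em0", path /var/tmp/capture.
Cmnd_Alias TCPDUMP_RO = /usr/sbin/tcpdump -Z nobody -nn -i em0 -w /var/tmp/capture/dump.pcap port 55555
analyst ALL = (root) NOEXEC: TCPDUMP_RO
```

The user must then invoke exactly `sudo /usr/sbin/tcpdump -Z nobody -nn -i em0 -w /var/tmp/capture/dump.pcap port 55555`; any deviation is refused, and `visudo -c` checks the fragment's syntax before it goes live.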