From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 11:33:25 2010
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2F3A510656C4 for ; Fri, 27 Aug 2010 11:33:25 +0000 (UTC) (envelope-from pieter@thelostparadise.com)
Received: from mail.thelostparadise.com (router.thelostparadise.com [IPv6:2a02:898:0:30::30:1]) by mx1.freebsd.org (Postfix) with ESMTP id B9BB48FC0A for ; Fri, 27 Aug 2010 11:33:24 +0000 (UTC)
Received: by mail.thelostparadise.com (Postfix, from userid 127) id 4F2CA73061; Fri, 27 Aug 2010 13:33:23 +0200 (CEST)
Received: from localhost by mail.thelostparadise.com (Postfix) with ESMTP id 0378F73038; Fri, 27 Aug 2010 13:33:09 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=thelostparadise.com; s=thelostparadise; t=1282908790; bh=Dut+pgaP79G4VPWOP213RbHSwqg=; h=Message-ID:Date:From:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=mpnO6juRWJK1ZJWdrAxFWOOCNP68cZhbl3QulEg5FodQGcHDag8UyACVeG23pW0l7SGapvpTYpabs8x+oieU6J2e/ly6d5a9q1phozS9UvxhGln50FsFJ9IIHOfpRgxH8X4PnZ49wmwuLmRhgMK8U4T0VZBzebLRPqmkFW8C03s=
Message-ID: <4C77A267.10102@thelostparadise.com>
Date: Fri, 27 Aug 2010 13:32:55 +0200
From: Pieter de Boer
MIME-Version: 1.0
To: vadim_nuclight@mail.ru
References:
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,RDNS_NONE autolearn=no version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on aberdeen.thelostparadise.com
X-Mailman-Approved-At: Fri, 27 Aug 2010 11:57:40 +0000
Cc: freebsd-security@freebsd.org
Subject: Re: tcpdump -z
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 27 Aug 2010 11:33:25 -0000

On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
> This is a forwarded message from the tcpdump-workers mail list:
> === 8< ================>8 ===
> $ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
> [sudo] password for user:
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size
> 65535 bytes
> (generate some traffic on port 55555)
> root@blaa ~/temp/tcpdump-4.1.1$ id
> uid=0(root) gid=0(root) groups=0(root)
>
> Is this known and accepted? Could this option maybe be implemented
> differently?

In my opinion, if you allow people to run tools as root using sudo, you'd
better make sure those tools don't allow attackers to easily gain root
access. In the case of tcpdump, the '-w' flag most probably already allowed
that, although '-z' is a bit more convenient to the attacker.

As a solution, configure your sudo correctly, only allowing specific tcpdump
command line options (or option sets) to be used.

-- 
Pieter
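One way to put Pieter's advice into practice is to give sudo users a wrapper instead of tcpdump itself, so that only a small, fixed vocabulary of options reaches the root-privileged binary. The script below is an added example written for this archive page; it is not code from the mailing-list thread or from the tcpdump project. The tcpdump path, the capture directory, the user name and the sudoers line in the comments are all assumptions. The wrapper permits an interface, an optional packet count, an optional output file confined to a root-owned directory and a plain BPF filter, and refuses everything else, including the -z post-rotate command and the -G/-C rotation options from the quoted report.

```shell
#!/bin/sh
# safe-tcpdump: added example wrapper, not from the mailing-list post.
# Install it as the only tcpdump command a user may run through sudo, with a
# sudoers entry such as (hypothetical user and path):
#   alice ALL=(root) NOPASSWD: /usr/local/sbin/safe-tcpdump
# Accepted: -i IFACE, optional -c COUNT, optional -w NAME (kept inside
# CAPTURE_DIR) and a BPF filter made of plain tokens. Every other option,
# in particular -z, -G and -C, is refused.

TCPDUMP=/usr/sbin/tcpdump      # assumed binary location
CAPTURE_DIR=/var/captures      # assumed root-owned capture directory

# filter_args: validate "$@" and print the sanitised tcpdump argument list,
# one argument per line. Returns 1 as soon as any argument is outside the
# allowlist, so the caller never execs tcpdump with a refused list.
filter_args() {
    iface="" outfile="" count="" expr=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -i)
                [ $# -ge 2 ] || return 1
                case "$2" in ""|*[!A-Za-z0-9_.]*) return 1 ;; esac
                iface=$2; shift 2 ;;
            -c)
                [ $# -ge 2 ] || return 1
                case "$2" in ""|*[!0-9]*) return 1 ;; esac
                count=$2; shift 2 ;;
            -w)
                [ $# -ge 2 ] || return 1
                # bare file name only: no directories, no hidden or dash-led names
                case "$2" in ""|*/*|.*|-*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
                outfile=$CAPTURE_DIR/$2; shift 2 ;;
            -*)
                # any other option (-z, -G, -C, -V, -r, -F, ...) is refused
                return 1 ;;
            *)
                # remaining words form the BPF filter; allow only plain tokens
                # (no whitespace, quotes, parentheses or shell metacharacters)
                case "$1" in *[!A-Za-z0-9_.:/-]*) return 1 ;; esac
                expr="$expr $1"; shift ;;
        esac
    done
    [ -n "$iface" ] || return 1          # an explicit interface is mandatory
    printf '%s\n' -n -i "$iface"         # -n: never resolve names as root
    [ -n "$count" ] && printf '%s\n' -c "$count"
    [ -n "$outfile" ] && printf '%s\n' -w "$outfile"
    for word in $expr; do printf '%s\n' "$word"; done
    return 0
}

main() {
    if args=$(filter_args "$@"); then
        IFS='
'
        set -f                            # no globbing while re-splitting
        set -- $args
        exec "$TCPDUMP" "$@"
    fi
    echo "safe-tcpdump: refused argument list" >&2
    exit 64
}

# Runs only when invoked with arguments, e.g.
#   sudo /usr/local/sbin/safe-tcpdump -i em0 -w dns.pcap port 53
if [ $# -gt 0 ]; then main "$@"; fi
```

The wrapper re-orders whatever it accepts into a canonical "options first, expression last" form and forces -n, so the user cannot smuggle an option in after the filter expression. Pairing it with a sudoers line that names the wrapper and nothing else is what keeps the allowlist in one place; granting `tcpdump` directly with wildcard arguments in sudoers is much harder to get right.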