From: Andy Kosela <andy.kosela@gmail.com>
To: Pieter de Boer
Date: Fri, 27 Aug 2010 15:02:43 +0200
In-Reply-To: <4C77A267.10102@thelostparadise.com>
References: <4C77A267.10102@thelostparadise.com>
Cc: vadim_nuclight@mail.ru, freebsd-security@freebsd.org
Subject: Re: tcpdump -z

On Fri, Aug 27, 2010 at 1:32 PM, Pieter de Boer wrote:
> On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
>
>> This is a forwarded message from the tcpdump-workers mail list:
>> === 8< ================>8 ===
>> $ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
>> [sudo] password for user:
>> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size
>> 65535 bytes
>> (generate some traffic on port 55555)
>> root@blaa ~/temp/tcpdump-4.1.1$ id
>> uid=0(root) gid=0(root) groups=0(root)
>>
>> Is this known and accepted? Could this option maybe be implemented
>> differently?
>
> In my opinion, if you allow people to run tools as root using sudo, you'd
> better make sure those tools don't allow attackers to easily gain root
> access. In the case of tcpdump, the '-w' flag most probably already allowed
> that, although '-z' is a bit more convenient to the attacker.
>
> As a solution, configure your sudo correctly, only allowing specific tcpdump
> command line options (or option sets) to be used.
>

If you care about security I would definitely dump sudo(8) in the first place...

Andy
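The mitigation Pieter describes, sudoers rules that pin the exact tcpdump command line instead of granting the bare binary, as an added illustration that is not part of the original thread. The user name "analyst", host "sensor1", interface "em0", packet count and output path are constructed for the example; the weak rules are shown commented out next to the pinned ones.

```sudoers
# Constructed example, not from the thread.  User "analyst", host "sensor1",
# interface "em0" and the output path are assumptions.

# Weak: the bare command accepts any arguments, so -z runs an arbitrary
# program as root and -w writes to any path as root.
# analyst  sensor1 = (root) /usr/sbin/tcpdump

# Also weak: a trailing wildcard matches any further options, -z and -w
# included, so this is no stricter than the rule above.
# analyst  sensor1 = (root) /usr/sbin/tcpdump -i em0 *

# Pinned: sudoers matches the argument list exactly, so only this command
# line is permitted.  The output file and filter are fixed, -z is absent,
# and NOEXEC stops tcpdump from spawning any child process as a second layer.
analyst  sensor1 = (root) NOEXEC: /usr/sbin/tcpdump -i em0 -n -c 10000 -w /var/tmp/capture.pcap port 55555

# Read-only variant for on-screen inspection, no file written at all.
analyst  sensor1 = (root) NOEXEC: /usr/sbin/tcpdump -i em0 -n -c 1000 port 55555
```

With these rules the analyst must type the command exactly as listed (`sudo /usr/sbin/tcpdump -i em0 -n -c 10000 -w /var/tmp/capture.pcap port 55555`); any change to the arguments is refused by sudo. The NOEXEC tag depends on sudo's noexec support being available for the platform and on tcpdump being dynamically linked, so treat it as defence in depth rather than the primary control; the exact argument match is what removes -z and the free-form -w path.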