Date: Fri, 5 Feb 1999 13:42:23 -0500 (EST)
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: root@triton.press.southern.edu (Charlie ROOT)
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: /dev/bpf0
Message-ID: <199902051842.NAA22327@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <Pine.BSF.4.01.9902051127420.9417-100000@triton.press.southern.edu> from Charlie ROOT at "Feb 5, 99 11:30:46 am"

Charlie ROOT wrote,
> I was wanting to run tcpdump, but I really didn't want to expose my
> system to the vulnerability of having /dev/bpf0 configured. I was
> wondering if anyone has succeeded in implementing the Berkeley Packet
> Filter as a loadable kernel module. If so I would love to see the source.
> Thanks.

Oy, I guess you are not a party to the lengthy discussion on
freebsd-security on BPF. A few questions:

1) Why is having /dev/bpf0 configured a security vulnerability? Only
root can use the device, and if root is compromised, it seems
/dev/bpf0 is the least of your worries. The intruder can rebuild the
kernel with BPF enabled and use it anyway, only plus is you might
notice the restart (hopefully if you are concerned with security,
you'd notice root being broken before then).

2) If /dev/bpf0 is a loadable module, only root can load it... but
what is the security advantage there? Only root could use the device
before, now root just needs to load the module before it uses it.

I don't get it. You might want to take this to freebsd-security... if
you have some flame-retardant underoos.
--
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
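
Added example, not part of the original message: the reply rests on /dev/bpf0 being usable only by root, which is a property of the device node's owner and mode and can be checked directly. The sketch assumes nodes named bpf* under /dev and that the safe state is owner uid 0 with no group or other permission bits; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message): flag BPF device nodes
# that someone other than the expected owner could open.
# Assumptions: nodes are named bpf* under the given directory, and the
# safe state is "owned by root (uid 0), no group/other permission bits".

audit_bpf_nodes() {
    dir=${1:-/dev}        # directory holding the device nodes
    owner=${2:-0}         # expected owner uid (0 = root)
    # "-perm -NNN" is true when every bit in NNN is set, so the six
    # group/other bits are OR-ed together with a wrong-owner test.
    find "$dir" -name 'bpf*' ! -type d \
        \( ! -user "$owner" \
           -o -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -print 2>/dev/null | sort
}

# Return 0 when nothing is flagged; otherwise list the nodes and return 1.
check_bpf_nodes() {
    bad=$(audit_bpf_nodes "$@")
    [ -z "$bad" ] && return 0
    printf 'BPF node accessible beyond its owner:\n%s\n' "$bad" >&2
    return 1
}
```

Run `check_bpf_nodes` with no arguments to audit /dev against uid 0; a non-zero exit status means at least one node is open to a non-root account.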