From: "Crist J. Clark"
Message-Id: <199902051842.NAA22327@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: /dev/bpf0
In-Reply-To: from Charlie ROOT at "Feb 5, 99 11:30:46 am"
To: root@triton.press.southern.edu (Charlie ROOT)
Date: Fri, 5 Feb 1999 13:42:23 -0500 (EST)
Cc: freebsd-questions@FreeBSD.ORG
Reply-To: cjclark@home.com

Charlie ROOT wrote,
> I was wanting to run tcpdump, but I really didn't want to expose my
> system to the vulnerability of having /dev/bpf0 configured. I was
> wondering if anyone has succeeded in implementing the Berkeley Packet
> Filter as a loadable kernel module. If so I would love to see the source.
> Thanks.

Oy, I guess you are not a party to the lengthy discussion on
freebsd-security on BPF. A few questions:

1) Why is having /dev/bpf0 configured a security vulnerability? Only
root can use the device, and if root is compromised, it seems
/dev/bpf0 is the least of your worries. The intruder can rebuild the
kernel with BPF enabled and use it anyway; the only plus is you might
notice the restart (hopefully if you are concerned with security,
you'd notice root being broken before then).

2) If /dev/bpf0 is a loadable module, only root can load it... but
what is the security advantage there? Only root could use the device
before, now root just needs to load the module before it uses it.

I don't get it. You might want to take this to freebsd-security... if
you have some flame-retardant underoos.

-- 
Crist J. Clark                           cjclark@home.com