From owner-freebsd-security Wed Dec 11 11:50:15 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id LAA03740 for security-outgoing; Wed, 11 Dec 1996 11:50:15 -0800 (PST)
Received: from ki1.chemie.fu-berlin.de (ki1.Chemie.FU-Berlin.DE [160.45.24.21]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id LAA03682 for ; Wed, 11 Dec 1996 11:49:35 -0800 (PST)
Received: by ki1.chemie.fu-berlin.de (Smail3.1.28.1) from mail.hanse.de (193.174.9.9) with smtp id ; Wed, 11 Dec 96 18:10 MET
Received: from wavehh.UUCP by mail.hanse.de with UUCP for freebsd-security@freebsd.org id ; Wed, 11 Dec 96 18:10 MET
Received: by wavehh.hanse.de (4.1/SMI-4.1) id AA16058; Wed, 11 Dec 96 14:29:42 +0100
Date: Wed, 11 Dec 96 14:29:42 +0100
From: cracauer@wavehh.hanse.de (Martin Cracauer)
Message-Id: <9612111329.AA16058@wavehh.hanse.de>
To: freebsd-security@freebsd.org
Subject: Re: Risk of having bpf0? (was URGENT: Packet sniffer found on my system)
References: <199612110353.OAA21602@genesis.atrad.adelaide.edu.au> <199612110432.UAA10905@root.com>
Reply-To: cracauer@wavehh.hanse.de
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>>> What are people's feelings on enabling devices like bpf or snp
>>> in the kernel on a public server? Obviously, had I not compiled bpf
>>> into the shell and Web server kernels, this particular incident would
>>> never have happened. However, I like to have access to tcpdump to
>>> check for things like ping floods, and trafshow to see where bytes are
>>> being sent.
>>
>> Evil evil evil. Definitely never on a public server; bpf lets you do
>> lots more than just snoop, it makes it possible (easier) to spoof as
>> well.

As far as I understand, BPF in the kernel is only a risk when someone gets root rights, not? In that case, if you don't have BPF in the kernel the person in question could also ftp a new kernel and wait for the next reboot. What am I overlooking?

What makes BPF dangerous as long as no one has root access to the machine? And in what way can BPF make spoofing easier?

Martin
-- 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Martin_Cracauer@wavehh.hanse.de http://cracauer.cons.org Fax.: +4940 5228536
"As far as I'm concerned, if something is so complicated that you can't explain it in 10 seconds, then it's probably not worth knowing anyway" - Calvin
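The thread above is about whether a bpf-capable kernel is a liability once an intruder has root and can start a sniffer. Whatever one decides about compiling bpf in, the check an administrator wants is a quick way to notice that an interface has been put into promiscuous mode, which is what a bpf-based sniffer normally does. The script below is an added example and is not part of this mailing-list thread or of FreeBSD itself: it parses `ifconfig -a`-style output and prints every interface whose flags contain `PROMISC`. The interface names, addresses and flag words in the sample are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: report interfaces that
# ifconfig shows in promiscuous mode, a common sign of a running sniffer.

# find_promisc reads ifconfig-style text on stdin and prints the name of
# every interface whose "flags=" line lists PROMISC, one per line.
find_promisc() {
    awk '
        # An interface header line looks like "ed0: flags=8943<UP,...> mtu 1500";
        # remember its name (without the trailing colon).
        /^[a-z][a-z0-9]*[:]?[[:space:]]+flags=/ { iface = $1; sub(":$", "", iface) }
        # Same line: if the flag list contains PROMISC, report the interface.
        /flags=.*[<,]PROMISC[,>]/ { print iface }
    '
}

# Constructed sample output; on a real host replace it with `ifconfig -a`.
SAMPLE='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000
ed0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 198.51.100.7 netmask 0xffffff00 broadcast 198.51.100.255'

# Usage: prints "ed0" for the constructed sample.
printf '%s\n' "$SAMPLE" | find_promisc
```

On a live system run `ifconfig -a | find_promisc` from cron and alert on any output. The check only sees what `ifconfig` reports, so it catches the ordinary case of a sniffer opening a bpf device in promiscuous mode but not a sniffer that never sets the flag or an intruder who has already replaced `ifconfig`; it complements, rather than replaces, the decision about leaving bpf out of a public server's kernel.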