From owner-freebsd-questions@FreeBSD.ORG Fri Oct 7 15:58:50 2005
Message-ID: <35c231bf0510070858l32d5aefft4bb9e8508b6b80f@mail.gmail.com>
Date: Fri, 7 Oct 2005 08:58:49 -0700
From: David Kirchner
To: Chuck Swiger
Cc: freebsd-questions@freebsd.org, John Conover
In-Reply-To: <43467C12.1060001@mac.com>
References: <20051007084807.13455.qmail@rahul.net> <43467C12.1060001@mac.com>
Subject: Re: Security risk associated with a NIC's promiscuous mode?
On 10/7/05, Chuck Swiger wrote:
> A mild one. For example, I believe there was recently a security bug in
> tcpdump's string handling which could be exploited by tcpdump seeing a
> maliciously-crafted packet. Running the NIC in promisc mode means that packet
> just has to go by, rather than being sent specifically to the machine running the
> sniffer...
>
> In other words, it's not a great idea to run a sniffer on your most important
> fileserver or whatever, rather than an isolated laptop or other test system.

You can also change the ownership of the bpf0 entry in /dev to something
other than root, and run tcpdump as that user. Obviously you would want to
secure that account so it can only be accessed by you, and you may even want
to change ownership to that user only when you want to sniff, changing it
back to root when done. In any case, this would mitigate the risk in case a
tcpdump/libpcap vulnerability is discovered. I wouldn't do this if it was for
a daemon or a cron, though, since they would perform dumps at specific (i.e.
predictable) times of day.
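As an added example (not from this thread and not a FreeBSD tool), a small sh wrapper for the hand-out-and-take-back procedure described in the reply above: it gives the BPF device to a dedicated unprivileged account for one capture only, runs tcpdump as that account, and returns the device to root on exit, including on Ctrl-C. The device path /dev/bpf0, the account name "sniffer" and the use of su -m are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: hand the BPF device to an unprivileged
# account for one capture only, run tcpdump as that account, and give the
# device back to root when the capture ends (normal exit or Ctrl-C).
# Assumptions: FreeBSD-style /dev/bpf0, a locked account named "sniffer"
# (nologin shell), and su(1) accepting -m as on FreeBSD. All are placeholders.

BPF_DEV="${BPF_DEV:-/dev/bpf0}"
SNIFF_USER="${SNIFF_USER:-sniffer}"

# grant_bpf DEVICE USER: make DEVICE owned by, and readable only by, USER.
grant_bpf() {
    chown "$2" "$1" && chmod 600 "$1"
}

# revoke_bpf DEVICE: return DEVICE to root, still closed to everyone else.
revoke_bpf() {
    chown root "$1" && chmod 600 "$1"
}

# device_is_root_owned DEVICE: true when DEVICE is owned by root. Used as a
# precondition so a previous run that left the device handed out is noticed.
device_is_root_owned() {
    [ -n "$(find "$1" -prune -user root 2>/dev/null)" ]
}

# sniff IFACE [tcpdump filter...]: the whole procedure, to be run as root.
sniff() {
    iface="$1"; shift
    device_is_root_owned "$BPF_DEV" || {
        echo "$BPF_DEV is not owned by root; refusing to continue" >&2
        return 1
    }
    grant_bpf "$BPF_DEV" "$SNIFF_USER" || return 1
    # Give the device back on every exit path; signals are routed through exit
    # so the EXIT trap fires for Ctrl-C and SIGTERM as well.
    trap 'revoke_bpf "$BPF_DEV"' EXIT
    trap 'exit 130' INT TERM
    su -m "$SNIFF_USER" -c "tcpdump -n -i $iface $*"
}

# Usage (as root): sh sniff.sh em0 port 53
if [ $# -gt 0 ]; then sniff "$@"; fi
```

Newer tcpdump releases also offer -Z user, which drops to that user right after opening the capture device and reaches the same goal without touching /dev ownership.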