From owner-freebsd-security Wed Dec 11 16:02:36 1996 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id QAA21048 for security-outgoing; Wed, 11 Dec 1996 16:02:36 -0800 (PST) Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id QAA21030 for ; Wed, 11 Dec 1996 16:02:29 -0800 (PST) Received: (from msmith@localhost) by genesis.atrad.adelaide.edu.au (8.8.2/8.7.3) id KAA29724; Thu, 12 Dec 1996 10:31:47 +1030 (CST) From: Michael Smith Message-Id: <199612120001.KAA29724@genesis.atrad.adelaide.edu.au> Subject: Re: Risk of having bpf0? (was URGENT: Packet sniffer found on my system) In-Reply-To: <9612111329.AA16058@wavehh.hanse.de> from Martin Cracauer at "Dec 11, 96 02:29:42 pm" To: cracauer@wavehh.hanse.de Date: Thu, 12 Dec 1996 10:31:46 +1030 (CST) Cc: freebsd-security@freeBSD.org X-Mailer: ELM [version 2.4ME+ PL28 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@freeBSD.org X-Loop: FreeBSD.org Precedence: bulk Martin Cracauer stands accused of saying: > >> > >>Evil evil evil. Definitely never on a public server; bpf lets you do > >>lots more than just snoop, it makes it possible (easier) to spoof as > >>well. > > As far as I understand, BPF in the kernel is only a risk when someone > gets root rights, not? In that case, if you don't have BPF in the > kernel the person in question could also ftp a new kernel and wait for > the next reboot. Sure; providing they're in a position to do that. A suitably paranoid installation will have measures in place that make it harder (not impossible, obviously) to replace the kernel on a public system. (Think network boot from an inaccessible server, for example.) > What am I overlooking? What makes BPF dangerous as long as noone has > root access to the machine? Point. I think we have to accept that root access will always be available, and look at steps to reduce the damage that can be caused thereby. > And in what way can BPF make spoofing easier? The ability to emit arbitrary network data, subject only to the framing imposed by the transport hardware. > Martin -- ]] Mike Smith, Software Engineer msmith@gsoft.com.au [[ ]] Genesis Software genesis@gsoft.com.au [[ ]] High-speed data acquisition and (GSM mobile) 0411-222-496 [[ ]] realtime instrument control. (ph) +61-8-8267-3493 [[ ]] Unix hardware collector. "Where are your PEZ?" The Tick [[