From owner-freebsd-hackers Mon Aug 2 14: 3:40 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id A875615230 for ; Mon, 2 Aug 1999 14:03:06 -0700 (PDT) (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40321>; Tue, 3 Aug 1999 06:43:11 +1000
Date: Tue, 3 Aug 1999 07:02:26 +1000
From: Peter Jeremy
Subject: Re: So, back on the topic of enabling bpf in GENERIC...
To: hackers@FreeBSD.ORG
Message-Id: <99Aug3.064311est.40321@border.alcanet.com.au>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <37A3B701.851DF00B@softweyr.com> Wes Peters writes:
>Do we have a list of all services that use bpf?

In the base system, ipfilter et al (i.e. ipsend(1)), tcpdump, rbootd, rarpd and dhcp. Someone who's got a complete set of ports might like to comment on what ports need bpf.

Of these, we need to leave rarpd, dhcp and maybe rbootd running, whilst inhibiting tcpdump and ipfilter (or at least stop them being used to sniff networks)[*].

As I've already mentioned elsewhere, a fairly easy option would be to create a `crippled' BPF - which included a hard-wired filter that only returned broadcast packets and disabled BIOCSETF and maybe BIOCPROMISC. The crippled BPF would be part of GENERIC, and anyone who wanted the full functionality could re-compile without the `CRIPPLED_BPF' flag.

Another option would be to have the BPF crippling based on the secure-level (or driven via a specific `raise-only' sysctl).

Apart from the hard-wired filters, the code to do this is trivial (though not as trivial as simply blocking bpf_open if securelevel > 1).

[*] I personally don't believe that the mere presence of bpf is a security hole. By default you need root to activate it (and if someone undesirable has root access, you have other problems). It's also trivially easy to sniff a network from a Windoze PC.

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
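The `crippled' BPF sketched in the message above, as an added example that is not part of the original post and is not FreeBSD's bpf(4) driver: a hard-wired classic-BPF program that accepts only Ethernet broadcast frames (destination ff:ff:ff:ff:ff:ff), a small user-space interpreter covering just the instructions that program needs, and a gate that refuses the filter-setting and promiscuous-mode requests above a chosen securelevel. The opcode constants follow the classic BPF encoding; the `crippled_bpf_ioctl` function, the `CMD_*` names standing in for BIOCSETF/BIOCPROMISC/BIOCGBLEN, the securelevel threshold of 1 and the sample frames are all assumptions made for this example.

```c
/* Added example: hard-wired broadcast-only BPF program plus a securelevel
 * gate, modelled on the CRIPPLED_BPF idea from the message above.
 * Illustrative user-space code, not FreeBSD's bpf(4). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF opcode encoding (only the subset used here). */
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_W    0x00
#define BPF_H    0x08
#define BPF_ABS  0x20
#define BPF_K    0x00
#define BPF_JEQ  0x10

struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Hard-wired filter: keep a frame only if bytes 0..5 (Ethernet destination)
 * are all 0xff. jt/jf are offsets relative to the next instruction. */
static const struct bpf_insn broadcast_only[] = {
    { BPF_LD  | BPF_W   | BPF_ABS, 0, 0, 0 },           /* A = dst[0..3]       */
    { BPF_JMP | BPF_JEQ | BPF_K,   0, 2, 0xffffffffu }, /* != -> reject (insn 4) */
    { BPF_LD  | BPF_H   | BPF_ABS, 0, 0, 4 },           /* A = dst[4..5]       */
    { BPF_JMP | BPF_JEQ | BPF_K,   1, 0, 0xffffu },     /* == -> accept (insn 5) */
    { BPF_RET | BPF_K,             0, 0, 0 },           /* reject: keep 0 bytes */
    { BPF_RET | BPF_K,             0, 0, 0xffffffffu }, /* accept: keep frame  */
};
#define BROADCAST_ONLY_LEN (sizeof(broadcast_only) / sizeof(broadcast_only[0]))

/* Minimal interpreter. Returns bytes to keep; 0 means drop. Loads past the
 * end of the frame and unknown opcodes drop the frame (fail closed). */
uint32_t bpf_run(const struct bpf_insn *prog, size_t n,
                 const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct bpf_insn *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if ((size_t)in->k + 4 > len) return 0;
            a = (uint32_t)pkt[in->k] << 24 | (uint32_t)pkt[in->k + 1] << 16 |
                (uint32_t)pkt[in->k + 2] << 8 | (uint32_t)pkt[in->k + 3];
            break;
        case BPF_LD | BPF_H | BPF_ABS:
            if ((size_t)in->k + 2 > len) return 0;
            a = (uint32_t)pkt[in->k] << 8 | (uint32_t)pkt[in->k + 1];
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (a == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return 0;
        }
    }
    return 0;
}

/* The crippled device applies the fixed program; callers cannot replace it. */
uint32_t crippled_filter(const uint8_t *pkt, size_t len)
{
    return bpf_run(broadcast_only, BROADCAST_ONLY_LEN, pkt, len);
}

/* Stand-ins for the real ioctl request codes (assumption for this example). */
enum crippled_cmd { CMD_BIOCSETF, CMD_BIOCPROMISC, CMD_BIOCGBLEN };

/* Securelevel-keyed gate: above securelevel 1 (assumed threshold), refuse
 * user-supplied filters and promiscuous mode; other requests pass. */
int crippled_bpf_ioctl(enum crippled_cmd cmd, int securelevel)
{
    if (securelevel > 1 && (cmd == CMD_BIOCSETF || cmd == CMD_BIOCPROMISC))
        return EPERM;
    return 0;
}

/* Constructed sample frames (not captured traffic). */
const uint8_t bcast_frame[] = {   /* broadcast ARP request, truncated */
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06,
    0x00,0x01 };
const uint8_t unicast_frame[] = { /* unicast IPv4 frame, truncated */
    0x00,0x11,0x22,0x33,0x44,0x66, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    0x45,0x00 };
const uint8_t near_bcast_frame[] = { /* first four bytes 0xff only */
    0xff,0xff,0xff,0xff,0x00,0x00, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00 };

int main(void)
{
    printf("broadcast kept: %u bytes\n", crippled_filter(bcast_frame, sizeof bcast_frame));
    printf("unicast kept:   %u bytes\n", crippled_filter(unicast_frame, sizeof unicast_frame));
    printf("BIOCSETF at securelevel 2 -> %d\n", crippled_bpf_ioctl(CMD_BIOCSETF, 2));
    return 0;
}
```

Two design points worth noting: the program checks the 6-byte destination as a 4-byte and a 2-byte load rather than six byte loads, which is how hand-written classic BPF usually matches MAC addresses; and the interpreter returns 0 for any load that runs off the end of the frame, so a truncated frame is dropped rather than matched on garbage.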