From: Daniel Roethlisberger
To: freebsd-security@freebsd.org
Date: Fri, 27 Aug 2010 18:25:56 +0200
Subject: Re: tcpdump -z
Message-ID: <20100827162556.GB14492@calvin.ustdmz.roe.ch>
In-Reply-To: <4C77A267.10102@thelostparadise.com>
References: <4C77A267.10102@thelostparadise.com>

Pieter de Boer 2010-08-27:
> On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
> >This is a forwarded message from tcpdump-workers mail list:
> >=== 8< ================>8 ===
> >$ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
> >[sudo] password for user:
> >tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
> >(generate some traffic on port 55555)
> >root@blaa ~/temp/tcpdump-4.1.1$ id
> >uid=0(root) gid=0(root) groups=0(root)
> >
> >Is this known and accepted? Could this option maybe be implemented
> >differently?
>
> In my opinion, if you allow people to run tools as root using sudo,
> you'd better make sure those tools don't allow attackers to easily gain
> root access. In the case of tcpdump, the '-w' flag most probably already
> allowed that, although '-z' is a bit more convenient to the attacker.
>
> As a solution, configure your sudo correctly, only allowing specific
> tcpdump command line options (or option sets) to be used.

Or use NOEXEC on the tcpdump spec in your sudo configuration, see
sudoers(5) for details.

-- 
Daniel Roethlisberger
http://daniel.roe.ch/
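As an added illustration of the two mitigations discussed in the thread (not part of the original mail), a sudoers fragment contrasting an open rule with one that pins the tcpdump argument list and applies the NOEXEC tag. The user name, interface, port and binary path are assumptions.

```sudoers
# Weak: any argument list is accepted, so both -z (post-rotate command,
# run as root) and -w (write an arbitrary file as root) are reachable.
alice ALL=(root) /usr/sbin/tcpdump

# Still weak: a '*' in sudoers arguments matches across whitespace, so
# this admits "-i em0 -G 1 -z ./script -w ..." just the same.
# alice ALL=(root) /usr/sbin/tcpdump -i em0 *

# Hardened: the exact argument lists that are needed are enumerated, so
# no extra options can be appended, and NOEXEC stops tcpdump from
# spawning child processes (which is what -z depends on).
# Interface "em0" and port 55555 are example values.
Cmnd_Alias TCPDUMP_RO = /usr/sbin/tcpdump -n -i em0 port 55555, \
                        /usr/sbin/tcpdump -n -i em0 -c 1000 port 55555
alice ALL=(root) NOEXEC: TCPDUMP_RO
```

NOEXEC only blocks exec-family calls from the sudo'd process (and relies on the dynamic linker, so it does not cover statically linked binaries); it does not by itself prevent -w from writing files as root, which is why the argument list is pinned as well.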