From owner-freebsd-security Sat Jul 13 10:31:33 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ABA6537B400; Sat, 13 Jul 2002 10:31:30 -0700 (PDT)
Received: from lurza.secnetix.de (lurza.secnetix.de [212.66.1.130]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9285243E64; Sat, 13 Jul 2002 10:31:29 -0700 (PDT) (envelope-from olli@lurza.secnetix.de)
Received: (from olli@localhost) by lurza.secnetix.de (8.11.6/8.11.6) id g6DHVRs92032; Sat, 13 Jul 2002 19:31:27 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de)
Date: Sat, 13 Jul 2002 19:31:27 +0200 (CEST)
Message-Id: <200207131731.g6DHVRs92032@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG, security-advisories@FreeBSD.ORG
Reply-To: freebsd-security@FreeBSD.ORG, security-advisories@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:29.tcpdump
In-Reply-To: <200207122046.g6CKk2tG099856@freefall.freebsd.org>
X-Newsgroups: list.freebsd-security
User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.5-RELEASE (i386))
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

FreeBSD Security Advisories wrote:
 > [...]
 > IV. Workaround
 >
 > There is no workaround, other than not using tcpdump.

Well, you can at least set up the system in a way so you don't have to run tcpdump as root: Create a special group, chgrp /dev/bpf* to that group and make them group-readable (writable is not required). Then add all users to that group which should be allowed to use tcpdump.
An even better approach would be to create a pseudo-user (similar to the nobody user) which is a member of the tcpdump group, and write a small wrapper script which uses /usr/bin/su to call tcpdump as that pseudo-user.

Of course, that's only a quick workaround, not a solution. It wouldn't close any potentially exploitable holes, but it would make it a lot harder (maybe even impossible) for an attacker to actually do any damage that way.

On a related matter: It would probably be a very good idea for tcpdump to drop privileges right after opening the BPF device.

Regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"All that we see or seem is just a dream within a dream" (E. A. Poe)
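The workaround described in the mail above (dedicated group on /dev/bpf*, a nobody-like pseudo-user in that group, and an su-based wrapper), written out as a script for FreeBSD 4.x using pw(8). This is an added example, not a script from the mail or from FreeBSD; the group name "bpf", the pseudo-user "_tcpdump" and the wrapper path /usr/local/sbin/tcpdump-wrapper are assumptions. Two caveats the mail does not spell out: su(1) asks for the target user's password unless the caller's real UID is 0, so the wrapper is meant for root to use instead of running tcpdump itself; and on a static /dev (FreeBSD 4.x) the chgrp/chmod persist, whereas with devfs (FreeBSD 5.x and later) they have to be re-applied at boot, e.g. from /etc/devfs.conf.

```shell
#!/bin/sh
# Added example, not from the original mail: the unprivileged-tcpdump
# workaround as a script for FreeBSD 4.x using pw(8).  The group name
# "bpf", the pseudo-user "_tcpdump" and the wrapper path below are
# assumptions, not names given in the mail.
BPF_GROUP=bpf
BPF_USER=_tcpdump
WRAPPER=/usr/local/sbin/tcpdump-wrapper

# Step 1: a dedicated group owns the BPF devices, group-readable only
# (tcpdump opens /dev/bpf* read-only, so no write bit is needed).
# On FreeBSD 4.x /dev is static and this persists; with devfs (5.x and
# later) it has to be re-applied at boot, e.g. from /etc/devfs.conf.
bpf_setup_devices() {
    pw groupshow "$BPF_GROUP" >/dev/null 2>&1 || pw groupadd "$BPF_GROUP"
    chgrp "$BPF_GROUP" /dev/bpf*
    chmod 0640 /dev/bpf*
}

# Step 2: users allowed to run tcpdump directly join the group.
bpf_allow_user() {
    pw groupmod "$BPF_GROUP" -m "$1"
}

# Step 3: a nobody-like pseudo-user whose only privilege is membership
# in the group.  No home directory and no login shell; "su -m" below
# runs the caller's shell, so the nologin shell does not get in the way.
bpf_setup_pseudo_user() {
    pw usershow "$BPF_USER" >/dev/null 2>&1 ||
        pw useradd "$BPF_USER" -g "$BPF_GROUP" -d /nonexistent \
            -s /sbin/nologin -c "tcpdump pseudo-user"
}

# Re-quote arguments so the single command string handed to "su -c"
# survives the shell that su starts (a filter like "port 80" must stay
# one word).  Pure POSIX sh; the same loop is embedded in the wrapper.
quote_args() {
    out=''
    for a in "$@"; do
        q=$(printf '%s' "$a" | sed "s/'/'\\\\''/g")
        out="$out '$q'"
    done
    printf '%s' "${out# }"
}

# The wrapper script: runs tcpdump as the pseudo-user via su(1).
# su asks for the target user's password unless the caller's real UID
# is 0, so the intended use is root invoking the wrapper instead of
# running tcpdump itself.  The user name is literal here because the
# heredoc is quoted; keep it in sync with BPF_USER.
wrapper_text() {
    cat <<'EOF'
#!/bin/sh
# run tcpdump as the unprivileged pseudo-user (generated wrapper)
out=''
for a in "$@"; do
    q=$(printf '%s' "$a" | sed "s/'/'\\\\''/g")
    out="$out '$q'"
done
exec /usr/bin/su -m _tcpdump -c "/usr/sbin/tcpdump $out"
EOF
}

install_wrapper() {
    wrapper_text > "$WRAPPER"
    chmod 0755 "$WRAPPER"
}

# Verify a device node ended up group-readable and closed to others,
# parsing ls(1) output so it works on any BSD or GNU userland.
bpf_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?r??r??---) return 0 ;;
        *) return 1 ;;
    esac
}

# Only change the system when run as root with --apply; sourcing the
# file for the helper functions alone does nothing.
if [ "$(id -u)" = 0 ] && [ "$1" = "--apply" ]; then
    bpf_setup_devices
    bpf_setup_pseudo_user
    install_wrapper
    for dev in /dev/bpf*; do
        bpf_perms_ok "$dev" || echo "warning: unexpected mode on $dev" >&2
    done
fi
```

Run it as root with `--apply`, then add users who should use tcpdump directly with `bpf_allow_user name`, or have root run `/usr/local/sbin/tcpdump-wrapper -i fxp0 'port 80'` so that tcpdump itself never holds root. The argument re-quoting matters because su hands one string to a shell: without it a filter expression containing spaces or quotes would be re-split before reaching tcpdump.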