Date:      Sun, 14 Jul 2002 01:57:34 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-02:29.tcpdump
Message-ID:  <20020714085734.GD56656@blossom.cjclark.org>
In-Reply-To: <200207131731.g6DHVRs92032@lurza.secnetix.de>
References:  <200207122046.g6CKk2tG099856@freefall.freebsd.org> <200207131731.g6DHVRs92032@lurza.secnetix.de>

On Sat, Jul 13, 2002 at 07:31:27PM +0200, Oliver Fromme wrote:
> FreeBSD Security Advisories <security-advisories@freebsd.org> wrote:
>  > [...]
>  > IV.  Workaround
>  > 
>  > There is no workaround, other than not using tcpdump.
> 
> Well, you can at least set up the system in a way so you
> don't have to run tcpdump as root:  Create a special group,
> chgrp /dev/bpf* to that group and make them group-readable
> (writable is not required).  Then add all users to that
> group which should be allowed to use tcpdump.

tcpdump(8) can still be exploited to run arbitrary code as that user.

> An even better approach would be to create a pseudo user
> (similar to the nobody user) which is a member of the
> tcpdump group, and write a small wrapper script which
> uses /usr/bin/su to call tcpdump as that pseudo-user.
> 
> Of course, that's only a quick workaround, not a solution.

It's not really a workaround; it just mitigates the potential for
damage should the bug be exploited.

> On a related matter:  It would probably be a very good idea
> for tcpdump to drop privileges right after opening the BPF
> device.

tcpdump(8) never has elevated privileges. It just runs as whoever
executes it. As you say, the way to run it at lower privileges is to
give a less privileged user read access to the bpf(4) devices.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
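The setup Oliver Fromme sketches above (a dedicated group that may read /dev/bpf*, a locked pseudo-user in that group, and a small su(1) wrapper) written out as a FreeBSD shell script. This is an added example, not code from the thread or from the FreeBSD project; the group name bpf, the pseudo-user tcpdump, the wrapper path /usr/local/sbin/tcpdump-unpriv, the tcpdump path and the DRY_RUN switch are assumptions of this example. As the reply notes, this only limits what an exploited tcpdump can reach; it does not fix the bug.

```shell
#!/bin/sh
# Least-privilege tcpdump setup on FreeBSD, following the scheme proposed
# in the thread: a dedicated group that owns /dev/bpf* read-only, a locked
# pseudo-user in that group, and a su(1) wrapper so tcpdump never runs as
# root.  Added example, not code from the thread; the names below and the
# DRY_RUN switch are this example's assumptions.

BPF_GROUP="${BPF_GROUP:-bpf}"                          # assumed group name
BPF_USER="${BPF_USER:-tcpdump}"                        # assumed pseudo-user
WRAPPER="${WRAPPER:-/usr/local/sbin/tcpdump-unpriv}"   # assumed wrapper path
TCPDUMP="${TCPDUMP:-/usr/sbin/tcpdump}"                # assumed tcpdump path
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of executing them

# Execute a command, or print it when DRY_RUN=1 so the plan can be reviewed
# from an unprivileged shell before it is applied as root.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: the group, and a pseudo-user that is a member of it.  The user
# gets /bin/sh so su(1) can hand it a command, but its password is disabled
# (-w no), so only root can become it.
create_bpf_principals() {
    run pw groupadd "$BPF_GROUP"
    run pw useradd "$BPF_USER" -g "$BPF_GROUP" -d /nonexistent -s /bin/sh -w no \
        -c "unprivileged tcpdump user"
}

# Step 2: chgrp the BPF devices to the group and make them group-readable.
# Mode 0640: root rw, group r, nothing for others.  Group write is omitted
# deliberately; capturing packets does not need it.
restrict_bpf_devices() {
    [ $# -gt 0 ] || set -- /dev/bpf*
    for dev; do
        run chgrp "$BPF_GROUP" "$dev"
        run chmod 0640 "$dev"
    done
}

# Step 3: the wrapper.  Arguments are forwarded positionally to the shell
# that su(1) starts for the pseudo-user, so no re-quoting is needed.
wrapper_text() {
    cat <<EOF
#!/bin/sh
# Run tcpdump as '$BPF_USER', which reads /dev/bpf* through group '$BPF_GROUP'.
# Intended to be invoked by root; su(1) asks no password for uid 0.
exec /usr/bin/su "$BPF_USER" -c 'exec $TCPDUMP "\$@"' sh "\$@"
EOF
}

write_wrapper() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '# would write %s:\n' "$WRAPPER"
        wrapper_text
    else
        wrapper_text > "$WRAPPER" && chmod 0700 "$WRAPPER"
    fi
}

# Usage: sh setup-bpf.sh plan   (print what would be done)
#        sh setup-bpf.sh apply  (run as root on the FreeBSD host)
case "${1:-}" in
    plan)  DRY_RUN=1; create_bpf_principals; restrict_bpf_devices; write_wrapper ;;
    apply) create_bpf_principals; restrict_bpf_devices; write_wrapper ;;
esac
```

Run it with `plan` first to see the exact pw(8), chgrp and chmod commands and the wrapper text; `apply` performs them. The wrapper is left root-only (mode 0700) on purpose: a process that can read bpf(4) sees every packet on the wire, so who may invoke it is a policy decision for the host.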
