Date: Fri, 27 Aug 2010 18:25:56 +0200
From: Daniel Roethlisberger <daniel@roe.ch>
To: freebsd-security@freebsd.org
Subject: Re: tcpdump -z
Message-ID: <20100827162556.GB14492@calvin.ustdmz.roe.ch>
In-Reply-To: <4C77A267.10102@thelostparadise.com>
References: <slrni7eu1h.21lb.vadim_nuclight@kernblitz.nuclight.avtf.net> <4C77A267.10102@thelostparadise.com>
Pieter de Boer <pieter@thelostparadise.com> 2010-08-27:
> On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
> > This is a forwarded message from the tcpdump-workers mail list:
> > === 8< ================>8 ===
> > $ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
> > [sudo] password for user:
> > tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
> > (generate some traffic on port 55555)
> > root@blaa ~/temp/tcpdump-4.1.1$ id
> > uid=0(root) gid=0(root) groups=0(root)
> >
> > Is this known and accepted? Could this option maybe be implemented
> > differently?
>
> In my opinion, if you allow people to run tools as root using sudo,
> you'd better make sure those tools don't allow attackers to easily gain
> root access. In the case of tcpdump, the '-w' flag most probably already
> allowed that, although '-z' is a bit more convenient to the attacker.
>
> As a solution, configure your sudo correctly, only allowing specific
> tcpdump command line options (or option sets) to be used.

Or use NOEXEC on the tcpdump spec in your sudo configuration, see
sudoers(5) for details.

-- 
Daniel Roethlisberger
http://daniel.roe.ch/
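As an added illustration of the two fixes suggested in the thread (not part of the original messages): a sudoers fragment with the weak rule that makes the -z trick possible, beside a restricted version that pins the exact tcpdump command lines and applies the NOEXEC tag. The group name netops, the interface em0 and the capture expressions are assumptions for the example; /usr/sbin/tcpdump is the FreeBSD base-system path.

```sudoers
# Weak: any tcpdump invocation runs as root, so -z ./script (exec as root)
# and -w /etc/anything (write as root) are both available to the caller.
%netops ALL=(root) /usr/sbin/tcpdump

# Restricted: only the listed command lines match, argument for argument.
# NOEXEC: stops tcpdump from exec'ing a -z post-rotate command (sudo's
# LD_PRELOAD-based noexec support, see sudoers(5)); the explicit argument
# lists keep -w, -z and -G off the table entirely.
%netops ALL=(root) NOEXEC: /usr/sbin/tcpdump -nn -i em0 port 22, \
                           /usr/sbin/tcpdump -nn -i em0 -c 1000 port 53

# Do NOT do this: sudoers matches arguments as one space-separated string,
# so '*' matches across word boundaries and '-i em0 *' still admits
# '-i em0 -z ./test.sh -w dump port 55555'.
# %netops ALL=(root) /usr/sbin/tcpdump -nn -i em0 *
```

Check the result with `visudo -c` before relying on it, and keep in mind that NOEXEC only blocks exec from the tcpdump process; it does nothing about -w writing files as root, which is why the argument lists are pinned rather than wildcarded.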
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100827162556.GB14492>