Date:      Fri, 27 Aug 2010 15:02:43 +0200
From:      Andy Kosela <akosela@andykosela.com>
To:        Pieter de Boer <pieter@thelostparadise.com>
Cc:        vadim_nuclight@mail.ru, freebsd-security@freebsd.org
Subject:   Re: tcpdump -z
Message-ID:  <AANLkTim1frPvChMJfDLnHe6LW3HnR=AWeYcCsf-tx3V-@mail.gmail.com>
In-Reply-To: <4C77A267.10102@thelostparadise.com>
References:  <slrni7eu1h.21lb.vadim_nuclight@kernblitz.nuclight.avtf.net> <4C77A267.10102@thelostparadise.com>

On Fri, Aug 27, 2010 at 1:32 PM, Pieter de Boer
<pieter@thelostparadise.com> wrote:
> On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
>
>> This is a forwarded message from the tcpdump-workers mail list:
>> === 8<  ================>8 ===
>> $ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
>> [sudo] password for user:
>> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
>> (generate some traffic on port 55555)
>> root@blaa ~/temp/tcpdump-4.1.1$ id
>> uid=0(root) gid=0(root) groups=0(root)
>>
>> Is this known and accepted? Could this option maybe be implemented
>> differently?
>
> In my opinion, if you allow people to run tools as root using sudo, you'd
> better make sure those tools don't allow attackers to easily gain root
> access. In the case of tcpdump, the '-w' flag most probably already allowed
> that, although '-z' is a bit more convenient to the attacker.
>
> As a solution, configure your sudo correctly, only allowing specific tcpdump
> command line options (or option sets) to be used.
>

If you care about security I would definitely dump sudo(8) in the first place...

Andy
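One way to do what Pieter suggests (let sudo run tcpdump as root, but only with a vetted option set), as an added example that is not part of the thread: rather than listing option combinations in sudoers, give sudo a wrapper that takes no sudoers-side arguments at all and does the allowlisting itself. The wrapper name (tcpdump-ro), the path of the real binary and the exact set of permitted options are assumptions; adjust them to the build you run. Note that -z, -w, -G and -C are refused outright, since those are the switches that let a capture write files or run a command as root.

```shell
#!/bin/sh
# Added example, not code from the thread or from tcpdump itself.
# A wrapper that sudo can be allowed to run with no arguments, so the
# sudoers rule needs no wildcards. It allowlists a few read-only tcpdump
# options and refuses everything else, in particular -z (runs a command as
# root after each file rotation) and -w/-G/-C (write files as root).
# The wrapper name (tcpdump-ro) and TCPDUMP path are assumptions.

TCPDUMP=/usr/sbin/tcpdump          # assumed location of the real binary

# tcpdump_args_ok ARGS...
# Returns 0 when every argument is on the allowlist, 1 otherwise.
# Every word is checked regardless of position: glibc getopt permutes
# arguments, so on Linux "port 80 -z ./x" still passes -z to tcpdump.
# Only separately written options are accepted (-n -v, not -nv), which
# keeps the matching simple and auditable.
tcpdump_args_ok() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -i|-c|-s)
                # option with one value; the value must not itself be an option
                [ $# -ge 2 ] || return 1
                case "$2" in -*) return 1 ;; esac
                shift 2 ;;
            -n|-nn|-v|-vv|-vvv|-e|-q|-t|-tt|-tttt|-X|-XX|-A|-l|-p)
                shift ;;
            -*)
                # -z, -w, -G, -C, -r, -F, -V and anything unknown land here
                return 1 ;;
            *)
                # a word of the BPF filter expression; harmless, keep scanning
                shift ;;
        esac
    done
    return 0
}

# Entry point when installed and invoked as the wrapper itself (assumed
# name tcpdump-ro). When the file is sourced under another name nothing
# below runs, so tcpdump_args_ok can be exercised on its own.
case "$0" in
    tcpdump-ro|*/tcpdump-ro)
        if ! tcpdump_args_ok "$@"; then
            echo "tcpdump-ro: refused argument list: $*" >&2
            exit 1
        fi
        # exec without a shell, so filter words are never re-parsed
        exec "$TCPDUMP" "$@" ;;
esac
```

The matching sudoers entry is then a single command with no argument pattern, for example `analyst ALL = (root) /usr/local/sbin/tcpdump-ro` (path assumed). The reason for the wrapper rather than a rule such as `/usr/sbin/tcpdump -i *` is that a `*` in a sudoers command-line pattern also matches whitespace, so `-i em0 -z ./test.sh -w dump` would satisfy it. The wrapper removes the file-write and command-execution switches; the capture itself still runs as root, so the binary and the wrapper must be root-owned and not writable by the sudo user.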


