OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Oliver Fromme (olli_at_secnetix.de)
Date: Sat Jul 13 2002 - 12:31:27 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    FreeBSD Security Advisories <security-advisoriesfreebsd.org> wrote:
    > [...]
    > IV. Workaround
    >
    > There is no workaround, other than not using tcpdump.

    Well, you can at least set up the system in a way so you
    don't have to run tcpdump as root: Create a special group,
    chgrp /dev/bpf* to that group and make them group-readable
    (writable is not required). Then add all users to that
    group which should be allowed to use tcpdump.

    An even better approach would be to create a pseudo user
    (similar to the nobody user) which is a member of the
    tcpdump group, and write a small wrapper script which
    uses /usr/bin/su to call tcpdump as that pseudo-user.

    Of course, that's only a quick workaround, not a solution.
    It wouldn't close any potentially exploitable holes, but it
    would make it a lot harder (maybe even impossible) for an
    attacker to actually do any damage that way.

    On a related matter: It would probably be a very good idea
    for tcpdump to drop priviledges right after opening the BPF
    device.

    Regards
       Oliver

    -- 
    Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
    Any opinions expressed in this message may be personal to the author
    and may not necessarily reflect the opinions of secnetix in any way.
    

    "All that we see or seem is just a dream within a dream" (E. A. Poe)

    To Unsubscribe: send mail to majordomoFreeBSD.org with "unsubscribe freebsd-security" in the body of the message