Date: Wed, 11 Dec 96 14:29:42 +0100
From: cracauer@wavehh.hanse.de (Martin Cracauer)
To: freebsd-security@freebsd.org
Subject: Re: Risk of having bpf0? (was URGENT: Packet sniffer found on my system)
Message-ID: <9612111329.AA16058@wavehh.hanse.de>
References: <199612110353.OAA21602@genesis.atrad.adelaide.edu.au> <199612110432.UAA10905@root.com>
>>> What are people's feelings on enabling devices like bpf or snp
>>> in the kernel on a public server? Obviously, had I not compiled bpf
>>> into the shell and Web server kernels, this particular incident would
>>> never have happened. However, I like to have access to tcpdump to
>>> check for things like ping floods, and trafshow to see where bytes are
>>> being sent.
>>
>> Evil evil evil. Definitely never on a public server; bpf lets you do
>> lots more than just snoop, it makes it possible (easier) to spoof as
>> well.

As far as I understand, BPF in the kernel is only a risk when someone
gets root rights, not? In that case, if you don't have BPF in the kernel
the person in question could also ftp a new kernel and wait for the next
reboot.

What am I overlooking? What makes BPF dangerous as long as no one has
root access to the machine? And in what way can BPF make spoofing
easier?

Martin
-- 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Martin_Cracauer@wavehh.hanse.de http://cracauer.cons.org Fax.: +4940 5228536
"As far as I'm concerned, if something is so complicated that you can't
explain it in 10 seconds, then it's probably not worth knowing anyway" - Calvin
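The premise of the message above is that bpf is only reachable by root, so a compiled-in bpf adds no exposure until root is already lost. That premise rests on the permissions of the device nodes, which is something an administrator can verify rather than assume. The following audit script is an added example written for this page, not code from the thread or from FreeBSD; it assumes the device nodes are named `/dev/bpf*` and flags any that are owned by a uid other than 0 or carry any group/other permission bits. The directory and expected uid arguments exist only so the check can be run against a test fixture.

```shell
#!/bin/sh
# Added example (not from the original thread): report bpf device nodes that
# are reachable by anyone other than root. Uses only POSIX sh and ls -n, so
# it runs unchanged on BSD and Linux.
#
# usage: audit_bpf_perms [directory] [expected_uid]
#   directory    where the bpf nodes live (default /dev)
#   expected_uid numeric owner the nodes must have (default 0 = root)
# Exit status is the number of offending nodes, 0 when everything is root-only.
audit_bpf_perms() {
    dir="${1:-/dev}"
    want_uid="${2:-0}"
    bad=0
    for dev in "$dir"/bpf*; do
        [ -e "$dev" ] || continue            # glob matched nothing: no bpf nodes
        # ls -ldn prints: mode links uid gid ... ; -n gives a numeric uid so we
        # do not depend on passwd lookups. Save our args before set -- clobbers $1.
        set -- $(ls -ldn "$dev")
        mode="$1"
        uid="$3"
        # Characters 5-10 of the mode string are the group and other bits.
        grp_other="$(printf '%s' "$mode" | cut -c5-10)"
        if [ "$uid" != "$want_uid" ] || [ "$grp_other" != "------" ]; then
            printf 'WARN %s mode=%s uid=%s (expected uid %s, mode ??????------)\n' \
                "$dev" "$mode" "$uid" "$want_uid"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run directly: audit the live /dev and report.
if [ "${0##*/}" = "audit_bpf_perms.sh" ]; then
    if audit_bpf_perms; then
        echo "OK: no bpf device nodes reachable by non-root users"
    fi
fi
```

A clean result only confirms the quoted premise for the bpf path: it says nothing about other avenues to packet capture or injection, and it does not address the second question in the message (what bpf gives an attacker who already holds root). It does turn "bpf is root-only" from an assumption into a checked fact, which is the part an operator can act on.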