From owner-freebsd-security Wed Dec 11 14:33:19 1996
Return-Path:
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.4/8.8.4) id OAA14504
          for security-outgoing; Wed, 11 Dec 1996 14:33:19 -0800 (PST)
Received: from agora.rdrop.com (root@agora.rdrop.com [199.2.210.241])
          by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id OAA14496
          for ; Wed, 11 Dec 1996 14:33:16 -0800 (PST)
Received: from irbs.irbs.com by agora.rdrop.com with smtp
          (Smail3.1.29.1 #17) id m0vXsGy-00093EC; Wed, 11 Dec 96 09:16 PST
Received: (from jc@localhost)
          by irbs.irbs.com (8.8.4/8.8.4) id MAA09172; Wed, 11 Dec 1996 12:12:07 -0500 (EST)
Message-ID:
Date: Wed, 11 Dec 1996 12:12:06 -0500
From: jc@irbs.com (John Capo)
To: freebsd-security@freebsd.org
Subject: Re: Risk of having bpf0? (was URGENT: Packet sniffer found on my system)
References: <199612110353.OAA21602@genesis.atrad.adelaide.edu.au> <199612110432.UAA10905@root.com>
X-Mailer: Mutt 0.51
Mime-Version: 1.0
X-Organization: IRBS Engineering, (954) 792-9551
In-Reply-To: <199612110432.UAA10905@root.com>; from David Greenman on Dec 10, 1996 20:32:02 -0800
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Quoting David Greenman (dg@root.com):
>
> I made the mistake of putting bpf in freefall's kernel a long time ago and
> forgot it was in there. Someone eventually took advantage of that and used it
> to sniff passwords at Walnut Creek CDROM. This led to a serious break-in on
> wcarchive. Needless to say, bpf is no longer in freefall's kernel. It was

Are you saying that there is a way for a normal user to use bpf when
permissions should prevent access?

crw------- 1 root wheel 23, 0 Sep 13 17:34 /dev/bpf0

Or were the permissions wrong on freefall?

John Capo