Date:      Sun, 14 Jul 2002 03:06:13 +0000
From:      Dragos Ruiu <dr@kyx.net>
To:        "Crist J. Clark" <cjc@FreeBSD.ORG>, "Crist J. Clark" <crist.clark@attbi.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-02:29.tcpdump
Message-ID:  <200207140306.13058.dr@kyx.net>
In-Reply-To: <20020714085734.GD56656@blossom.cjclark.org>
References:  <200207122046.g6CKk2tG099856@freefall.freebsd.org> <200207131731.g6DHVRs92032@lurza.secnetix.de> <20020714085734.GD56656@blossom.cjclark.org>

Or as a workaround use snort.  It's been heavily audited and
has a much smaller and easier to debug decode engine.
Save files off line and use ethereal if the minimal decode engine
is insufficient.

Run chrooted if feeling insecure still. (see man page and faq)

cheers,
--dr

Sigh... and I thought tcpdump had been through the fires....
It's gonna wind up giving sendmail a run for the money
for the "Pit of Infinite Flaws" title :-).

On July 14, 2002 08:57 am, Crist J. Clark wrote:
> On Sat, Jul 13, 2002 at 07:31:27PM +0200, Oliver Fromme wrote:
> > FreeBSD Security Advisories <security-advisories@freebsd.org> wrote:
> >  > [...]
> >  > IV.  Workaround
> >  >
> >  > There is no workaround, other than not using tcpdump.
> >
> > Well, you can at least set up the system in a way so you
> > don't have to run tcpdump as root:  Create a special group,
> > chgrp /dev/bpf* to that group and make them group-readable
> > (writable is not required).  Then add all users to that
> > group which should be allowed to use tcpdump.
>
> tcpdump(8) can still be exploited to run arbitrary code as that user.
>
> > An even better approach would be to create a pseudo user
> > (similar to the nobody user) which is a member of the
> > tcpdump group, and write a small wrapper script which
> > uses /usr/bin/su to call tcpdump as that pseudo-user.
> >
> > Of course, that's only a quick workaround, not a solution.
>
> It's not really a workaround, it just mitigates the potential for
> damage should the bug be exploited.
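
As an added example (not code from this thread, nor from FreeBSD or tcpdump), here is the setup Oliver describes above as a POSIX shell script: a dedicated group for the bpf(4) nodes, /dev/bpf* made group-readable but not writable, and a wrapper that uses /usr/bin/su to run tcpdump as a pseudo-user. The group name "bpf", the pseudo-user "_tcpdump", the wrapper path /usr/local/sbin/tcpdump-unpriv and the pw(8) invocations are my assumptions. The device directory is a parameter so the permission functions can be tried against a scratch directory before touching the live /dev. As Crist notes, this only limits what an exploit can do; the tcpdump decoder bug itself is unchanged.

```shell
#!/bin/sh
# Added example, not code from the thread: privilege separation for
# tcpdump(8) on FreeBSD as described above, i.e. a dedicated group for
# the bpf(4) device nodes, group-readable (not writable) /dev/bpf*, and
# a wrapper that runs tcpdump as an unprivileged pseudo-user via su(1).
# Assumed names: group "bpf", pseudo-user "_tcpdump", wrapper path
# /usr/local/sbin/tcpdump-unpriv. The device directory is a parameter so
# the functions can be exercised against a scratch directory.

# Make every bpf node under $1 owned by group $2 with mode 0640:
# root can read/write, the group can read, everyone else gets nothing.
restrict_bpf_nodes() {
    devdir=$1
    group=$2
    for node in "$devdir"/bpf*; do
        [ -e "$node" ] || continue          # unmatched glob: no nodes
        chgrp "$group" "$node" || return 1
        chmod 0640 "$node" || return 1
    done
    return 0
}

# Print each bpf node under $1 that is still group-writable or grants any
# permission to "other"; prints nothing once the nodes are locked down.
# Parses ls(1) rather than stat(1) so it works on BSD and GNU userland.
audit_bpf_nodes() {
    devdir=$1
    for node in "$devdir"/bpf*; do
        [ -e "$node" ] || continue
        mode=$(ls -ld "$node" | cut -c1-10)   # e.g. crw-r-----
        case "$mode" in
            ?????w????|???????[!-]??|????????[!-]?|?????????[!-])
                echo "$node $mode" ;;
        esac
    done
}

# Write an executable wrapper at $1 that runs tcpdump as account $2.
# FreeBSD su(1) hands the arguments after the login name to the target
# user's shell, so that shell sees: -c 'exec /usr/sbin/tcpdump "$@"' sh
# <args>, and the caller's tcpdump arguments pass through unchanged.
# The wrapper is meant to be run by root (or through sudo); a non-root
# caller would be prompted for the pseudo-user's password.
write_tcpdump_wrapper() {
    wrapper=$1
    user=$2
    cat > "$wrapper" <<EOF
#!/bin/sh
# Run tcpdump as the unprivileged account "$user"; arguments pass through.
exec /usr/bin/su $user -c 'exec /usr/sbin/tcpdump "\$@"' sh "\$@"
EOF
    chmod 0755 "$wrapper"
}

# Full installation on a FreeBSD host; needs root and only runs when the
# script is invoked with the argument "install".
# The pseudo-user gets /bin/sh as its shell because su(1) executes the
# target user's login shell; /sbin/nologin would refuse the command.
# On a devfs(5) system the modes set on /dev/bpf* do not survive a
# reboot; make them persistent with devfs.rules(5).
install_privsep() {
    pw groupadd bpf 2>/dev/null || true
    pw useradd _tcpdump -g bpf -d /nonexistent -s /bin/sh \
        -c "tcpdump pseudo-user" 2>/dev/null || true
    restrict_bpf_nodes /dev bpf
    write_tcpdump_wrapper /usr/local/sbin/tcpdump-unpriv _tcpdump
    audit_bpf_nodes /dev     # should print nothing
}

if [ "${1:-}" = "install" ]; then
    install_privsep
fi
```

Usage on the target host: run the script as root with the argument "install", then give the operators who need captures sudo (or another root path) to /usr/local/sbin/tcpdump-unpriv instead of to /usr/sbin/tcpdump; audit_bpf_nodes can be re-run at any time to confirm no bpf node has drifted back to world-readable.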

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200207140306.13058.dr>