From owner-freebsd-security@FreeBSD.ORG Tue Aug 24 20:15:03 2010
Message-ID: <4C74242B.9090207@johnea.net>
Date: Tue, 24 Aug 2010 12:57:07 -0700
From: freebsd@johnea.net
To: freebsd-security@freebsd.org
Subject: implementing SNI

Hello out there,

Implementing the SNI extension, to permit encrypted virtual web domain service, seems to be spreading. I hope I'm not too far OT in asking this list for advice on making this transition on FreeBSD.

The first server to be migrated is currently running: 7.1-RELEASE-p13 with the base openssl 0.9.8.e and apache 2.2.13

Several options seem to be available:

1) upgrade the openssl in the existing 7.1 release
2) migrate to gnuTLS in the existing 7.1 release
3) upgrade freebsd to 8.1 with openssl 0.9.8n

I'm pre-inclined towards upgrading the OS to 8.1.
The primary concerns I've considered revolve around moving the installed ports through this upgrade with minimal downtime. Could anyone please offer advice on the openssl upgrade issues involved in such a migration?

In addition to apache, this server is a pretty loaded toaster, also hosting DNS with bind9, virtual mail domains with postfix, courier-imap/authlib, and mysql, and shell accounts via openssh.

A simpler question that I've been unable to resolve: Does the openssl of 8.1-RELEASE enable the TLS extensions, including SNI, by default? If I have to rebuild from source to enable this feature anyway, it takes some of the incentive out of migrating the OS now.

Thanks for any insight or experience you're able to share!

johnea

From owner-freebsd-security@FreeBSD.ORG Tue Aug 24 20:46:59 2010
Message-ID: <4C742FB5.9030503@delphij.net>
Date: Tue, 24 Aug 2010 13:46:45 -0700
From: Xin LI
Reply-To: d@delphij.net
Organization: The Geek China Organization
To: freebsd-security@freebsd.org
In-Reply-To: <4C74242B.9090207@johnea.net>
Subject: Re: implementing SNI

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2010/08/24 12:57, freebsd@johnea.net wrote:
[...]
> A simpler question that I've been unable to resolve: Does the openssl of
> 8.1-RELEASE enable the TLS extensions, including SNI, by default? If I

Yes.

Cheers,
- --
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (FreeBSD)

iQEcBAEBCAAGBQJMdC+1AAoJEATO+BI/yjfB4j0IAIATQIxzpsMnTqF3mm+f5LTZ
NXS8LE465KxzxH1ebbDEyGVNhe3w40PXipZArYlhKP+s4z0FXLyi6SZRcCf4/vpM
AF3+VJL465twk9Grzeko9WyNk2NS5Q8XxagCR6FRkGeP4ogWVPrbBGc8PE3BzO2d
3jOs1XSv3pe99qVvC4nF5tSSMajWMZkrlZUFB/d3AsTSrcKlE2qqRN8w5xI/SNVP
mXFQ36dazA/ecmB6EvNrg+CiLscDDrLIQsPkqqgZ6RZzPUr0Wg/suVn8SMucarvo
D9HafQNfOGpQklvQjLmCNiQtmPh/eV/e9O5EJJ+I91dT6q9cB1ZVmAgSHkAJgvU=
=ej/j
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 08:48:05 2010
Date: Fri, 27 Aug 2010 08:32:50 +0000 (UTC)
From: Vadim Goncharov
Organization: Nuclear Lightning @ Tomsk, TPU AVTF Hostel
To: freebsd-security@freebsd.org
Subject: tcpdump -z
Reply-To: vadim_nuclight@mail.ru

Hi,

This is a forwarded message from the tcpdump-workers mail list:

=== 8< ================ >8 ===
From: ef
Subject: tcpdump -z: command execution
Date: Fri, 27 Aug 2010 09:33:48 +0200
To: tcpdump-workers@lists.tcpdump.org

Hello,

Thx for tcpdump, very valuable tool!

Was looking at the new version of tcpdump a few days ago and saw this option:

"
-z     Used in conjunction with the -C or -G options, this will make tcpdump run "command file" where file is the savefile being closed after each rotation. For example, specifying -z gzip or -z bzip2 will compress each savefile using gzip or bzip2.
       Note that tcpdump will run the command in parallel to the capture, using the lowest priority so that this doesn't disturb the capture process.
       And in case you would like to use a command that itself takes flags or different arguments, you can always write a shell script that will take the savefile name as the only argument, make the flags & arguments arrangements and execute the command that you want.
"

I think there are many environments that restrict users but give access to tcpdump via sudo. With this option tcpdump can execute any command:

$ ./tcpdump -V
tcpdump version 4.1.1
$ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
[sudo] password for user:
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
(generate some traffic on port 55555)
root@blaa ~/temp/tcpdump-4.1.1$ id
uid=0(root) gid=0(root) groups=0(root)

$ cat test.sh:
#!/bin/bash
/bin/bash

Is this known and accepted? Could this option maybe be implemented differently?

Regards,
tazo
=== 8< ================ >8 ===

--
WBR, Vadim Goncharov.
ICQ#166852181 mailto:vadim_nuclight@mail.ru [Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]

From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 11:33:25 2010
Message-ID: <4C77A267.10102@thelostparadise.com>
Date: Fri, 27 Aug 2010 13:32:55 +0200
From: Pieter de Boer
To: vadim_nuclight@mail.ru
Cc: freebsd-security@freebsd.org
Subject: Re: tcpdump -z
On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
> This is a forwarded message from the tcpdump-workers mail list:
> === 8< ================>8 ===
> $ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
> [sudo] password for user:
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size
> 65535 bytes
> (generate some traffic on port 55555)
> root@blaa ~/temp/tcpdump-4.1.1$ id
> uid=0(root) gid=0(root) groups=0(root)
>
> Is this known and accepted? Could this option maybe be implemented
> differently?

In my opinion, if you allow people to run tools as root using sudo, you'd better make sure those tools don't allow attackers to easily gain root access. In the case of tcpdump, the '-w' flag most probably already allowed that, although '-z' is a bit more convenient to the attacker.

As a solution, configure your sudo correctly, only allowing specific tcpdump command line options (or option sets) to be used.
--
Pieter

From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 13:30:36 2010
Date: Fri, 27 Aug 2010 15:02:43 +0200
From: Andy Kosela
To: Pieter de Boer
In-Reply-To: <4C77A267.10102@thelostparadise.com>
Cc: vadim_nuclight@mail.ru, freebsd-security@freebsd.org
Subject: Re: tcpdump -z

On Fri, Aug 27, 2010 at 1:32 PM, Pieter de Boer wrote:
> On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
>
>> This is a forwarded message from the tcpdump-workers mail list:
>> === 8< ================>8 ===
>> $ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
>> [sudo] password for user:
>> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture
>> size
>> 65535 bytes
>> (generate some traffic on port 55555)
>> root@blaa ~/temp/tcpdump-4.1.1$ id
>> uid=0(root) gid=0(root) groups=0(root)
>>
>> Is this known and accepted? Could this option maybe be implemented
>> differently?
>
> In my opinion, if you allow people to run tools as root using sudo, you'd
> better make sure those tools don't allow attackers to easily gain root
> access. In the case of tcpdump, the '-w' flag most probably already allowed
> that, although '-z' is a bit more convenient to the attacker.
>
> As a solution, configure your sudo correctly, only allowing specific tcpdump
> command line options (or option sets) to be used.
>

If you care about security I would definitely dump sudo(8) in the first place...
Andy

From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 14:10:40 2010
Message-ID: <5d88fc9506514cabc7390e66a1f9872f@localhost>
Date: Fri, 27 Aug 2010 14:53:54 +0100
From: Marian Hettwer
To: Andy Kosela
Cc: vadim_nuclight@mail.ru, freebsd-security@freebsd.org, Pieter de Boer
Subject: Re: tcpdump -z

On Fri, 27 Aug 2010 15:02:43 +0200, Andy Kosela wrote:
>
> If you care about security I would definitely dump sudo(8) in the
> first place...
>
Why is that? I'd like to hear some good reasons why one should not use sudo(8) if one's interested in security.

Quite the opposite is true, imo.

So... hej, do you have facts to backup that claim? I'd be really interested!
./Marian

From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 14:27:08 2010
Date: Fri, 27 Aug 2010 15:27:07 +0100
From: István
To: Marian Hettwer
Cc: vadim_nuclight@mail.ru, freebsd-security@freebsd.org, Andy Kosela, Pieter de Boer
In-Reply-To: <5d88fc9506514cabc7390e66a1f9872f@localhost>
Subject: Re: tcpdump -z

Well to be honest I don't see any case when I want to give sudo+tcpdump access to any user on my box. And those who are admins/roots anyway the "su -" just works perfectly and they can run tcpdump.

IMHO

I.

On Fri, Aug 27, 2010 at 2:53 PM, Marian Hettwer wrote:
> On Fri, 27 Aug 2010 15:02:43 +0200, Andy Kosela wrote:
> >
> > If you care about security I would definitely dump sudo(8) in the
> > first place...
> >
> Why is that? I'd like to hear some good reasons why one should not use
> sudo(8) if one's interested in security.
>
> Quite the opposite is true, imo.
>
> So... hej, do you have facts to backup that claim? I'd be really
> interested!
>
> ./Marian
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

--
the sun shines for all
http://l1xl1x.blogspot.com

From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 14:31:15 2010
Message-ID: <4C77CC2E.4030408@thedarkside.nl>
Date: Fri, 27 Aug 2010 16:31:10 +0200
From: Pieter de Boer
To: István
Cc: freebsd-security@freebsd.org
In-Reply-To: (message from István above)
Subject: Re: tcpdump -z

On 08/27/2010 04:27 PM, István wrote:
> Well to be honest I don't see any case when I want to give sudo+tcpdump
> access to any user on my box. And those who are admins/roots anyway the "su
> -" just works perfectly and they can run tcpdump.
>
I simply change the permissions on /dev/bpf* so that some mortal users can run tcpdump directly. It isn't as granular as a well-configured sudo, but worksforme.
--
Pieter

From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 14:32:21 2010
Date: Fri, 27 Aug 2010 15:32:18 +0100
From: Marian Hettwer
To: István
Cc: vadim_nuclight@mail.ru, freebsd-security@freebsd.org, Andy Kosela, Pieter de Boer
Subject: Re: tcpdump -z

On Fri, 27 Aug 2010 15:27:07 +0100, István wrote:
> Well to be honest I don't see any case when I want to give sudo+tcpdump
> access to any user on my box. And those who are admins/roots anyway the "su
> -" just works perfectly and they can run tcpdump.
>
Well, that wasn't an answer to my question or the claim of Andy.
In fact, if you need to give access to some root-only binaries to a normal user, sudo(8) is the way to go.
With "su -" you would allow full root-access, even though you might just want to allow specific commands to an unprivileged user.

so. ehm. no!
In fact, I would suggest to disable root, so that su - doesn't work at all.

./Marian

From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 16:25:57 2010
Message-ID: <20100827162556.GB14492@calvin.ustdmz.roe.ch>
Date: Fri, 27 Aug 2010 18:25:56 +0200
From: Daniel Roethlisberger
To: freebsd-security@freebsd.org
In-Reply-To: <4C77A267.10102@thelostparadise.com>
Subject: Re: tcpdump -z

Pieter de Boer 2010-08-27:
> On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
> >This is a forwarded message from the tcpdump-workers mail list:
> >=== 8< ================>8 ===
> >$ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
> >[sudo] password for user:
> >tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size
> >65535 bytes
> >(generate some traffic on port 55555)
> >root@blaa ~/temp/tcpdump-4.1.1$ id
> >uid=0(root) gid=0(root) groups=0(root)
> >
> >Is this known and accepted? Could this option maybe be implemented
> >differently?
>
> In my opinion, if you allow people to run tools as root using sudo,
> you'd better make sure those tools don't allow attackers to easily gain
> root access. In the case of tcpdump, the '-w' flag most probably already
> allowed that, although '-z' is a bit more convenient to the attacker.
>
> As a solution, configure your sudo correctly, only allowing specific
> tcpdump command line options (or option sets) to be used.

Or use NOEXEC on the tcpdump spec in your sudo configuration, see sudoers(5) for details.

--
Daniel Roethlisberger
http://daniel.roe.ch/

From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 16:38:17 2010
Message-ID: <2d1a9e69fe9c17161df35fd248a40882@localhost>
Date: Fri, 27 Aug 2010 17:38:14 +0100
From: Marian Hettwer
To: Aldis Berjoza
Cc: Andy Kosela, Pieter de Boer, vadim_nuclight@mail.ru, freebsd-security@freebsd.org, István
Subject: Re: tcpdump -z
On Fri, 27 Aug 2010 19:20:57 +0300, "Aldis Berjoza" wrote:
> On Fri, 27 Aug 2010 17:32:18 +0300, Marian Hettwer wrote:
>
>> On Fri, 27 Aug 2010 15:27:07 +0100, István wrote:
>>
>>> Well to be honest I don't see any case when I want to give sudo+tcpdump
>>> access to any user on my box. And those who are admins/roots anyway the
>> "su
>>> -" just works perfectly and they can run tcpdump.
>>>
>> Well, that wasn't an answer to my question or the claim of Andy.
>> In fact, if you need to give access to some root-only binaries to a
>> normal user, sudo(8) is the way to go.
>> With "su -" you would allow full root-access, even though you might
>> just want to allow specific commands to an unprivileged user.
>>
>> so. ehm. no!
>> In fact, I would suggest to disable root, so that su - doesn't work at
>> all.
>>
>> ./Marian
>
> Ye, and once sudo is broken (somehow, for whatever reason) you have
> lots of fun (especially on servers) :D

Well, yeah, if it's up to me, I'd like to see sudo in BASE, as OpenBSD does it :)

./Marian

From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 16:39:34 2010
Date: Fri, 27 Aug 2010 19:20:57 +0300
From: "Aldis Berjoza"
To: István, "Marian Hettwer"
Cc: vadim_nuclight@mail.ru, freebsd-security@freebsd.org, Andy Kosela, Pieter de Boer
Subject: Re: tcpdump -z

On Fri, 27 Aug 2010 17:32:18 +0300, Marian Hettwer wrote:
> On Fri, 27 Aug 2010 15:27:07 +0100, István wrote:
>
>> Well to be honest I don't see any case when I want to give sudo+tcpdump
>> access to any user on my box. And those who are admins/roots anyway the
>> "su
>> -" just works perfectly and they can run tcpdump.
>>
> Well, that wasn't an answer to my question or the claim of Andy.
> In fact, if you need to give access to some root-only binaries to a
> normal user, sudo(8) is the way to go.
> With "su -" you would allow full root-access, even though you might
> just want to allow specific commands to an unprivileged user.
>
> so. ehm. no!
> In fact, I would suggest to disable root, so that su - doesn't work at
> all.
>
> ./Marian

Ye, and once sudo is broken (somehow, for whatever reason) you have lots of fun (especially on servers) :D

--
Aldis Berjoza

From owner-freebsd-security@FreeBSD.ORG Fri Aug 27 17:44:16 2010
Date: Fri, 27 Aug 2010 19:44:15 +0200
From: Andy Kosela To: freebsd-security@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Subject: Re: tcpdump -z X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Aug 2010 17:44:16 -0000 On Fri, Aug 27, 2010 at 6:20 PM, Aldis Berjoza wrote: > On Fri, 27 Aug 2010 17:32:18 +0300, Marian Hettwer wrote: >> In fact, I would suggest to disable root, so that su - doesn't work at >> all. >> >> ./Marian > > Ye, and once sudo is broken (somehow, for whatever reason) you have lot's of > fun (especially on servers) :D Yes. Sudo(8) also just adds another complexity level to a very crucial UNIX authentication mechanisms. I would say that if any of your users need to run root-specific commands (including tcpdump(1)) then something is not right, and it's only a matter of time when you will be having some serious problems. I'm not even mentioning that sudo(8) like any other binary in the system is exploitable and it has a history of security holes (especially in the way it parses its configuration file). Anyway, discussion about including sudo(8) in the BASE comes back here about every five years or so, but as the general consensus is that a *correctly* configured sudo(8) is not that bad, it's not that good either for being a substitute for an overall solid security policy. 
Andy From owner-freebsd-security@FreeBSD.ORG Sat Aug 28 00:41:12 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5CC4D1065670 for ; Sat, 28 Aug 2010 00:41:12 +0000 (UTC) (envelope-from leccine@gmail.com) Received: from mail-iw0-f182.google.com (mail-iw0-f182.google.com [209.85.214.182]) by mx1.freebsd.org (Postfix) with ESMTP id 1BD4F8FC14 for ; Sat, 28 Aug 2010 00:41:11 +0000 (UTC) Received: by iwn36 with SMTP id 36so3502934iwn.13 for ; Fri, 27 Aug 2010 17:41:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=MBYdYJ2VLRUG1s0hqLHvZ0KtFJvxUya2eoz9PbwTrRw=; b=WcMpqdq1v6Q1goMPLCTn4QKTbKQ+3tMuGK/WJ55M+kPJkvzdT9IrzTzzp8hUd1GgK9 ERcZv6Kml/2Jr8sKjKXE67GQZalk/1lZqo7fC72nP91oPch6oYQF6r8HFbM8Mc8+st85 iVuwNdiFx7KetuVWU/D1fruzDPMgtbCUZkQwA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=Z04yqdIWHtv3JTGfI/Ej1RyPkVkyfhhAlirEOVw+/3to+T8zAQNovvAkHk9uicrO8c O2mz2KIFDU9v91qZbL7x2NosE7E3MfF0u0wX35AGPzgx8jEYXd4KxiVVTRv7ifuWUS37 iurA64b1mTZp8A4Ahrt+6r6naUZV5BGa7+YZk= MIME-Version: 1.0 Received: by 10.231.30.68 with SMTP id t4mr1911447ibc.129.1282956070978; Fri, 27 Aug 2010 17:41:10 -0700 (PDT) Received: by 10.231.36.74 with HTTP; Fri, 27 Aug 2010 17:41:10 -0700 (PDT) In-Reply-To: References: <4C77A267.10102@thelostparadise.com> <5d88fc9506514cabc7390e66a1f9872f@localhost> Date: Sat, 28 Aug 2010 01:41:10 +0100 Message-ID: From: =?UTF-8?Q?Istv=C3=A1n?= To: Marian Hettwer Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: vadim_nuclight , freebsd-security , Andy Kosela , Pieter de Boer Subject: Re: tcpdump -z 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 28 Aug 2010 00:41:12 -0000 i know this attitude from previous experience when sysadmins are afraid of using root shell in general.using sudo is uncomfortable starting with this simple example: $ sudo cat /dev/null >/root/lol bash: /root/lol: Permission denied of course you can work around that but if you say this is efficient i think you are mad :) On Fri, Aug 27, 2010 at 3:32 PM, Marian Hettwer wrote: > On Fri, 27 Aug 2010 15:27:07 +0100, Istv=C3=A1n wrote= : > > > Well to be honest i don't see any case when i want to give sudo+tcpdump > > access to any user on my box. And those who are admins/roots anyway the > "su > > -" just works perfectly and they can run tcpdump. > > > Well, that wasn't an answer to my question or the claim of Andy. > In fact, if you need to give access to some root-only binaries to a > normal user, sudo(8) is the way to go. > With "su -" you would allow full root-access, even though you might > just want to allow specific commands to an unprivileged user. > > so. ehm. no! > In fact, I would suggest to disable root, so that su - doesn't work at > all. > > ./Marian > > --=20 the sun shines for all http://l1xl1x.blogspot.com
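The "Permission denied" in István's example is raised by the caller's shell, which opens the redirect target before sudo ever runs, so the open happens with the unprivileged user's rights. The script below is an added demonstration, not code from the thread; `fakesudo` is a constructed stand-in for sudo(8) that models the privilege switch with umask 077 instead of a uid change, so the three forms can be compared without root.

```shell
#!/bin/sh
# Added demonstration (not from the thread). A file created on the caller's
# side of the boundary gets umask 022 (mode 0644); one created on the
# "privileged" side, under fakesudo's umask 077, gets mode 0600. The mode
# therefore tells us which side actually opened the redirect target.
set -u
umask 022                                   # the caller's interactive shell

fakesudo() { ( umask 077; "$@" ); }         # constructed stand-in for sudo(8)

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Which side of the boundary created $1? Decided from its permission bits.
opener_of() {
    case $(ls -ld "$1" | cut -c2-10) in
        rw-------) echo privileged-side ;;   # created under fakesudo (umask 077)
        *)         echo caller-side ;;       # created by the caller's shell
    esac
}

# The form from the thread: the outer shell opens the target, then runs fakesudo.
# With real sudo this open is done as the unprivileged user and fails on /root.
redirect_outside_sudo() {
    rm -f "$WORK/outside"
    fakesudo cat /dev/null > "$WORK/outside"
    opener_of "$WORK/outside"
}

# Workaround 1: put the redirect inside a shell that itself runs under sudo.
redirect_inside_sh_c() {
    rm -f "$WORK/inside"
    fakesudo sh -c "cat /dev/null > '$WORK/inside'"
    opener_of "$WORK/inside"
}

# Workaround 2: let a privileged tee(1) open the file; the pipe carries the data.
redirect_via_tee() {
    rm -f "$WORK/tee"
    cat /dev/null | fakesudo tee "$WORK/tee" > /dev/null
    opener_of "$WORK/tee"
}

printf 'sudo cmd > file      : opened on the %s\n' "$(redirect_outside_sudo)"
printf "sudo sh -c 'cmd > f' : opened on the %s\n" "$(redirect_inside_sh_c)"
printf 'cmd | sudo tee file  : opened on the %s\n' "$(redirect_via_tee)"
```

Both workarounds widen what the sudo rule must permit (a shell, or tee writing to any path), which is the trade-off Marian's "specific commands only" argument runs into.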