Date:      Sat, 13 Jul 2002 19:31:27 +0200 (CEST)
From:      Oliver Fromme <olli@secnetix.de>
To:        freebsd-security@FreeBSD.ORG, security-advisories@FreeBSD.ORG
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-02:29.tcpdump
Message-ID:  <200207131731.g6DHVRs92032@lurza.secnetix.de>
In-Reply-To: <200207122046.g6CKk2tG099856@freefall.freebsd.org>

FreeBSD Security Advisories <security-advisories@freebsd.org> wrote:
 > [...]
 > IV.  Workaround
 > 
 > There is no workaround, other than not using tcpdump.

Well, you can at least set up the system in a way so you
don't have to run tcpdump as root:  Create a special group,
chgrp /dev/bpf* to that group and make them group-readable
(writable is not required).  Then add all users to that
group which should be allowed to use tcpdump.

An even better approach would be to create a pseudo user
(similar to the nobody user) which is a member of the
tcpdump group, and write a small wrapper script which
uses /usr/bin/su to call tcpdump as that pseudo-user.

Of course, that's only a quick workaround, not a solution.
It wouldn't close any potentially exploitable holes, but it
would make it a lot harder (maybe even impossible) for an
attacker to actually do any damage that way.

On a related matter:  It would probably be a very good idea
for tcpdump to drop privileges right after opening the BPF
device.

Regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"All that we see or seem is just a dream within a dream" (E. A. Poe)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
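The procedure in the mail above (a dedicated group owning `/dev/bpf*` with read-only group access, plus a pseudo-user and a `su`-based wrapper) as an added example script; it is not code from the mail, from FreeBSD or from the tcpdump project. The group name `bpf`, the user name `_tcpdump`, the wrapper path, the `pw(8)` invocations and the `stat -f %Lp` output format are this example's own assumptions; applying it needs root on a FreeBSD host, and on a devfs(5) system the ownership and mode also have to be repeated in `/etc/devfs.conf` to survive a reboot.

```shell
#!/bin/sh
# Added example (not from the original mail or from FreeBSD): apply the
# tcpdump workaround described above and check that it holds.
# Assumptions: FreeBSD, pw(8) present, run as root for "apply"; names
# "bpf", "_tcpdump" and the wrapper path are arbitrary choices.
#   ./bpf-unpriv.sh apply    create group/user, fix /dev/bpf*, write wrapper
#   ./bpf-unpriv.sh check    report bpf devices whose mode is too open
#   ./bpf-unpriv.sh wrapper  print the wrapper script to stdout

BPF_GROUP="${BPF_GROUP:-bpf}"
BPF_USER="${BPF_USER:-_tcpdump}"
WRAPPER="${WRAPPER:-/usr/local/sbin/tcpdump-unpriv}"

# Policy check on an octal mode string such as "640" or "0640" (the form
# `stat -f %Lp` is assumed to print): group gets read only, others get
# nothing.  Owner bits are left to root.  Returns 0 when the mode is fine.
bpf_mode_ok() {
    case "$1" in
        [0-7]40|[0-7][0-7]40) return 0 ;;
        *) return 1 ;;
    esac
}

# Text of the wrapper.  su(1) hands the trailing words to the pseudo-user's
# login shell (/bin/sh, set below), so the caller's arguments reach tcpdump
# as "$@" with their quoting intact.  The wrapper is meant to be run by
# root; after su, tcpdump itself holds no privileges except group "bpf".
wrapper_text() {
    cat <<EOF
#!/bin/sh
# Run tcpdump as $BPF_USER (group $BPF_GROUP) instead of root.
exec /usr/bin/su $BPF_USER -c 'exec /usr/sbin/tcpdump "\$@"' -- sh "\$@"
EOF
}

# Apply the workaround: group, pseudo-user, device ownership/mode, wrapper.
apply_workaround() {
    pw groupshow "$BPF_GROUP" >/dev/null 2>&1 || pw groupadd "$BPF_GROUP"
    pw usershow "$BPF_USER" >/dev/null 2>&1 || \
        pw useradd "$BPF_USER" -g "$BPF_GROUP" -d /nonexistent -s /bin/sh \
            -c "unprivileged tcpdump user"
    chgrp "$BPF_GROUP" /dev/bpf*
    chmod 640 /dev/bpf*            # root rw, group r, others nothing
    wrapper_text > "$WRAPPER"
    chmod 750 "$WRAPPER"           # only root (and its group) may run it
}

# Report every bpf device whose mode violates the policy; returns 1 if any.
check_devices() {
    rc=0
    for dev in /dev/bpf*; do
        [ -e "$dev" ] || continue
        mode=$(stat -f '%Lp' "$dev")
        if ! bpf_mode_ok "$mode"; then
            echo "$dev: mode $mode is not group-read-only" >&2
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    apply)   apply_workaround && check_devices ;;
    check)   check_devices ;;
    wrapper) wrapper_text ;;
    "")      ;;   # no argument: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 apply|check|wrapper" >&2; exit 64 ;;
esac
```

The `check` mode is the part worth keeping around: device nodes get recreated on reboot and by devfs rules, so a periodic run catches the case where `/dev/bpf*` has silently gone back to being readable by everyone or writable by the group.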