Andrew Pimlott wrote:
On Tue, Jan 20, 2004 at 11:57:42PM -0500, Jefferson Ogata wrote:
But the unix
security model is based upon userids, so if you think access to an
unprivileged userid is "almost" the same as root, it seems
tantamount to calling unix security "useless".

Not useless, just runs a distant second to keeping the bozo off your system in the first place.


Anyway, can we at least agree that giving the attacker nobody is
a little better than giving him root?  :-)

Sure. That's perhaps a nicer way of saying what I said before: almost as bad. Half-empty/half-full, etc.


I agree that a dedicated user is better.  However, I still think
that defaulting to nobody will protect people (to some degree) on
most systems, and I think the risk of nobody being a bad choice is
low (certainly it can't be worse than remaining root).  If nobody
doesn't exist, oh well.

You could also just pick an arbitrary numeric uid if nobody fails. So maybe try getpwnam("pcap") first, then getpwnam("nobody"), then find a uid > 1024 that is unused for your last-ditch default.


There's a big problem domain you're not fully treating, which is what happens when one process captures and writes to a pcap file, and someone else comes along and runs a protocol dissector on the saved file later. First, your patch is dropping privileges before opening the pcap file, which looks out of order to me.

This is important so that a setuid tcpdump (I can't imagine why anyone would do that, but it seems to be supported in the code) can't open root trace files, as mentioned in the existing comments. I didn't change this from the old behavior.

But then how can root read his own trace file when it's mode 0600? I think if ruid == euid you want to open the trace file before dropping privileges.


--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]

Reply via email to