tcpdump -z

[Daniel Roethlisberger]

Pieter de Boer <pieter at thelostparadise.com> 2010-08-27:
> On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
> >This is a froward message from tcpdump-workers mail list:
> >=== 8<  ================>8 ===
> >$ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
> >[sudo] password for user:
> >tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size
> >65535 bytes
> >(generate some traffic on port 55555)
> >root at blaa ~/temp/tcpdump-4.1.1$ id
> >uid=0(root) gid=0(root) groups=0(root)
> >
> >Is this known and accepted? Could this option maybe be implemented
> >differently?
> 
> In my opinion, if you allow people to run tools as root using sudo, 
> you'd better make sure those tools don't allow attackers to easily gain 
> root access. In the case of tcpdump, the '-w' flag most probably already 
> allowed that, although '-z' is a bit more convenient to the attacker.
> 
> As a solution, configure your sudo correctly, only allowing specific 
> tcpdump command line options (or option sets) to be used.

Or use NOEXEC on the tcpdump spec in your sudo configuration, see
sudoers(5) for details.

-- 
Daniel Roethlisberger
http://daniel.roe.ch/