tcpdump -z
Daniel Roethlisberger
daniel at roe.ch
Fri Aug 27 16:25:57 UTC 2010
Pieter de Boer <pieter at thelostparadise.com> 2010-08-27:
> On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
> >This is a froward message from tcpdump-workers mail list:
> >=== 8< ================>8 ===
> >$ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
> >[sudo] password for user:
> >tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size
> >65535 bytes
> >(generate some traffic on port 55555)
> >root at blaa ~/temp/tcpdump-4.1.1$ id
> >uid=0(root) gid=0(root) groups=0(root)
> >
> >Is this known and accepted? Could this option maybe be implemented
> >differently?
>
> In my opinion, if you allow people to run tools as root using sudo,
> you'd better make sure those tools don't allow attackers to easily gain
> root access. In the case of tcpdump, the '-w' flag most probably already
> allowed that, although '-z' is a bit more convenient to the attacker.
>
> As a solution, configure your sudo correctly, only allowing specific
> tcpdump command line options (or option sets) to be used.
Or use NOEXEC on the tcpdump spec in your sudo configuration, see
sudoers(5) for details.
--
Daniel Roethlisberger
http://daniel.roe.ch/
More information about the freebsd-security
mailing list