On Sat, Apr 20, 2002 at 04:27:18PM -0600, Lyndon Nerenberg wrote:
> >>>>> "Crist" == Crist J Clark <[EMAIL PROTECTED]> writes:
>     Crist> OK. Now you've really lost me. What do ports have to do with
>     Crist> this?  Which ports? None of the sniffing programs I am aware
>     Crist> of use set{g,u}id bits. They rely on the permissions of the
>     Crist> user running them.
> Sorry -- keyboard and brain disconnect on my part.  What I was trying to
> get at was the need to run sniffers as root by default.  The fewer
> things that need to be run as root, the better (e.g. I don't want snort
> and trafdump running as root on my firewalls if I can avoid it).
> Programs like snort can attempt to lose uid-0 after opening the bpf
> device, but others like tcpdump do not.
> As David Wolfskill mentioned in a previous message, this idea is the
> same as how the operator group is used for dump.  kmem did the same
> thing for ps and top.

These are actually very different in that they are set{u,g}id commands
(well, ps(1) is not set{u,g}id anymore and is root:wheel owned). The
sniffing tools we've been discussing, and pretty much all of the ones
I've used, tcpdump(1), snort(8), nmap(1), etc., are not. When
tcpdump(1) or one of these ports is installed, there is no reason to
give it any special group ownership. The thing that determines whether
someone can sniff is the {u,g}id of the user executing the
command. The port's Makefile doesn't need to know anything about your
/etc/group; it just installs the file -r-xr-x-r-x root:wheel. The
local administrator simply needs to execute the simple commands I put
in my last mail to give a group sniffing powers. The files'
permissions and ownership are never changed.

Since the ports would really make no use of a preordained 'bpf' group,
I still don't see what purpose it really serves to add one. I really
hesitate to add groups and change default ownerships after seeing the
_steady_ stream of mail that the smmsp:smmsp ownership of
/var/spool/mqueue the sendmail(8) upgrade created.
Crist J. Clark                     |     [EMAIL PROTECTED]
                                   |     [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/    |     [EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to