I have a patch I can apply that does setuid() to _ethereal once the
capture device is actually opened.
As I said in the original posting:
As far as security goes, it goes without saying:
Don't run ethereal in capture/decode mode as root.
Capture with tcpdump to a file and read with ethereal as a non-privileged user.
You can even chown _ethereal /dev/bpf* if you are really inclined to run it as
the primary capture device. Limit your captures to specific protocols you need
and nothing else.
Most of the time that there are exploits, it happens to deal with specific
dissectors that you do not care about.
So, say if you only want to capture web traffic then do so.
ethereal -R "http"
Or limit it with capture filters to specific ports
ethereal port 80
My .2 cents
On Thu, 8 Sep 2005, Jakob Schlyter wrote:
> On Thu, 8 Sep 2005, Matt Jibson wrote:
>> I believe that Ethereal has improved greatly since when it was removed from
>> ports.
> surely, but has security improved? does it have privsep? until that has
> changed, ethereal will not come back. sorry.
> jakob
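
The message above describes calling setuid() to _ethereal once the capture device is open. The following is an added example of that ordering in C; it is not the poster's patch or Ethereal code, and `drop_privileges` is a hypothetical helper. It assumes a POSIX system and falls back to the current ids when no `_ethereal` account exists.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Returns 0 on success, -1 on any failure;
 * the caller must exit on -1 rather than keep running with privileges. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                      /* refuse to "drop" to root */
    /* Supplementary groups can only be reset while still root, so they
     * go first, then gid, then uid. After setuid() the other two fail. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is complete and cannot be undone. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    /* Step 1 (as root): open the capture device, e.g. /dev/bpf*.
     * Omitted here so the example runs without a capture device. */

    /* Step 2: look up the unprivileged account named in the message. */
    struct passwd *pw = getpwnam("_ethereal");
    uid_t uid = pw ? pw->pw_uid : getuid();   /* fallback: assumption */
    gid_t gid = pw ? pw->pw_gid : getgid();

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "could not drop privileges, exiting\n");
        return 1;
    }
    /* Step 3: only now read packets and run dissectors. */
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

The already-open descriptor stays usable after the drop, but packet parsing still runs in the same process as the capture code, which is short of the privilege separation asked about in the quoted reply.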