Every once in a while there is a security alert about tcpdump being hackable through one of the many protocol analyzers. Couldn't these be prevented simply by unconditionally dropping privileges as soon as the interface is opened?
The following is a simple and briefly tested (on a Debian GNU/Linux system) patch I wrote to do this. I decided to try dropping back to nobody (whether we were originally run by root or another user), since this should give an attacker the least capacity for damage (at least on a standard unix system). Obviously, this could break anything that assumes we are running as the original user later, but I can't imagine why anything would do that. If it is a problem, there can be a flag to disable this patch, but I think the safest behavior should be the default. Andrew --- tcpdump.c.orig 2003-12-17 20:22:57.000000000 -0500 +++ tcpdump.c 2004-01-20 12:50:12.000000000 -0500 @@ -57,6 +57,7 @@ #endif /* WIN32 */ #include <pcap.h> +#include <pwd.h> #include <signal.h> #include <stdio.h> #include <stdlib.h> @@ -105,6 +106,7 @@ int32_t thiszone; /* seconds offset from gmt to local time */ /* Forwards */ +static void drop_privileges(); static RETSIGTYPE cleanup(int); static void usage(void) __attribute__((noreturn)); static void show_dlts_and_exit(pcap_t *pd) __attribute__((noreturn)); @@ -618,7 +620,6 @@ int dlt; const char *dlt_name; -#ifndef WIN32 /* * We don't need network access, so relinquish any set-UID * or set-GID privileges we have (if any). @@ -628,8 +629,8 @@ * people's trace files (especially if we're set-UID * root). */ - setuid(getuid()); -#endif /* WIN32 */ + drop_privileges(); + pd = pcap_open_offline(RFileName, ebuf); if (pd == NULL) error("%s", ebuf); @@ -712,12 +713,8 @@ netmask = 0; warning("%s", ebuf); } - /* - * Let user own process after socket has been opened. - */ -#ifndef WIN32 - setuid(getuid()); -#endif /* WIN32 */ + + drop_privileges(); } if (infile) cmdbuf = read_infile(infile); @@ -834,6 +831,26 @@ exit(status == -1 ? 1 : 0); } +/* + * Since we are processing untrusted data, drop privileges to mitigate the + * risk due to bugs in analysis code. + */ +static void +drop_privileges() +{ +#ifndef WIN32 + struct passwd *nobody; + + /* Attempt to drop back to nobody. This is safest. */ + nobody = getpwnam("nobody"); + if (nobody && nobody->pw_uid) + setuid(nobody->pw_uid); + /* If there is no nobody (?!), at least drop back to original uid */ + else + setuid(getuid()); +#endif /* WIN32 */ +} + /* make a clean exit on interrupts */ static RETSIGTYPE cleanup(int signo _U_) - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]