>>>>> Adam Kirby writes:

Adam> I am looking at running this setuid root with as many of the
Adam> obvious security restrictions imposed as possible.

Here is my patch. I think it should go smoothly into the
current tcpdump version. I have additional patches for some output
drivers that prevent some information from being printed if the
restricted mode flag is set. But I first need to get the global
restricted mode flag into place. Any changes this time?

/js


Index: interface.h
===================================================================
RCS file: /tcpdump/master/tcpdump/interface.h,v
retrieving revision 1.144
diff -u -r1.144 interface.h
--- interface.h 2000/11/02 02:18:30     1.144
+++ interface.h 2000/11/20 15:31:14
@@ -96,6 +96,8 @@
 extern int xflag;              /* print packet in hex */
 extern int Xflag;              /* print packet in hex/ascii */
 
+extern int restricted;         /* flag indicating restricted mode */
+
 extern char *espsecret;
 
 extern int packettype;         /* as specified by -T */
Index: tcpdump.c
===================================================================
RCS file: /tcpdump/master/tcpdump/tcpdump.c,v
retrieving revision 1.155
diff -u -r1.155 tcpdump.c
--- tcpdump.c   2000/10/12 03:57:13     1.155
+++ tcpdump.c   2000/11/20 15:31:15
@@ -77,6 +77,8 @@
 int xflag;                     /* print packet in hex */
 int Xflag;                     /* print packet in ascii as well as hex */
 
+int restricted = 0;            /* flag indicating restricted mode */
+
 char *espsecret = NULL;                /* ESP secret key */
 
 int packettype;
@@ -168,6 +170,13 @@
 #ifdef LIBSMI
        smiInit("tcpdump");
 #endif
+
+       if (getuid() != geteuid() && ! geteuid() && getuid()) {
+           warning("using restricted mode for non-root users");
+           restricted++;
+           pflag++;
+       }
+
        
        opterr = 0;
        while (
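Review bot: The test `getuid() != geteuid() && ! geteuid() && getuid()` enables restricted mode only when a non-root user starts a set-uid-root binary, so a set-gid install, or one that gets its capture rights some other way, runs unrestricted. The first clause is implied by the other two, so `if (geteuid() == 0 && getuid() != 0) {` states the same condition more plainly; if set-gid installs should be covered, it also needs `|| getgid() != getegid()`. Since `restricted` is a flag, `restricted = 1;` reads better than `restricted++`, and a comment should say why `pflag` is forced on (presumably to keep restricted users out of promiscuous mode; confirm). The enclosing function starts and ends outside the hunk, so it is not possible to check here whether privileges are dropped once the capture device has been opened.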
@@ -307,14 +316,20 @@
                        break;
 
                case 'w':
+                       if (restricted)
+                               error("must be root to use -%c option", op);
                        WFileName = optarg;
                        break;
 
                case 'x':
+                       if (restricted)
+                               error("must be root to use -%c option", op);
                        ++xflag;
                        break;
 
                case 'X':
+                       if (restricted)
+                               error("must be root to use -%c option", op);
                        ++xflag;
                        ++Xflag;
                        break;
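Review bot: Only -w, -x and -X are refused in restricted mode in this hunk; the options that make tcpdump open a file for reading (-r and -F) are handled in parts of the switch outside it, and nothing visible shows them getting the same guard. In a set-uid-root install those opens would run with root's file access unless privileges are dropped first, so those cases should also carry `if (restricted) error("must be root to use -%c option", op);`. The guard relies on error() not returning, because the assignment to `WFileName` and the `++xflag` lines follow it unbraced; a short comment saying so would help. Moving the check into one small static helper called from each case would avoid repeating the same two lines three times. The switch begins and ends outside the hunk.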