Not really comments on the specific patch, or its applicability to the issue at hand.
I'm a strong believer in defense in depth. Does a trench outside the wall stop all the attackers? No, but it does slow them down, and gives you a chance to regroup. Dropping privileges from root stops a wide range of script kiddie type attacks from causing much, much more damage than they would otherwise. If you really don't believe in this, tell us where you run your web server and justify why it's running as root :)

I agree that this does not stop a determined and resourceful hacker; it will, however, slow them down and possibly encourage them to seek a softer target. The primary source of most attacks I've seen lately are script kiddies, and if tcpdump was running as an unprivileged user it would limit the spread of damage on many systems (they would at least have to try a little).

Just my $0.02.

>
> The big difference here was between "user not on my system" and "user
> running arbitrary code on my system". What user the code is running as once
> you get to that point is relatively unimportant, and on most systems it
> won't take the user long to get root. Yes, if you have a well configured
> and patched system, and practice good sysadmin hygiene, the separation will
> be strong, but I'm talking about the majority of systems. And even if you
> keep the user from getting root, most intruders are quite happy to get a
> user shell -- they don't need root to set up an IRC bot or use your box as
> a springboard to attack someone else. That's why, *practically* speaking,
> the difference between root and joe user is not that big when it comes to
> intrusions: what we want is to keep the potential intruder *off* the
> system, period.
>

--
>-=-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-=-<
Ryan Mooney [EMAIL PROTECTED]
<-=-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-=->
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
