On Sat, 21 Feb 2004, Richard Bejtlich wrote:

> Has anyone seen the OpenBSD work on privilege
> separation for Tcpdump? I became aware of it from
> this post:
>
> http://marc.theaimsgroup.com/?l=openbsd-cvs&m=107531986114887&w=2
I took a quick look at it, and I can't quite understand why they made it so complicated. The same patch also includes integration with their PF software for traffic fingerprinting purposes, so I guess that's one reason.

The current tcpdump just drops privileges before pretty much anything is done. Now looking at the code, maybe the privilege separation could be done even slightly earlier in the "pcap_open_live" branch, e.g., after pcap_open_live, but I haven't tested this. I guess it depends on whether pcap_set_datalink, pcap_snapshot (this one might be dangerous with root!) or pcap_lookupnet requires root privileges. This might be worth experimenting with.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
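A minimal illustration of the ordering the reply argues for (open the capture handle as root, then drop privileges before anything else runs, then verify the drop took), added here as an example and not code from tcpdump or the OpenBSD patch. It uses a raw ICMP socket as a stand-in for the pcap_open_live() handle so it builds without libpcap, and assumes uid/gid 65534 for the unprivileged user.

```c
#define _DEFAULT_SOURCE 1          /* for setgroups()/seteuid() prototypes */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1: the only call that needs root. A raw socket stands in for the
 * pcap_open_live() handle (assumption: libpcap may not be installed). */
int open_capture_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Step 2: drop to an unprivileged uid/gid. Order matters: groups and gid are
 * cleared while still root, uid last. Returns 0 on success, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) == -1) return -1;
    if (setgid(gid) == -1) return -1;
    if (setuid(uid) == -1) return -1;
    /* Step 3: verify. Regaining root must fail and every id must match. */
    if (uid != 0 && (setuid(0) != -1 || seteuid(0) != -1)) return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Anything still needing root (opening another capture device, say) must now
 * fail with EPERM. Returns 1 if root is really gone, 0 if the drop did not take. */
int root_is_gone(void)
{
    int fd = open_capture_socket();
    if (fd != -1) { close(fd); return 0; }
    return errno == EPERM || errno == EACCES;
}

int main(void)
{
    int cap = open_capture_socket();              /* as root, before the drop */
    if (drop_privileges(65534, 65534) == -1) {    /* "nobody" ids, an assumption */
        perror("drop_privileges");
        return 1;
    }
    printf("capture fd %d kept; root gone: %s\n", cap, root_is_gone() ? "yes" : "no");
    /* the packet loop would run here, fully unprivileged */
    if (cap != -1) close(cap);
    return 0;
}
```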
