Pekka Savola wrote:
> Current tcpdump already implements everything except chroot AFAIK.
Yeah, everything except the one thing that might actually help.
> Chroot would probably be a bit more difficult, because it might be difficult to agree to a directory to chroot to; there would have to be a command-line/compile-time toggle -- and when reading/writing capture files, you'd have to do some file descriptor passing tricks etc. I'm not personally sure whether it's worth it.
First of all, it's not "a bit more difficult". Andrew already wrote the damned code. Why don't you take a look? IIRC, his code actually creates a temp dir and rmdirs it afterward for good measure, though using a fixed directory has the benefit that the target filesystem can be read-only.
Second, what's not "worth it" is just dropping uid 0. For Christ's sake, as long as you've got uid 0 to start with, /chroot/. There's no excuse not to. Dropping uid 0 without chrooting first is like locking yourself in the bathroom and letting the intruder have the rest of the house -- IOW just plain stupid.
Take a look at what openssh means when it talks about "privilege separation": the unprivileged process chroots to /var/empty, and then drops uid 0. While you're busy talking about OpenBSD "privilege separation", maybe it would help if you'd look at their most obvious example.
Or go back and read the thread we just had on this.
-- Jefferson Ogata <[EMAIL PROTECTED]> NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
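The openssh-style sequence the post describes, as an added example (not tcpdump's or openssh's own code): chroot while still uid 0, then give up supplementary groups, gid and uid, then confirm root cannot be regained. The temporary jail directory, uid/gid 65534 and the exit-code reporting are this example's own assumptions.

```c
/* Added example of the privilege-drop order discussed in the thread.
 * The jail path, uid 65534 and the PRIVSEP_* codes are constructed here,
 * not taken from tcpdump or openssh. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

enum { PRIVSEP_OK = 0, PRIVSEP_ERR_MKDTEMP, PRIVSEP_ERR_CHROOT, PRIVSEP_ERR_CHDIR,
       PRIVSEP_ERR_SETGROUPS, PRIVSEP_ERR_SETGID, PRIVSEP_ERR_SETUID,
       PRIVSEP_ERR_ROOT_REGAINED, PRIVSEP_ERR_FORK, PRIVSEP_ERR_CRASH };

/* Runs in the process being sandboxed. Anything it needs from the real
 * filesystem (e.g. a capture file) must already be open before this call,
 * because after chroot() only the empty jail is visible. Every step is
 * checked: a silently failed step leaves the process with more than it thinks. */
static int drop_to_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0) return PRIVSEP_ERR_CHROOT;          /* needs uid 0: do it first */
    if (chdir("/") != 0) return PRIVSEP_ERR_CHDIR;              /* else cwd still points outside */
    if (setgroups(0, NULL) != 0) return PRIVSEP_ERR_SETGROUPS;  /* drop supplementary groups */
    if (setgid(gid) != 0) return PRIVSEP_ERR_SETGID;            /* gid before uid: still needs root */
    if (setuid(uid) != 0) return PRIVSEP_ERR_SETUID;            /* as root, sets real/effective/saved */
    /* Root must now be unrecoverable; if it is not, the drop is worthless. */
    if (setuid(0) == 0 || geteuid() == 0) return PRIVSEP_ERR_ROOT_REGAINED;
    return PRIVSEP_OK;
}

/* Performs the drop in a forked child so the caller can observe the outcome
 * without jailing itself. Returns a PRIVSEP_* code; as a non-root user the
 * chroot step fails with EPERM and PRIVSEP_ERR_CHROOT is reported. */
int privsep_try(uid_t uid, gid_t gid)
{
    char jail[] = "/tmp/privsep-XXXXXX";   /* constructed empty jail directory */
    if (mkdtemp(jail) == NULL) return PRIVSEP_ERR_MKDTEMP;
    pid_t pid = fork();
    if (pid < 0) { rmdir(jail); return PRIVSEP_ERR_FORK; }
    if (pid == 0) _exit(drop_to_jail(jail, uid, gid));
    int status = 0;
    waitpid(pid, &status, 0);
    rmdir(jail);                            /* jail stays empty, so this succeeds */
    return WIFEXITED(status) ? WEXITSTATUS(status) : PRIVSEP_ERR_CRASH;
}
```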
