Re: tcpdump -z
- From: Andy Kosela <akosela@xxxxxxxxxxxxxx>
- Date: Fri, 27 Aug 2010 15:02:43 +0200
On Fri, Aug 27, 2010 at 1:32 PM, Pieter de Boer <pieter@xxxxxxxxxxxxxxxxxxx> wrote:
> On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
>> This is a forwarded message from the tcpdump-workers mail list:
>> === 8< ================>8 ===
>> $ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
>> [sudo] password for user:
>> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
>> (generate some traffic on port 55555)
>> root@blaa ~/temp/tcpdump-4.1.1$ id
>> uid=0(root) gid=0(root) groups=0(root)
>> Is this known and accepted? Could this option maybe be implemented
>> differently?
> In my opinion, if you allow people to run tools as root using sudo, you'd
> better make sure those tools don't allow attackers to easily gain root
> access. In the case of tcpdump, the '-w' flag most probably already allowed
> that, although '-z' is a bit more convenient to the attacker.
> As a solution, configure your sudo correctly, only allowing specific tcpdump
> command line options (or option sets) to be used.
If you care about security I would definitely dump sudo(8) in the first place...
Andy
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
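Worked example of the "only allow specific option sets" approach Pieter suggests, added to this archived thread; it is not code from any of the participants nor from the tcpdump or sudo projects. The comments show the permissive sudoers rule that lets -z (and an attacker-chosen -w path) reach tcpdump as root, next to two restrictive alternatives: an exact-argument rule, and a rule that grants only a small wrapper script which fixes every option itself and validates the little input it does accept. The wrapper name, the paths /usr/sbin/tcpdump and /var/tmp/captures, the interface allowlist and the user name alice are assumptions, not values from the thread.

```shell
#!/bin/sh
# tcpdump-wrapper: hypothetical example script, not from the thread and not
# tcpdump's or sudo's own code.  sudo grants the user THIS script, never
# tcpdump itself, so -z and an attacker-chosen -w path never reach tcpdump
# running as root.
#
# Weak sudoers rule: no arguments listed, so sudo accepts ANY arguments,
# including "-z ./test.sh" and "-w /etc/cron.d/x":
#   alice ALL=(root) /usr/sbin/tcpdump
#
# Restrictive rule without a wrapper: sudo requires the arguments to match
# exactly, so the user can run this one command line and nothing else:
#   alice ALL=(root) /usr/sbin/tcpdump -n -i em0 -w /var/tmp/captures/alice.pcap
#
# Restrictive rule with this wrapper (the wrapper, not sudo, vets the args):
#   alice ALL=(root) /usr/local/sbin/tcpdump-wrapper
#
# Assumptions: tcpdump lives at /usr/sbin/tcpdump, captures go to a
# root-owned /var/tmp/captures, and the interface names are placeholders.

TCPDUMP=/usr/sbin/tcpdump
CAPTURE_DIR=/var/tmp/captures
ALLOWED_IFACES="em0 lo0"

# capture_path USER -> prints the only output file the wrapper will ever
# pass to -w; the user has no say in it.
capture_path() {
    printf '%s/%s.pcap\n' "$CAPTURE_DIR" "$1"
}

# validate_args IFACE [FILTER...] -> 0 if the interface is allowlisted and
# no filter word looks like an option; 1 otherwise.  Rejecting words that
# start with "-" matters because GNU getopt permutes argv: "port 80 -z sh"
# would still be parsed as the -z option even though it follows the filter.
validate_args() {
    [ $# -ge 1 ] || return 1
    iface=$1
    shift
    found=1
    for i in $ALLOWED_IFACES; do
        [ "$i" = "$iface" ] && found=0
    done
    [ $found -eq 0 ] || return 1
    for word in "$@"; do
        case $word in
            -*) return 1 ;;
        esac
    done
    return 0
}

main() {
    user=${SUDO_USER:-$(id -un)}
    if ! validate_args "$@"; then
        echo "usage: $0 {$ALLOWED_IFACES} [bpf filter words]" >&2
        exit 2
    fi
    iface=$1
    shift
    # Every option is fixed here; only the interface and the BPF filter
    # words come from the user, and both were vetted above.
    exec "$TCPDUMP" -n -i "$iface" -w "$(capture_path "$user")" "$@"
}

# Only run when installed under the wrapper's name; otherwise the file can
# be sourced to exercise the functions.
case $0 in
    *tcpdump-wrapper) main "$@" ;;
esac
```

Install the script root-owned and not writable by the user (sudo executes whatever is at that path as root), and grant only that path in sudoers. Because the rule lists no arguments, sudo passes whatever the user types through to the wrapper; the wrapper is what refuses interfaces outside the allowlist and any filter word beginning with "-", so the user chooses what to capture but never which file tcpdump writes or what it executes. The same validation would be needed for any future tcpdump option that takes a path or a command.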