Re: tcpdump -z



On Fri, 27 Aug 2010 19:20:57 +0300, "Aldis Berjoza" <aldis@xxxxxxxxxx>
wrote:
On Fri, 27 Aug 2010 17:32:18 +0300, Marian Hettwer <mh@xxxxxxxxxxx> wrote:

On Fri, 27 Aug 2010 15:27:07 +0100, István <leccine@xxxxxxxxx> wrote:

Well to be honest i don't see any case when i want to give sudo+tcpdump
access to any user on my box. And those who are admins/roots anyway the >> "su
-" just works perfectly and they can run tcpdump.

Well, that wasn't an answer to my question or the claim of Andy.
In fact, if you need to give access to some root-only binaries to a
normal user, sudo(8) is the way to go.
With "su -" you would allow full root-access, even though you might
just want to allow specific commands to an unprivileged user.

so. ehm. no!
In fact, I would suggest to disable root, so that su - doesn't work at
all.

./Marian

Ye, and once sudo is broken (somehow, for whatever reason) you have
lot's of fun (especially on servers) :D

Well, yeah, if it's up to me, I'd like to see sudo in BASE, as OpenBSD
does it :)

./Marian
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"



Relevant Pages

  • Re: newbie question: Getting through XDM with a newly-installed applcation
    ... Logging into X as root is generally not a good idea. ... What I would suggest is to install sudo, add your normal user to the ...
    (Debian-User)
  • Re: tcpdump -z
    ... In my opinion, if you allow people to run tools as root using sudo, ... you'd better make sure those tools don't allow attackers to easily gain ... root access. ... In the case of tcpdump, the '-w' flag most probably already ...
    (FreeBSD-Security)
  • Re: tcpdump -z
    ... In my opinion, if you allow people to run tools as root using sudo, ... In the case of tcpdump, the '-w' flag most probably already ... your network with that type of sudo access to collect password ... information or any other sensitive information flow on your network. ...
    (FreeBSD-Security)
  • Re: tcpdump -z
    ... In my opinion, if you allow people to run tools as root using sudo, you'd ... better make sure those tools don't allow attackers to easily gain root ... In the case of tcpdump, the '-w' flag most probably already allowed ...
    (FreeBSD-Security)
  • Re: tcpdump -z
    ... In my opinion, if you allow people to run tools as root using sudo, you'd better make sure those tools don't allow attackers to easily gain root access. ... In the case of tcpdump, the '-w' flag most probably already allowed that, although '-z' is a bit more convenient to the attacker. ...
    (FreeBSD-Security)