tcpdump -z
Andy Kosela
akosela at andykosela.com
Fri Aug 27 13:30:36 UTC 2010
On Fri, Aug 27, 2010 at 1:32 PM, Pieter de Boer
<pieter at thelostparadise.com> wrote:
> On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
>
>> This is a froward message from tcpdump-workers mail list:
>> === 8< ================>8 ===
>> $ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
>> [sudo] password for user:
>> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture
>> size
>> 65535 bytes
>> (generate some traffic on port 55555)
>> root at blaa ~/temp/tcpdump-4.1.1$ id
>> uid=0(root) gid=0(root) groups=0(root)
>>
>> Is this known and accepted? Could this option maybe be implemented
>> differently?
>
> In my opinion, if you allow people to run tools as root using sudo, you'd
> better make sure those tools don't allow attackers to easily gain root
> access. In the case of tcpdump, the '-w' flag most probably already allowed
> that, although '-z' is a bit more convenient to the attacker.
>
> As a solution, configure your sudo correctly, only allowing specific tcpdump
> command line options (or option sets) to be used.
>
If you care about security I would definetly dump sudo(8) in the first place...
Andy
More information about the freebsd-security
mailing list