tcpdump -z

Daniel Roethlisberger daniel at
Fri Aug 27 16:25:57 UTC 2010

Pieter de Boer <pieter at> 2010-08-27:
> On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
> >This is a forwarded message from tcpdump-workers mail list:
> >=== 8<  ================>8 ===
> >$ sudo ./tcpdump -i any -G 1 -z ./ -w dump port 55555
> >[sudo] password for user:
> >tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size
> >65535 bytes
> >(generate some traffic on port 55555)
> >root at blaa ~/temp/tcpdump-4.1.1$ id
> >uid=0(root) gid=0(root) groups=0(root)
> >
> >Is this known and accepted? Could this option maybe be implemented
> >differently?
> In my opinion, if you allow people to run tools as root using sudo, 
> you'd better make sure those tools don't allow attackers to easily gain 
> root access. In the case of tcpdump, the '-w' flag most probably already 
> allowed that, although '-z' is a bit more convenient to the attacker.
> As a solution, configure your sudo correctly, only allowing specific 
> tcpdump command line options (or option sets) to be used.

Or use NOEXEC on the tcpdump spec in your sudo configuration, see
sudoers(5) for details.

Daniel Roethlisberger
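The two mitigations raised in this thread (pinning the tcpdump argument list, and the NOEXEC tag) side by side in a sudoers fragment; this is a constructed illustration, not configuration from the thread, and the user name `analyst`, the interface `em0` and the path `/usr/sbin/tcpdump` are assumptions.

```sudoers
# Constructed example, not from the thread. Check with: visudo -c -f <file>

# Weak: no argument restriction, so the user can pass -w to write files as
# root and -z/-G to have tcpdump exec an arbitrary post-rotate command as root.
Cmnd_Alias TCPDUMP_ANY = /usr/sbin/tcpdump          # path is an assumption
analyst ALL=(root) TCPDUMP_ANY

# Tightened, step 1: NOEXEC stops tcpdump from spawning child processes, which
# defeats -z. Caveat from sudoers(5): noexec works by interposing on the dynamic
# loader, so it does not protect a statically linked tcpdump binary.
analyst ALL=(root) NOEXEC: /usr/sbin/tcpdump

# Tightened, step 2: pin the argument list so -w, -G and -z cannot be supplied
# at all; sudo matches the arguments exactly. Interface and filter are assumed.
Cmnd_Alias TCPDUMP_FIXED = /usr/sbin/tcpdump -i em0 -n port 55555
analyst ALL=(root) NOEXEC: TCPDUMP_FIXED
```

Keep only one of the `analyst` lines in a real file; the weak entry is shown for contrast, and a later unrestricted rule would override the restricted one.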

More information about the freebsd-security mailing list