bpf does not check PRIV_NET_SETIFFLAGS to set promisc
Max Laier
max at love2party.net
Tue Oct 14 16:39:21 UTC 2008
Hi,

replying to a question on the tcpdump ML, I just realized that we allow users
who have permissions on bpf to bypass PRIV_NET_SETIFFLAGS for setting
promiscuous mode. This certainly is not a security problem per se - as bpf
access is a mighty permission on its own and shouldn't be given out to
untrusted users ... so this is just an "is this intended?" type of thing.

BTW, I strongly vote for keeping the possibility to use bpf (in promisc mode)
for non-root users.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
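
The message above implies that permission on a bpf device node is effectively permission to put an interface into promiscuous mode, so the node permissions are what to audit. The following is an added example, not part of the original message or of FreeBSD; the function names and the sample entries are constructed, and it assumes any read or write bit on the node counts as bpf access.

```python
import glob
import os
import stat
from typing import NamedTuple

class Node(NamedTuple):
    path: str
    mode: int  # permission bits only, e.g. 0o600
    uid: int
    gid: int

def non_root_access(node):
    """List the non-root principals whose permission bits let them open the node."""
    who = []
    if node.uid != 0 and node.mode & (stat.S_IRUSR | stat.S_IWUSR):
        who.append(f"uid {node.uid} (owner)")
    # Group members are ordinary users even when the group is wheel (gid 0).
    if node.mode & (stat.S_IRGRP | stat.S_IWGRP):
        who.append(f"gid {node.gid} (group)")
    if node.mode & (stat.S_IROTH | stat.S_IWOTH):
        who.append("everyone (other)")
    return who

def audit(nodes):
    """Map each exposed bpf node to the principals that can open it."""
    found = ((n.path, non_root_access(n)) for n in nodes)
    return {path: who for path, who in found if who}

def live_nodes(pattern="/dev/bpf*"):
    """Collect character-device nodes matching the pattern on the running system."""
    for path in sorted(glob.glob(pattern)):
        st = os.stat(path)
        if stat.S_ISCHR(st.st_mode):
            yield Node(path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

# Constructed sample entries, used when no bpf nodes exist on this machine.
SAMPLE = [
    Node("/dev/bpf0", 0o600, 0, 0),     # root only
    Node("/dev/bpf1", 0o640, 0, 1001),  # capture delegated to a group
    Node("/dev/bpf2", 0o644, 0, 0),     # world-readable
]

if __name__ == "__main__":
    for path, who in audit(list(live_nodes()) or SAMPLE).items():
        print(f"{path}: promiscuous capture available to {', '.join(who)}")
```
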
More information about the freebsd-current mailing list