tcpdump -z
Pieter de Boer
pieter at thelostparadise.com
Fri Aug 27 11:33:25 UTC 2010
On 08/27/2010 10:32 AM, Vadim Goncharov wrote:
> This is a froward message from tcpdump-workers mail list:
> === 8< ================>8 ===
> $ sudo ./tcpdump -i any -G 1 -z ./test.sh -w dump port 55555
> [sudo] password for user:
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size
> 65535 bytes
> (generate some traffic on port 55555)
> root at blaa ~/temp/tcpdump-4.1.1$ id
> uid=0(root) gid=0(root) groups=0(root)
>
> Is this known and accepted? Could this option maybe be implemented
> differently?
In my opinion, if you allow people to run tools as root using sudo,
you'd better make sure those tools don't allow attackers to easily gain
root access. In the case of tcpdump, the '-w' flag most probably already
allowed that, although '-z' is a bit more convenient to the attacker.
As a solution, configure your sudo correctly, only allowing specific
tcpdump command line options (or option sets) to be used.
--
Pieter
More information about the freebsd-security
mailing list