tcpdump mailing list archives

Previous By Date Next
Previous By Thread Next

Re: OpenBSD work on Tcpdump privilege separation

From: Andrew Pimlott <andrew () pimlott net>
Date: Tue, 24 Feb 2004 15:57:34 -0500
On Tue, Feb 24, 2004 at 10:40:39PM +0200, Pekka Savola wrote:

Yep, setuid is possibly borked in a few corner cases -- I haven't
tested it.  I assume folks don't compile with --with-user when they
want to enable setuid (pretty seldom, I guess).  But with extra
checking, this might be avoidable.

My threat analysis is that dropping root and chrooting when tcpdump is 
run as setuid is not worth the trouble.  Switching to the getuid() is 
sufficient: you'll just hose the account you run tcpdump as, not root.


I'm fine with that.  I think all we need to do is make sure we only try
droproot() when euid is still 0.


In my patch, I tried to handle this by only dropping euid before opening
files, so that we can later restore euid and do a full droproot(), which
is (arguably) better than just dropping back to ruid.  


My argument against this is that even if you drop euid, if
compromised, the attacker can restore the privileges, so you aren't
adding much security, just more complexity.  I'd either drop the
privileges alltogether, or don't drop them at all.


Note that after all the files have been opened, I restore euid, then
drop privileges permanently.


-/* Drop root privileges */
+/* 
+ * Drop privileges.  Assumes we currently have euid 0.
+ * Parts cribbed from Wietse Venema's chrootuid.
+ */


IMHO, dropping root and chrooting should be two separate functions, as 
they serve two distinct purposes.


I think they serve exactly the same purpose:  To lower the privilege
level of the process as much as possible.  That's why, when I wrote it,
I called it drop_privileges().  I don't think there is any time you'd
want to do one and not the other.


+   if (mkdtemp(chrootdir) == NULL)
+           error("couldn't create %s", chrootdir);
+   if (chdir(chrootdir) != 0)
+           error("couldn't chdir to %s", chrootdir);
+   if (rmdir(chrootdir) != 0)
+           error("couldn't remove %s", chrootdir);
+   if (chroot(".") != 0)
+           error("couldn't chroot");


you're rmdir'ing before chroot'ing ?


It works on my Linux system and prevents the directory from being left
behind as garbage.  I bet it works on most unix-like systems, but I
would be interested to see counter-examples.  :-)

Andrew
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: