On Thu, 2005-03-03 at 11:54, David Mandelberg wrote:
> Physical access means they can touch the machine. Local access means they can
> log into the machine. Often local access is further restricted to mean they
> can log in and get a real shell (i.e. the shell isn't /usr/sbin/pppd).

I tend to prefer more specific terms like "remote shell access".

This thread seems to have drifted a bit, but in terms of the original question I think you should be able to make a setuid root version of tcpdump, or your favorite alternative, which creates the raw socket as root and then drops its privileges.

I have my doubts about the wisdom of allowing random people to use tcpdump, even a version modified as above. However I suppose a version like that might be useful to me as a system admin, because I could do more without being root.

BTW I think you might be able to detect promiscuous mode with a raw socket (at least on non-switched ethernet). If I send a ping packet to 192.168.1.42 using the wrong ethernet address then a response implies promiscuous mode because otherwise the interface would have dropped the packet. I have not investigated, but I think the kernel would reliably respond and 99.99% of attackers would not realise they had been exposed.
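
The setuid-root arrangement suggested in the message above, as an added sketch that is not part of the original post and is not tcpdump's own code: the packet socket is created while the process is still root, then root is given up permanently and the drop is verified. Linux `AF_PACKET` is assumed, and the function names `drop_privileges` and `open_capture_socket` are hypothetical.

```c
#include <arpa/inet.h>        /* htons */
#include <errno.h>
#include <linux/if_ether.h>   /* ETH_P_ALL */
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Permanently return to the invoking user's ids. In a setuid-root binary the
 * supplementary groups already belong to the caller, so only gid and uid
 * change; gid goes first because setgid() needs the root we are giving up.
 * Returns 0 on success, -1 if root is still reachable afterwards. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* With euid 0, setuid() also resets the saved uid, so for a non-root
     * caller any attempt to become root again must now fail. */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Create the packet socket while still root, then drop. Returns the fd, or
 * -1 with errno set if the socket could not be created. */
int open_capture_socket(void)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    int saved_errno = errno;
    if (drop_privileges() != 0) {
        /* Never keep running with root still attainable. */
        if (fd >= 0)
            close(fd);
        abort();
    }
    errno = saved_errno;
    return fd;
}

int main(void)
{
    int fd = open_capture_socket();
    if (fd < 0) { perror("socket(AF_PACKET)"); return 1; }
    /* Packet parsing would run here, as the invoking user. */
    close(fd);
    return 0;
}
```

The drop happens whether or not the socket call succeeded, so no later code path, including the packet parsers, ever runs with root.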