Denis Doroshenko <denis.doroshe...@gmail.com> wrote:

> Hi!
>
> I'd like to give some colleagues the possibility to analyze and dump net
> traffic to files, but it seems that in order to do that I need to
> allow them to run a piece of software as root, when the software has the
> possibility to write to a user-defined file and it does it as root. In
> this case I believe they can write files wherever they want, and also
> some things won't work (e.g. quotas).
>
> The man page at
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html
>
> mentions "You must have read access to /dev/bpf*". While it is a true
> requirement, it seems like it is not sufficient to run tcpdump against a
> network interface.
>
> It seems in order to do that one needs to run the program as root, and
> making the binary suid root doesn't help here.
>
> When tcpdump is suid root, it goes as far as:
>
> ~ $ tcpdump
> tcpdump: ioctl: BIOCSETF: Operation not permitted
> ~ $
>
> From the source I see that the first thing the privileged parent
> process does is the following (file privsep.c, function priv_init):
>
>       sigprocmask(SIG_SETMASK, &oset, NULL);
>
>       /* Child - drop suid privileges */
>       gid = getgid();
>       uid = getuid();
>
> So in case of suid scenario, the process loses suid power and then
> later on the following piece:
>
>               case PRIV_SETFILTER:
>                       test_state(cmd, STATE_FILTER);
>                       impl_setfilter(socks[0], cmdbuf, &bpfd);
>                       break;
>
> calls impl_setfilter, which in turn calls setfilter, which in turn
> calls ioctl(bpfd, BIOCSETF, &fcode), which fails with the mentioned
> "ioctl: BIOCSETF: %s", strerror(errno) message.
>
> Was this code designed to be run as root (not just EUID 0)? I ask this
> because the code does not work otherwise. The man pages do not clearly
> state that, and the code only looks for EUID to be 0 when it checks
> whether it will go any further, and then fails later when EUID is set to
> UID and UID is not 0.
>
> Thanks!

Why don't you try sudo? You can make rules for each user...


--
DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/ 
This message will self-destruct in 3 seconds.
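Following the sudo suggestion, one way to grant capture rights without letting people write arbitrary files as root is to allow only a fixed wrapper script through sudoers, and have the wrapper pin the interface and confine the output file to one directory. This is an added example, not code from the thread or from OpenBSD; the wrapper path, group name, interface and capture directory are assumed values.

```shell
#!/bin/sh
# Hypothetical wrapper (assumed path /usr/local/sbin/capture-wrapper,
# root-owned, mode 0755). Assumed sudoers entry granting it to a group:
#   %capture ALL=(root) NOPASSWD: /usr/local/sbin/capture-wrapper
# Users run:  sudo capture-wrapper trace.pcap
# The interface and directory are fixed here, so the only user-controlled
# input is the file name, which is validated before tcpdump ever sees it.

CAPTURE_DIR=/var/capture   # assumed: root-owned, not writable by users
IFACE=em0                  # assumed interface name

# Accept only a bare file name ending in .pcap made of [A-Za-z0-9._-].
# Rejects empty names, anything containing "/", names starting with "."
# (no hidden files or "..") and names starting with "-" (so the name can
# never be parsed by tcpdump as an option). Returns 0 if acceptable.
valid_capture_name() {
    case "$1" in
        ''|*/*|.*|-*) return 1 ;;
    esac
    case "$1" in
        *.pcap) ;;
        *) return 1 ;;
    esac
    # Strip every allowed character; anything left over is forbidden
    # (this also catches spaces, quotes and control characters).
    rest=$(printf '%s' "$1" | tr -d 'A-Za-z0-9._-')
    [ -z "$rest" ]
}

# Validate, then hand over to tcpdump with fixed options and an absolute
# output path inside CAPTURE_DIR. Returns 2 on a rejected name.
run_capture() {
    name=$1
    if ! valid_capture_name "$name"; then
        echo "capture-wrapper: rejected file name: $name" >&2
        return 2
    fi
    exec /usr/sbin/tcpdump -n -i "$IFACE" -w "$CAPTURE_DIR/$name"
}

# Only dispatch when installed under the wrapper name with one argument,
# so sourcing or testing this file does not start a capture.
if [ $# -eq 1 ] && [ "${0##*/}" = capture-wrapper ]; then
    run_capture "$1"
fi
```

Because sudo runs the wrapper rather than tcpdump directly, the sudoers rule needs no argument wildcards, and the wrapper decides every argument except the validated name.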
