Hi!

I'd like to give some colleagues possibility to analyze and dump net
traffic to files, but it seems that in order to do that I need to
allow them to run a piece of software as root, when the software has a
possibility to write to a user-defined file and it does it as root. In
this case I believe they can write files where ever they want, also
some things won't work (e.g. quotas).

The man page at

http://www.openbsd.org/cgi-bin/man.cgi?query=tcpdump&apropos=0&sektion=8&manpath=OpenB...

mentions "You must have read access to /dev/bpf*". While it is true
requirement, seems like it is not sufficient to run tcpdump agains a
network interface.

It seems in order to do that one needs to run program as root, and
making the binary suid root doesn't help here.

When tcpdump is suid root, it goes as far as:

~ $ tcpdump
tcpdump: ioctl: BIOCSETF: Operation not permitted
~ $

From the source I see that the first thing the privileged parent
process does is the following (file privsep.c, function priv_init):

	sigprocmask(SIG_SETMASK, &oset, NULL);

	/* Child - drop suid privileges */
	gid = getgid();
	uid = getuid();

So in case of suid scenario, the process loses suid power and then
later on the following piece:

		case PRIV_SETFILTER:
			test_state(cmd, STATE_FILTER);
			impl_setfilter(socks[0], cmdbuf, &bpfd);
			break;

calls impl_setfilter, which in turn calls setfilter, which in turn
calls ioctl(bpfd, BIOCSETF, &fcode), which fails with the mentioned
"ioctl: BIOCSETF: %s", strerror(errno) message.

Was this code designed to be run as root (not just EUID 0)? I ask this
because the code does not work otherwise. Man pages does not clearly
state that and the code only looks for EUID to be 0 while it checks
whether it will go any further and fails later when EUID is set to
UID, and UID is not 0.

Thanks!