On Fri, Jan 15, 2010 at 10:21:15PM -0500, Ted Unangst wrote:
quoted text > On Fri, Jan 15, 2010 at 1:21 PM, Denis Doroshenko
> <denis.doroshenko@gmail.com> wrote:
> > I'd like to give some colleagues possibility to analyze and dump net
> > traffic to files, but it seems that in order to do that I need to
> > allow them to run a piece of software as root, when the software has a
> > possibility to write to a user-defined file and it does it as root. In
> > this case I believe they can write files where ever they want, also
> > some things won't work (e.g. quotas).
>
> The current tcpdump code can only be run as root. You can patch the
> code to remove the privsep parts if necessary.
>
> Or, if you generally trust your users except for carelessly filling up
> the filesystem, note two things:
> 1. When writing to an existing file with -w, tcpdump will not change the owner.
> 2. When running "sudo tcpdump -w - > file", the file will be owned by
> the user calling sudo.
>
> If you don't trust your users to not mess up the file system (what
> kind of users are they?), I'd modify the source to only accept a
> single -w argument, then force the argument via a shell script they
> can run with sudo. But be careful, you'll also have to add NOFOLLOW
> to the open call in privsep.c, or they could still overwrite system
> files.
Alternatively, you could force -w to always write to stdout and use
sudo. But remember that you might NOT want to allow -r to read
arbitrary files. As you can see, before you know it pretty
"interesting" problems pop up.
It was a conscious decision to only allow root. The beast is just too
complex to trust as a setuid program.
-Otto
