List,
The email below is a suggested patch to (t)ethereal. "This patch drops the (t)ethereal process's privileges at startup to the minimum required (the capability to sniff network interfaces) in order to limit the potential impact of security issues". When you start (t)ethereal as root, the process has access to many capabilities (e.g. read any file) which it doesn't need. This patch drops all unneeded privileges. Please comment and check-in if viable.
Greg
>>> "J.H.M. Dassen (Ray)" <rdassen@xxxxxxxxxx> 6/12/2005 11:00 PM >>>
Hi Greg,

With the recent number of coding issues with security implications found in ethereal, I thought it might be a good idea to limit the impact of as yet unfound issues by having (t)ethereal (at least under Linux) use the minimal set of root capabilities it needs to do its job; which, as far as I've been able to tell, is just the capability to sniff network interfaces. The attached patch does just that (based on code I use in TraceProto - http://traceproto.sf.net). Please have a look at it and let me know whether this is useful.

Greetings,
--
Ray Dassen
Engineer, European Support Centre, Novell Inc.
Attachment:
patch
Description: Binary data
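The attached patch is not reproduced on this page. As an added illustration (not the patch itself and not ethereal or TraceProto code), the following sketch shows one way a Linux process can reduce itself to a single capability at startup. It assumes CAP_NET_RAW is the capability meant by "the capability to sniff network interfaces"; the names SNIFF_CAPS, read_caps and drop_caps_except are hypothetical.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumption: CAP_NET_RAW is the one capability a sniffer keeps. */
#define SNIFF_CAPS (1ULL << CAP_NET_RAW)

/* Read the calling thread's effective and permitted sets as 64-bit masks. */
int read_caps(uint64_t *eff, uint64_t *perm)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &hdr, d) != 0)
        return -1;
    *eff  = ((uint64_t)d[1].effective << 32) | d[0].effective;
    *perm = ((uint64_t)d[1].permitted << 32) | d[0].permitted;
    return 0;
}

/* Clear every capability outside keep_mask for the calling thread. It only
 * removes bits, so it also succeeds when started without privileges. */
int drop_caps_except(uint64_t keep_mask)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &hdr, d) != 0)
        return -1;
    for (int i = 0; i < 2; i++) {
        uint32_t keep = (uint32_t)(keep_mask >> (32 * i));
        d[i].permitted &= keep;   /* cannot be re-raised once cleared */
        d[i].effective &= keep;
        d[i].inheritable = 0;     /* clear the inheritable set as well */
    }
    return (int)syscall(SYS_capset, &hdr, d);
}

int main(void)
{
    uint64_t eff, perm;
    if (drop_caps_except(SNIFF_CAPS) != 0 || read_caps(&eff, &perm) != 0) {
        perror("capability drop failed");
        return 1;   /* fail closed: do not parse packets with full root */
    }
    printf("effective=%#llx permitted=%#llx\n",
           (unsigned long long)eff, (unsigned long long)perm);
    return 0;
}
```

The drop belongs ahead of any dissection of untrusted packet data. A process that remains uid 0 gets its capabilities back across execve() unless the bounding set or securebits are restricted as well.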