Greg Morris wrote:

> List,
>
> The email below is a suggested patch to (t)ethereal. "This patch drops
> the (t)ethereal process's privileges at startup to the minimum
> required (the capability to sniff network interfaces) in order to
> limit the potential impact of security issues". When you start
> (t)ethereal as root, the process has access to many capabilities (e.g.
> read any file) which it doesn't need. This patch drops all unneeded
> privileges. Please comment and check-in if viable.
>

Hi Greg!

As I like to see someone "to take a heart" to start getting things done on this topic, I have some doubts about your approach (or maybe I just don't understand it).

Unfortunately the comments you've added are quite few, so understanding was difficult as I don't know the cap_ stuff, sorry :-(

Could you explain a bit what this is intended to do? AFAIK this is intended to lower privileges of the running task. But which privileges are affected and in which way?

BTW: I'll guess this won't work on Win32 and probably other platforms not supporting the cap_ functions?!?

Regards, ULFL
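To illustrate what the quoted patch description means by keeping only the capability to sniff, here is an added example that is not part of this thread and is not the submitted patch. It assumes Linux, assumes the sniffing capability is CAP_NET_RAW, and uses the raw capget/capset system calls; the function names are made up for the illustration.

```c
/* Added example, not the patch discussed in this thread. Linux-only. */
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Build a v3 capability set (two 32-bit words per set) holding only
 * CAP_NET_RAW (assumed here to be the "sniff" capability).
 * Inheritable stays empty. */
void build_sniff_only(struct __user_cap_data_struct d[2])
{
    memset(d, 0, 2 * sizeof d[0]);
    d[CAP_TO_INDEX(CAP_NET_RAW)].permitted = CAP_TO_MASK(CAP_NET_RAW);
    d[CAP_TO_INDEX(CAP_NET_RAW)].effective = CAP_TO_MASK(CAP_NET_RAW);
}

/* Replace the calling process's sets with the sniff-only set.
 * Returns 0 on success, -1 with errno set (EPERM when the process
 * does not already hold CAP_NET_RAW in its permitted set). */
int drop_to_sniff_only(void)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    build_sniff_only(d);
    return (int)syscall(SYS_capset, &h, d);
}

/* 1 if cap is in the effective set, 0 if not, -1 on error. */
int has_effective(int cap)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &h, d) != 0)
        return -1;
    return (d[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) != 0;
}

int main(void)
{
    if (drop_to_sniff_only() != 0) {
        perror("capset");
        return 1;
    }
    printf("CAP_NET_RAW=%d CAP_DAC_OVERRIDE=%d\n",
           has_effective(CAP_NET_RAW), has_effective(CAP_DAC_OVERRIDE));
    return 0;
}
```

The process keeps UID 0 in this sketch, so files owned by root remain reachable through ordinary ownership checks; a fuller drop would also switch to an unprivileged UID.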