Ethereal 0.10.14 howto. Now with nobody support. :D


Ethereal 0.10.14 howto. Now with nobody support. :D

ober-4
OK I have put together instructions for compiling ethereal 0.10.14 on
-current/3.8.

In the included patch I have added code to ethereal and tethereal to
call setuid(uid_t nobody) after the capture device has been opened.
So once a capture has been made, the dissectors won't be running with
root privs.

Now I understand this is not full privsep in the manner done in
tcpdump(1), and npt, however I am currently working on that, and hopefully
can have a port ready for testing shortly.

Here is an example session.
# ethereal

^Z[1] + Suspended            ethereal
# bg
[1] ethereal
!CAPTURE STARTED HERE FROM GUI
# ps auxwww|grep ethereal
root     25479  3.7  4.9 17672 25536 p0  S     12:08AM    0:01.27 ethereal
nobody   13239  3.1  3.9  4792 20152 p0  S     12:09AM    0:00.33 ethereal-capture -i em0 -f not (tcp port 31944 and ip host 192.168.0.34 and tcp port 22 and ip host 192.168.0.200) (ethereal)
# ps auxwww|grep ethereal
root     25479  1.9  4.9 17680 25544 p0  S     12:08AM    0:01.44 ethereal
nobody   13239  0.6  3.9  4792 20152 p0  S     12:09AM    0:00.33 ethereal-capture -i em0 -f not (tcp port 31944 and ip host 192.168.0.34 and tcp port 22 and ip host 192.168.0.200) (ethereal)
!CAPTURE STOPPED AND DECODING OF CAPTURE TRACE BEGUN
# ps auxwww|grep ethereal
nobody   25479  4.4  5.5 30584 28668 p0  S     12:08AM    0:02.44 ethereal


Now this I have been told can be broken out of, and is not as secure as
true privsep.

But I would like to think it buys me more than just running it with
constant full root privs.

Flames and comments welcome.

And finally the url
http://www.linbsd.org/ethereal_on_openbsd38.html


-Ober


ethereal port for 10.14 (was Re: Ethereal 0.10.14 howto. Now with

ober-4
I put together a port based on Matt's previous port that works on -current
and should work on 3.8.
It replaces all the steps in the instructions.

Let me know how it works.

http://www.linbsd.org/ethereal.tgz


-Ober

On Thu, 29 Dec 2005, Matt Jibson wrote:

> You might be interested in modifying the port I wrote for 0.10.12:
> http://marc.theaimsgroup.com/?l=openbsd-ports&m=112616679314867&w=2


Re: ethereal port for 10.14 (was Re: Ethereal 0.10.14 howto. Now with

ober-4
I have added the updates to create/use user _ethereal.
Also I have made use of much stricter priv dropping.
It now does all 3 states of uid/gid -> _ethereal.
You will need to chown _ethereal /usr/local/var/_ethereal for now
as the package is not setting it right.

Also once you capture, the process cannot "recapture".
You will get permission denied on /dev/bpf[0-9].
For now this is a side effect of not having true privsep and instead
merely dropping all privs once the capture device is opened.

Please let me know how it works.

-Ober

On Sat, 31 Dec 2005, Oliver J. Morais wrote:

> * ober <[hidden email]> [051230 01:52]:
>> Let me know how it works.
>> http://www.linbsd.org/ethereal.tgz
>
> Works great, thank you :-)
> Running on OpenBSD 3.8-current (GENERIC) #529: Thu Dec 29 13:39:24 MST 2005
> on i386 (Thinkpad X30)
>
> One thing I'd suggest: Don't use user "nobody", instead create a
> special user, e.g. "_ethereal".
>
> regards,
> oliver
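Added example (my own code, not from Ober's patch, the port, or Ethereal itself) of the sequence the first post describes: open the capture device while still root, then drop privileges before any packet is dissected. It does the drop the way the third post describes, all three uid/gid states (real, effective, saved), uses a dedicated account as Oliver suggests, and verifies the drop by checking that root cannot be regained, which is what a partial drop that changed only the effective id would leave open. It also shows the "recapture" side effect from the third post: the fd opened before the drop keeps working, but reopening the device is denied. The device path /dev/bpf0 and the user name _ethereal are assumptions for the demo; when run unprivileged there is nothing to open, so it drops to its own ids, which is still a valid (if trivial) drop.

```c
/* Added example, not code from the thread or from Ethereal: open the
 * capture device as root, then drop real/effective/saved uid and gid to an
 * unprivileged account and verify the drop before parsing any packet.
 * CAPTURE_DEV and UNPRIV_USER are assumptions for this demo. */
#define _GNU_SOURCE            /* setresuid/setresgid on glibc; native on OpenBSD */
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes so the block still compiles if a header was pulled
 * in before the feature macro above took effect. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);

#define CAPTURE_DEV "/dev/bpf0"   /* assumption: OpenBSD bpf device node */
#define UNPRIV_USER "_ethereal"   /* dedicated account, as suggested in the thread */

/* Pure policy check: a drop target of uid or gid 0 is not a drop at all. */
int valid_drop_target(uid_t uid, gid_t gid)
{
    return uid != 0 && gid != 0;
}

/* Drop real, effective and saved ids. Returns 0 on success, -1 with errno.
 * Order matters: supplementary groups, then gid, then uid, because once
 * the uid is unprivileged the other two can no longer be changed. */
int drop_privs(uid_t uid, gid_t gid)
{
    if (!valid_drop_target(uid, gid)) {
        errno = EINVAL;
        return -1;
    }
    /* Only root can reset supplementary groups; an already unprivileged
     * process (e.g. an unprivileged test run) has nothing to clear. */
    if (geteuid() == 0 && setgroups(1, &gid) == -1)
        return -1;
    if (setresgid(gid, gid, gid) == -1)
        return -1;
    if (setresuid(uid, uid, uid) == -1)
        return -1;
    /* Verify rather than trust the return codes. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* If only the effective id had been changed, the saved id 0 would let
     * this succeed; after a full drop both calls must fail. */
    if (seteuid(0) == 0 || setegid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Stand-alone demo of the sequence from the thread. The fd opened before
 * the drop survives it (capture continues); a second open of CAPTURE_DEV
 * afterwards is denied, the "recapture" side effect the third post describes. */
int main(void)
{
    int fd = -1;
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (geteuid() == 0) {
        struct passwd *pw = getpwnam(UNPRIV_USER);
        if (pw == NULL) {
            fprintf(stderr, "no such user: %s\n", UNPRIV_USER);
            return 1;
        }
        uid = pw->pw_uid;
        gid = pw->pw_gid;
        fd = open(CAPTURE_DEV, O_RDONLY);   /* still root here */
        if (fd == -1) {
            fprintf(stderr, "open %s: %s\n", CAPTURE_DEV, strerror(errno));
            return 1;
        }
    }
    if (drop_privs(uid, gid) == -1) {
        fprintf(stderr, "drop_privs: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid=%u euid=%u gid=%u egid=%u, capture fd=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid(), fd);
    /* The dissectors would run from here on, unprivileged. */
    if (open(CAPTURE_DEV, O_RDONLY) == -1)
        printf("reopen of %s after drop failed: %s\n", CAPTURE_DEV, strerror(errno));
    if (fd != -1)
        close(fd);
    return 0;
}
```

Run it as root on a box with the _ethereal account and a bpf device to see the full sequence; run it as a normal user and it only exercises the drop and verification path. The verification step is the part worth keeping in any port: the return codes of setresuid() and friends say the call was accepted, while a failing seteuid(0) says the privilege is actually gone.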


Re: ethereal port for 10.14 (was Re: Ethereal 0.10.14 howto. Now with

ober-4
OK the ownership issue is fixed.
http://www.linbsd.org/ethereal.tgz


-Ober

On Tue, 3 Jan 2006, ober wrote:

> I have added the updates to create/use user _ethereal.
> Also I have made use of much stricter priv dropping.
> It now does all 3 states of uid/gid -> _ethereal.
> You will need to chown _ethereal /usr/local/var/_ethereal for now
> as the package is not setting it right.
>
> Also once you capture, the process can not "recapture".
> You will get permission denied on /dev/bpf[0-9]
> For now this is a side effect of not having a true privsep, and instead
> merely drops all privs once the capture device is opened.
>
> Please let me know how it works.
>
> -Ober