Ethereal-dev: Re: [Ethereal-dev] Ethereal patch: limit capability set under Linux

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Tue, 14 Jun 2005 00:20:22 +0200

Greg Morris wrote:

> List,
>  
> The email below is a suggested patch to (t)ethereal. "This patch drops
> the (t)ethereal process's privileges at startup to the minimum
> required (the capability to sniff network interfaces) in order to
> limit the potential impact of security issues". When you start
> (t)ethereal as root, the process has access to many capabilities (e.g.
> read any file) which it doesn't need. This patch drops all unneeded
> privileges. Please comment and check-in if viable.
>  

Hi Greg!

While I like to see someone "take heart" and start getting things done
on this topic, I have some doubts about your approach (or maybe I just
don't understand it). Unfortunately, the comments you've added are quite
few, so understanding it was difficult, as I don't know the cap_ stuff,
sorry :-(

Could you explain a bit what this is intended to do? AFAIK this is
intended to lower privileges of the running task. But which privileges
are affected and in which way?

BTW: I'd guess this won't work on Win32 and probably other platforms
not supporting the cap_ functions?!?

Regards, ULFL
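
What a reduced capability set looks like at the Linux system-call level, as an added example (it is not the patch under discussion, which is not shown here, and not Ethereal code). It assumes CAP_NET_RAW is the capture capability the patch description refers to, uses the raw capset/capget calls instead of the libcap cap_ functions, and all helper names are hypothetical.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fill the kernel's two 32-bit capability words so that only the listed
 * capabilities are permitted and effective; inheritable stays empty. */
static void build_minimal_caps(const int *keep, size_t n,
                               struct __user_cap_data_struct data[2])
{
    memset(data, 0, 2 * sizeof(data[0]));
    for (size_t i = 0; i < n; i++) {
        data[CAP_TO_INDEX(keep[i])].permitted |= CAP_TO_MASK(keep[i]);
        data[CAP_TO_INDEX(keep[i])].effective |= CAP_TO_MASK(keep[i]);
    }
}

/* Replace the calling thread's capability sets. Returns 0 on success, -1
 * with errno set (EPERM if a requested capability is not currently held). */
static int apply_caps(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capset, &hdr, data);
}

/* 1 if `cap` is in the effective set, 0 if not, -1 if capget fails. */
static int has_effective(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) != 0;
}

int main(void)
{
    /* Assumption: CAP_NET_RAW alone is enough for the capture code path. */
    const int keep[] = { CAP_NET_RAW };
    struct __user_cap_data_struct data[2];

    build_minimal_caps(keep, 1, data);
    if (apply_caps(data) != 0) { perror("capset"); return 1; }
    printf("CAP_NET_RAW=%d CAP_DAC_OVERRIDE=%d\n",
           has_effective(CAP_NET_RAW), has_effective(CAP_DAC_OVERRIDE));
    return 0;
}
```

capset changes only the calling thread, so it has to run before any other threads are created. A process that keeps UID 0 still owns root's files and regains full capabilities on execve unless the bounding set is reduced as well.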