On Mon, 07 Feb 2005 13:10:42 -0800, Stephen Samuel (leave the email
alone) <samnospam@xxxxxxxxxxx> wrote:
> http://ask.slashdot.org/comments.pl?sid=138603&cid=11599438
>
> A comment in Slashdot reminding me of why ethereal is no longer
> ported to OpenBSD, and the fact that I just upgraded my oBSD
> firewall (lamenting this exclusion), has prompted me to write
> this.
>
> Perhaps it's time to build some firewalls into ethereal. This
> would actually consist of two different parts:
>
> One is privilege separation.
> The other is dissector categorization.
>
I don't use OpenBSD, but file permissions on the bpf device *should*
allow Ethereal to capture packets as a non-root user on OpenBSD.

> Categorizing dissectors based on their security would have
> two purposes:
> 1) I propose that, by default, only the most 'secure' of
> dissectors be enabled by default. Users who want the
> less secure dissectors (because they need them and/or
> they're not in an overtly 'hostile' environment) could
> enable the rest explicitly.

I can only think of two categories for Ethereal code... code with a
known security bug, and code with unknown security bugs. The Ethereal
community is very rapid in responding to security bugs; I don't know
of any instance where we left known security problems to linger.
So, I don't see how we could categorize dissectors into security
levels. Either they are or they aren't, and if they aren't, we fix
them right away.
--gilbert