[prev in list] [next in list] [prev in thread] [next in thread]
List: ethereal-dev
Subject: Re: [Ethereal-dev] Setuid() patch to allow tethereal to run as nobody
From: Guy Harris <guy () alum ! mit ! edu>
Date: 2003-10-30 20:02:01
[Download RAW message or body]
On Oct 30, 2003, at 9:57 AM, Bryan Henderson wrote:
>> Is the intent here to support running it as a daemon, or something
>> such
>> as that, where the user ID you want it to run as isn't available to it
>> unless you tell it?
>
> If that's the intent, then -u still isn't the best way to do it.
...especially if Tethereal is set-UID root.
> In that
> case, one should invoke tethereal through a shell such as 'su' so as to
> say, "run tethereal as real UID X" and then tethereal would switch to
> effective=real at the appropriate time. It's simpler that way.
...and, at least with "sudo", the fact that it's been done can get
syslogged.
> And I agree that tethereal shouldn't wait to be asked before dropping
> unneeded superuser privilege.
I've checked in a change to give up set-UID and set-GID privileges
before opening capture files and immediately after opening a capture
device. (On systems that support saved set-user ID and "seteuid()",
Tethereal *and* Ethereal could give up those privileges at the
beginning of "main()", and temporarily reclaim them when getting the
list of network interfaces and when opening the interface, and
relinquish them immediately afterwards.)
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-dev
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic