Date: Fri, 11 Mar 2011 06:40:31 -0800
From: RB <aoz.syn@...il.com>
To: owl-dev@...ts.openwall.com
Subject: tcpdump vagaries

As sent to Solar, re-posting as requested to owl-dev.  This particular
pair of bugs^Wfeatures have had me pulling my hair out for the past
week.

====
Just wanted to give you a heads up on some poor behavior I've noted in
Gentoo's packaging of tcpdump that you may have unintentionally run
into.  I know Owl's recent releases eliminated setXid binaries, so
your likelihood of hitting these edge cases increases.

The issues surround using the -G and -C options to split capture files
at runtime.  When tcpdump is configured with '--with-user=XXX', it
turns the -Z (drop privileges) option on by default.  The result is
that the first capture file is created with the privileges and
ownership of the calling user (often root) but subsequent ones as the
XXX user.  This stands a high probability of producing subtle (and
late) failures due to filesystem permissions.

Similarly, when tcpdump is configured with '--with-chroot=/path/to/chroot',
it will chroot itself to /path/to/chroot at runtime.  Again, the first
file is created with the calling privileges and lands where one would
expect, but if using relative paths subsequent files will appear in
/path/to/chroot, and absolute paths (that don't match what is under
/path/to/chroot) result in the capture stopping/failing due to missing
directories.

Ideally alterations should probably be made to tcpdump to make those
failures and behavior more immediate, but digging that out and coding
it up is far beyond my time capacity right now.  Hopefully you tested
Owl a little better than Gentoo's devs did if you made similar
decisions.
====

I can understand and even appreciate and agree with the intent behind
the choices, but as with any change that increases complexity of
operation, they should probably have been tested a little more.


RB
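
A pre-flight check for the rotation behaviour described in the message above, as an added example that is not part of the original post or of tcpdump. It assumes the working directory is the chroot root after chroot; uid 1001 and all paths are constructed sample values.

```python
import os
import stat
from pathlib import PurePosixPath
from types import SimpleNamespace

# Constructed sample filesystem: path -> (mode, owner uid, owner gid).
SAMPLE_FS = {
    "/var/captures": (0o040755, 0, 0),           # root-owned, others cannot write
    "/var/lib/tcpdump": (0o040750, 1001, 1001),  # hypothetical chroot, owned by drop user
}

def sample_stat(path):
    """Stand-in for os.stat() over SAMPLE_FS so the check runs without root."""
    if path not in SAMPLE_FS:
        raise FileNotFoundError(path)
    mode, uid, gid = SAMPLE_FS[path]
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)

def rotated_dir(first_file, cwd, chroot=None):
    """Host directory that receives every capture file after the first one."""
    if chroot is None:
        return str((PurePosixPath(cwd) / first_file).parent)
    p = PurePosixPath(first_file).parent
    # Assumption: after chroot the working directory is the chroot root, so
    # relative names resolve there and absolute names are re-rooted under it.
    inside = p.relative_to("/") if p.is_absolute() else p
    return str(PurePosixPath(chroot) / inside)

def can_create(st, uid, gids):
    """Plain mode-bit check for w+x on a directory (ignores ACLs and capabilities)."""
    if uid == 0:
        return True
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & 0o3) == 0o3

def preflight(first_file, cwd, drop_uid, drop_gids, chroot=None, stat_fn=os.stat):
    """Return the problems that would otherwise surface only at the first rotation."""
    problems = []
    first_dir = str((PurePosixPath(cwd) / first_file).parent)
    later_dir = rotated_dir(first_file, cwd, chroot)
    if later_dir != first_dir:
        problems.append(f"later files land in {later_dir}, not {first_dir}")
    try:
        st = stat_fn(later_dir)
    except FileNotFoundError:
        return problems + [f"{later_dir} does not exist"]
    if not stat.S_ISDIR(st.st_mode) or not can_create(st, drop_uid, drop_gids):
        problems.append(f"uid {drop_uid} cannot create files in {later_dir}")
    return problems
```

On a real host, call preflight() with the default stat_fn and the uid and groups of the '--with-user' account before starting a -G or -C capture.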
