tcpdump: drop privileges by default?

[Jukka Ruohonen <jruohonen%iki.fi@localhost>]

Hi.

Would it be reasonable to drop root privileges in tcpdump(1) by default?

As I see it, this does not limit the functionality of the program in any
way. Moreover, there are practically no maintenance costs; upstream code
supports this and the change would require only a small patch.[1]

On the other hand, this would clutter the system a little. It may also be
questionable if this adds any value in terms of security. Protocol parsers
are however always difficult to get right, and historically tcpdump(1) has
not been an exception. The program is sometimes also used to gather data
instead of just debugging.

Regards,

Jukka.


[1] Disclaimer: I am not sure if this is all that is required to add an user
and a directory to the default build.


Index: src/dist/tcpdump/tcpdump.8
===================================================================
RCS file: /cvsroot/src/dist/tcpdump/tcpdump.8,v
retrieving revision 1.16
diff -u -p -r1.16 tcpdump.8
--- src/dist/tcpdump/tcpdump.8  24 Jul 2007 12:41:07 -0000      1.16
+++ src/dist/tcpdump/tcpdump.8  9 Sep 2009 18:10:14 -0000
@@ -594,8 +594,6 @@ Drops privileges (if root) and changes u
 .I user
 and the group ID to the primary group of
 .IR user .
-.IP
-This behavior can also be enabled by default at compile time.
 .IP "\fI expression\fP"
 .RS
 selects which packets will be dumped.
Index: src/etc/group
===================================================================
RCS file: /cvsroot/src/etc/group,v
retrieving revision 1.23
diff -u -p -r1.23 group
--- src/etc/group       16 Oct 2007 02:47:14 -0000      1.23
+++ src/etc/group       9 Sep 2009 18:10:15 -0000
@@ -20,6 +20,7 @@ _proxy:*:21:
 _timedc:*:22:
 _sdpd:*:23:
 _httpd:*:24:
+_tcpdump:*:25:
 guest:*:31:root
 nobody:*:39:
 utmp:*:45:
Index: src/etc/master.passwd
===================================================================
RCS file: /cvsroot/src/etc/master.passwd,v
retrieving revision 1.39
diff -u -p -r1.39 master.passwd
--- src/etc/master.passwd       16 Oct 2007 02:47:14 -0000      1.39
+++ src/etc/master.passwd       9 Sep 2009 18:10:15 -0000
@@ -14,5 +14,6 @@ _proxy:*:21:21::0:0:Proxy Services:/none
 _timedc:*:22:22::0:0:& pseudo-user:/nonexistent:/sbin/nologin
 _sdpd:*:23:23::0:0:& pseudo-user:/nonexistent:/sbin/nologin
 _httpd:*:24:24::0:0:& pseudo-user:/var/www:/sbin/nologin
+_tcpdump:*:25:25::0:0:& pseudo-user:/var/chroot/tcpdump:/sbin/nologin
 uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/nonexistent:/sbin/nologin
 nobody:*:32767:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin
Index: src/etc/mtree/special
===================================================================
RCS file: /cvsroot/src/etc/mtree/special,v
retrieving revision 1.129
diff -u -p -r1.129 special
--- src/etc/mtree/special       25 Jul 2009 16:20:10 -0000      1.129
+++ src/etc/mtree/special       9 Sep 2009 18:10:15 -0000
@@ -393,6 +393,7 @@
 ./var/chroot/ntpd/var/run      type=dir  mode=0775 gname=ntpd
 ./var/chroot/pflogd            type=dir  mode=0755
 ./var/chroot/sshd              type=dir  mode=0755
+./var/chroot/tcpdump            type=dir  mode=0755
 ./var/chroot/tftp-proxy                type=dir  mode=0755
 ./var/cron                     type=dir  mode=0755
 ./var/cron/tabs                        type=dir  mode=0700
Index: src/usr.sbin/tcpdump/Makefile
===================================================================
RCS file: /cvsroot/src/usr.sbin/tcpdump/Makefile,v
retrieving revision 1.49
diff -u -p -r1.49 Makefile
--- src/usr.sbin/tcpdump/Makefile       22 Apr 2009 15:23:09 -0000      1.49
+++ src/usr.sbin/tcpdump/Makefile       9 Sep 2009 18:12:04 -0000
@@ -75,6 +75,9 @@ CPPFLAGS+=-DLBL_ALIGN=1
 CPPFLAGS+=-DTCPDUMP_DO_SMB=1
 CPPFLAGS+=-D_U_="__attribute__((unused))"
 
+CPPFLAGS+=-DWITH_USER=\"_tcpdump\"
+CPPFLAGS+=-DWITH_CHROOT=\"/var/chroot/tcpdump\"
+
 .if (${USE_INET6} != "no")
 SRCS+= print-ip6.c print-ip6opts.c print-ripng.c print-icmp6.c print-frag6.c \
        print-rt6.c print-ospf6.c print-dhcp6.c