TCPDUMP for mortals
This document describes methods to give normal users access to the
Berkeley Packet Filter (bpf) devices without giving them root-access or
making these programs setuid-root.
Note: it has come to my attention that Linux doesn't have a bpf-device;
access to it is restricted deep in the kernel, close to the
SOCKET_RAW code. So much for the "everything is a file" policy.
Problem
In the networking-group I was working in, we had a couple of unix server
machines and portable unix machines (for troubleshooting).
And if you're in the networking-group, packet-sniffing is one of
the ways to do your job. So you need to give people access to the
bpf-devices, but you don't want to give them complete access to
the system.
Current situation
At this moment, the permissions for /dev/bpf* are:
[~] edwin@k7>ls -al /dev/bpf*
crw------- 1 root wheel 23, 0 Dec 25 02:52 /dev/bpf0
crw------- 1 root wheel 23, 1 Dec 25 02:52 /dev/bpf1
crw------- 1 root wheel 23, 2 Dec 25 02:52 /dev/bpf2
crw------- 1 root wheel 23, 3 Dec 25 02:52 /dev/bpf3
Owned by the root user, nobody else can open them. That is a good
thing. But to read from them, you need root access to the system,
or the packet-sniffer needs to be setuid root. Bzzzt: wrong.
What you need is to give the users read access to the device.
A step in the right direction
At this moment, the group on /dev/bpf* is wheel, the
same group as the users who can su to root. So if you make the device
readable for everybody in the group wheel and put everybody
who needs access to it in wheel, they can open the bpf-device
and read from the network. Only this solution would also allow them
to peek over your shoulder, get the root password and become root
themselves.
Solution
Make a new group called bpfusers in /etc/group, make
/dev/bpf* readable for everybody in that group and add
everybody who needs to be able to do packet-sniffing to that
group:
[~] edwin@k7>ls -al /dev/bpf*
crw-r----- 1 root bpfusers 23, 0 Dec 25 02:52 /dev/bpf0
crw-r----- 1 root bpfusers 23, 1 Dec 25 02:52 /dev/bpf1
crw-r----- 1 root bpfusers 23, 2 Dec 25 02:52 /dev/bpf2
crw-r----- 1 root bpfusers 23, 3 Dec 25 02:52 /dev/bpf3
[~] edwin@k7>grep bpfusers /etc/group
bpfusers:*:500:edwin
Now the user edwin is able to open /dev/bpf* for reading.
With this solution you give the people who need access to sniffer tools
access to the bpf-device without having to give them root access,
without having to make setuid-root packet-sniffers and without having
to worry that people who are not allowed to use a packet-sniffer are
able to do so.
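The procedure above, as an added example that is not part of the original article: a small POSIX sh script with the setup commands (FreeBSD pw(8) syntax and the devfs.rules note are assumptions for a current FreeBSD, not something the article shows) plus two audit helpers that check an `ls -l` line and an /etc/group line against the intended state (owner root, group bpfusers, mode 0640). The group name and the user edwin are taken from the article.

```shell
#!/bin/sh
# Added example, not the article's own code. Target state for /dev/bpf*:
# character device, owner root, group bpfusers, mode crw-r----- (0640).
GROUP=bpfusers

# setup_bpf_group USER... : create the group, fix the device nodes and add
# the given users. Must run as root. pw(8) syntax is assumed (FreeBSD).
setup_bpf_group() {
    pw groupshow "$GROUP" >/dev/null 2>&1 || pw groupadd "$GROUP"
    chown root:"$GROUP" /dev/bpf*
    chmod 0640 /dev/bpf*          # group may read (capture), not write
    for u in "$@"; do pw groupmod "$GROUP" -m "$u"; done
    # Caveat: on FreeBSD 5 and later /dev is devfs, so these changes are
    # lost at reboot. Persist them in /etc/devfs.rules, e.g.
    #   [localrules=10]
    #   add path 'bpf*' mode 0640 group bpfusers
    # and set devfs_system_ruleset="localrules" in /etc/rc.conf.
}

# check_bpf_line "LS_LINE" : audit one `ls -l /dev/bpfN` line.
# Returns 0 when the node matches the target state, 1 otherwise (and says why).
check_bpf_line() {
    line=$1
    for f in $line; do node=$f; done          # last field is the path
    set -- $line
    mode=$1 owner=$3 group=$4
    case "$mode" in c*) ;; *) echo "$node: not a char device ($mode)"; return 1 ;; esac
    [ "$owner" = root ] || { echo "$node: owner $owner, expected root"; return 1; }
    [ "$group" = "$GROUP" ] || { echo "$node: group $group, expected $GROUP"; return 1; }
    grp=$(printf '%s' "$mode" | cut -c5-7)    # group rwx bits
    oth=$(printf '%s' "$mode" | cut -c8-10)   # other rwx bits
    [ "$oth" = "---" ] || { echo "$node: world-accessible ($mode)"; return 1; }
    [ "$grp" = "r--" ] || { echo "$node: group bits $grp, expected r--"; return 1; }
    echo "$node: OK"
}

# group_has_user "GROUP_LINE" USER : is USER listed in an /etc/group line
# such as "bpfusers:*:500:edwin"? Returns 0 if yes, 1 if not.
group_has_user() {
    members=${1##*:}                          # text after the last colon
    case ",$members," in *",$2,"*) return 0 ;; esac
    return 1
}

# Constructed sample lines (copied from the article's listings):
check_bpf_line "crw-r----- 1 root bpfusers 23, 0 Dec 25 02:52 /dev/bpf0"
check_bpf_line "crw------- 1 root wheel 23, 0 Dec 25 02:52 /dev/bpf0"
group_has_user "bpfusers:*:500:edwin" edwin && echo "edwin is in $GROUP"
```

Run the audit helpers as an ordinary user against `ls -l /dev/bpf*` and `grep bpfusers /etc/group`; only setup_bpf_group needs root.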