
TCPDUMP for mortals

This document describes a method to give normal users access to the Berkeley Packet Filter (bpf) devices without giving them root access and without making the packet-sniffing programs setuid root.

Note: it has come to my attention that Linux doesn't have a bpf device; the access check sits deep in the kernel, next to the SOCK_RAW code (creating a packet socket requires root, or the CAP_NET_RAW capability), so the group-permission approach below does not carry over. So much for the "everything is a file" policy.


In the networking group I was working in, we had a couple of Unix servers and portable Unix machines (for troubleshooting). And if you're in the networking group, packet sniffing is one of the ways to do your job. So you need to give these people access to the bpf devices, but you don't want to give them complete access to the system.

Current situation

At this moment, the permissions for /dev/bpf* are:

[~] edwin@k7>ls -al /dev/bpf*
crw-------  1 root  wheel   23,   0 Dec 25 02:52 /dev/bpf0
crw-------  1 root  wheel   23,   1 Dec 25 02:52 /dev/bpf1
crw-------  1 root  wheel   23,   2 Dec 25 02:52 /dev/bpf2
crw-------  1 root  wheel   23,   3 Dec 25 02:52 /dev/bpf3

Owned by root, with no group or world bits set, nobody else can open them. That is a good thing. So to read from them you need root access to the system, or the packet sniffer needs to be setuid root. Bzzzt: wrong. All you need to do is give the right people read access to the device.

A step in the right direction

At this moment the group on /dev/bpf* is wheel, the group whose members are allowed to su to root. So if you make the devices readable for everybody in group wheel and put everybody who needs access into wheel, they can open the bpf device and read from the network. But wheel membership is exactly what su(1) checks, so this would also allow them to peek over your shoulder, get the root password and become root themselves.


Make a new group called bpfusers in /etc/group, make /dev/bpf* readable for everybody in that group (group read only, mode 0640, no world bits) and add everybody who needs to be able to do packet sniffing to that group:

[~] edwin@k7>ls -al /dev/bpf*
crw-r-----  1 root  bpfusers   23,   0 Dec 25 02:52 /dev/bpf0
crw-r-----  1 root  bpfusers   23,   1 Dec 25 02:52 /dev/bpf1
crw-r-----  1 root  bpfusers   23,   2 Dec 25 02:52 /dev/bpf2
crw-r-----  1 root  bpfusers   23,   3 Dec 25 02:52 /dev/bpf3
[~] edwin@k7>grep bpfusers /etc/group

Once edwin is listed as a member of bpfusers (and has logged in again, so the new group is part of his credentials), he is able to open /dev/bpf* for reading.
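The steps above, as an added example in script form (this is not code from the original page). It assumes the group name bpfusers and the user edwin from the article, and uses the stock FreeBSD tools pw(8), chgrp(1) and chmod(1). The audit function checks the mode string printed by ls(1), so it works the same on BSD and GNU systems; the grant and add functions need root.

```sh
#!/bin/sh
# Added example, not part of the original article.
# Grants read-only access to /dev/bpf* to a dedicated group and audits the result.
# Assumptions: group name "bpfusers", user "edwin", FreeBSD's pw(8) for group management.
set -eu

BPF_GROUP=${BPF_GROUP:-bpfusers}

# Desired bits: owner rw, group r, others nothing (0640).  The group must never
# get write access: writing to a bpf device injects packets onto the wire.
BPF_MODE=640

# Print the ls(1) mode string of a path, e.g. "crw-r-----".
# cut(1) drops the 11th character (ACL/extended-attribute marker) some ls versions add.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 when a mode string grants exactly the intended access:
# owner rw, group read only, no world bits.  The file type character is ignored.
mode_ok() {
    case "$1" in
        ?rw-r-----) return 0 ;;
        *) return 1 ;;
    esac
}

# Create the group if it does not exist yet, then hand every bpf node to it.
# Needs root.
grant_bpf_access() {
    pw groupshow "$BPF_GROUP" >/dev/null 2>&1 || pw groupadd "$BPF_GROUP"
    for dev in /dev/bpf*; do
        chgrp "$BPF_GROUP" "$dev"
        chmod "$BPF_MODE" "$dev"
    done
}

# Add one user to the sniffer group.  Needs root; the user has to log in again
# before the new group shows up in his credentials.
add_sniffer() {
    pw groupmod "$BPF_GROUP" -m "$1"
}

# Audit the given device nodes.  Returns non-zero if any of them is readable by
# others, or writable or executable by the group.
audit_bpf() {
    rc=0
    for dev in "$@"; do
        m=$(mode_of "$dev")
        if mode_ok "$m"; then
            echo "ok   $m $dev"
        else
            echo "BAD  $m $dev" >&2
            rc=1
        fi
    done
    return $rc
}

# Typical use, as root:
#   grant_bpf_access
#   add_sniffer edwin
#   audit_bpf /dev/bpf*
```

On FreeBSD versions where /dev is a devfs(5) mount, the node permissions are recreated at boot and the chgrp/chmod above will not survive a reboot; put the equivalent into /etc/devfs.rules (a rule such as add path 'bpf*' mode 0640 group bpfusers in a ruleset enabled from rc.conf) so every bpf node, including ones cloned later, comes up with the right owner and mode.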

With this solution you give the people who need the sniffer tools access to the bpf devices without giving them root access, without making the packet sniffers setuid root, and without worrying that people who are not allowed to sniff are able to. Keep in mind that membership of bpfusers is still a privilege: anybody in the group can read every packet on every interface the machine sees, cleartext passwords included, so hand it out as deliberately as you would wheel. And keep the devices group-readable only: write access to /dev/bpf* lets the holder inject packets onto the network.


$Id: tcpdumpmortals.php,v 1.6 2002/11/17 08:31:15 mavetju Exp $