Ethereal-dev: Re: [Ethereal-dev] Harsh criticism from the OpenBSD folks

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Joerg Mayer <jmayer@xxxxxxxxx>
Date: Tue, 24 Aug 2004 16:11:50 +0200
On Mon, Aug 23, 2004 at 11:06:08PM -0500, Gerald Combs wrote:
> > So what distinguishes a "band-aid" from a fix considered more acceptable?

IMNSHO, privsep is a band-aid in the Ethereal case:
The problem of obtaining root privs goes away, yes, but the malicious code
is then executed as the user, which is not much better. The problem is also
there if a user runs "ethereal -r file-with-bad-packet.pcap".

We have a few options here:
a) Do privsep where relevant (e.g. on systems that require root perms to
  capture data).
b) Identify which type of errors allow exploits, which coding errors led
  to them and do a code audit as well as provide some infrastructure in
  order to prevent them in the future (like tvbuff).
c) Work with generators and migrate all dissectors to some specification
  language.
d) Provide dissectors with a flag that gives a default state (enabled/
  disabled) in case the config file doesn't have anything different to
  say. Disable most dissectors by default and review those that are
  enabled by default.

I don't think that a) achieves much as far as security is concerned. The
"proper" solution would be to simply not call any dissectors when run
as root - it's easier to implement and doesn't suffer the side effects -
and while
c) may be a long term solution, I don't think it will be in place for quite
a while and after that it will take years to migrate all existing dissectors.
d) is a solution that is easy to implement and which is quite effective as
far as security is concerned.
c) should also be quite doable.

So, in case we really care about the situation (which we should), I'd
suggest to start with 
1) disable dissection when run as root
2) implement d)
3) Implement b)
4) In case we are still unhappy, think about d)

 ciao
        Joerg

-- 
Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.