Wireshark · Ethereal-dev: Re: Disector categories (Re: [Ethereal-dev] Priv sep in ethereal)

[Bruno Rohee <bruno@xxxxxxxxx>]

On Sat, Feb 12, 2005 at 06:23:10PM -0800, Stephen Samuel wrote:
> ronnie sahlberg wrote:
> >dont run a application as root.
> >this is not specific to ethereal, it applies to all software DONT run
> >apps as root!
> 
> Unfortunately, ethereal needs raw device support to get the

I'll assume you wanted to add "frames" or "packets" here ;-)

Yes, ethereal needs root provilege to capture things on the wire, that
doesn't mean it must decode them as root, or for that matter run
the GUI as root.

What OpenBSD would like to see is ethereal using a two process architecture,
one minimal doing the packet capture as root then communicating thru
some mean of your choice (socket pair or maybe some shared memory if
performance constraints dictate it) the untrusted data to a process running
with as few privilege as nothing, that would do the dangerous decoding phase.

With the unprivileged process running chrooted in an empty directory that
he doesn't own with an user that owns no files any problem in a decoder
would be quite mitigated...

One could even imagine an architecture where each protocol decoder would be
in a separate process and where the master application could monitor their
death and relaunch them as needed, resulting in a way more robust
application...

Just my .02 euros...

-- 
I can read your mind, and you should be ashamed of yourself.