
Re: Packet sniffing & regular users



On Thu, 2005-03-03 at 11:54, David Mandelberg wrote:
> Physical access means they can touch the machine. Local access means they can
> log into the machine. Often local access is further restricted to mean they can
> log in and get a real shell (i.e. the shell isn't /usr/sbin/pppd).

I tend to prefer more specific terms like "remote shell access". This
thread seems to have drifted a bit, but in terms of the original
question I think you should be able to make a setuid root version of
tcpdump, or your favorite alternative, which creates the raw socket as
root and then drops its privileges.

I have my doubts about the wisdom of allowing random people to use
tcpdump, even a version modified as above. However I suppose a version
like that might be useful to me as a system admin, because I could do
more without being root.

BTW I think you might be able to detect promiscuous mode with a raw
socket (at least on non-switched ethernet). If I send a ping packet to
192.168.1.42 using the wrong ethernet address then a response implies
promiscuous mode because otherwise the interface would have dropped the
packet.

I have not investigated, but I think the kernel would reliably
respond and 99.99% of attackers would not realise they had been
exposed.
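
Added example, not part of the original message or of tcpdump: a minimal C sketch of the "create the raw socket as root, then drop privileges" pattern for a setuid-root capture helper. Linux `AF_PACKET` and the function names `open_capture_socket` and `drop_privileges` are assumptions made for illustration.

```c
/* Added example: open-then-drop for a setuid-root capture helper.
 * Assumes Linux AF_PACKET; function names are hypothetical. */
#include <arpa/inet.h>
#include <errno.h>
#include <linux/if_ether.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Privileged step: needs root or CAP_NET_RAW. Returns fd, or -1 with errno set. */
int open_capture_socket(void)
{
    return socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
}

/* Permanently return to the invoking user's IDs. Returns 0 on success, -1 on failure.
 * A setuid binary keeps the caller's supplementary groups, so setgroups() is not needed. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: after the uid is dropped the gid can no longer be changed. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Never trust the return codes alone: confirm the effective IDs. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* If root can be regained, the saved uid survived and the drop is not permanent. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    int fd = open_capture_socket();
    int saved_errno = errno;
    /* Drop before any error handling or packet parsing runs. */
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges, aborting\n");
        return 2;
    }
    if (fd < 0) {
        errno = saved_errno;
        perror("raw socket");
        return 1;
    }
    printf("capturing on fd %d as uid %d\n", fd, (int)getuid());
    close(fd);
    return 0;
}
```

The socket stays usable after the drop because the permission check happens when it is created, so all packet parsing runs as the invoking user.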



