Message-ID: <AANLkTi=LBJVm73=avUg1y4-E0=a_CiX7R5X_UeD3BJ9A@mail.gmail.com>
Date: Fri, 11 Mar 2011 06:40:31 -0800
From: RB <aoz.syn@...il.com>
To: owl-dev@...ts.openwall.com
Subject: tcpdump vagaries

As sent to Solar, re-posting as requested to owl-dev. This particular pair of bugs^Wfeatures have had me pulling my hair out for the past week.

====

Just wanted to give you a heads up on some poor behavior I've noted in Gentoo's packaging of tcpdump that you may have unintentionally run into. I know Owl's recent releases eliminated setXid binaries, so your likelihood of hitting these edge cases increases.

The issues surround using the -G and -C options to split capture files at runtime. When tcpdump is configured with '--with-user=XXX', it turns the -Z (drop privileges) option on by default. The result is that the first capture file is created with the privileges and ownership of the calling user (often root) but subsequent ones as the XXX user. This stands a high probability of producing subtle (and late) failures due to filesystem permissions.

Similarly, configuring tcpdump with '--with-chroot=/path/to/chroot', it will chroot itself to /path/to/chroot at runtime. Again, the first file is created with the calling privileges and lands where one would expect, but if using relative paths subsequent files will appear in /path/to/chroot, and absolute paths (that don't match what is under /path/to/chroot) result in the capture stopping/failing due to missing directories.

Ideally alterations should probably be made to tcpdump to make those failures and behavior more immediate, but digging that out and coding it up is far beyond my time capacity right now. Hopefully you tested Owl a little better than Gentoo's devs did if you made similar decisions.

====

I can understand and even appreciate and agree with the intent behind the choices, but as with any change that increases complexity of operation, should have probably been a little more tested.

RB
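A preflight check for the two late failures described in the message, written as an added example (it is not part of the original post and is not tcpdump code). The function names are hypothetical, the path model (files after the first resolve inside the chroot) is taken from the message's description, and the permission test looks at mode bits only, ignoring ACLs and read-only mounts.

```python
import os
import stat

def can_create(directory, uid, gids):
    """True if uid/gids may create files in directory (mode bits only)."""
    if uid == 0:
        return True
    st = os.stat(directory)
    need = stat.S_IWUSR | stat.S_IXUSR              # write + search
    if st.st_uid == uid:
        return st.st_mode & need == need            # owner class
    if st.st_gid in gids:
        return (st.st_mode << 3) & need == need     # group class
    return (st.st_mode << 6) & need == need         # other class

def capture_dirs(out_path, cwd, chroot=None):
    """Host directories of (first capture file, files written after rotation)."""
    first = os.path.normpath(os.path.dirname(os.path.join(cwd, out_path)))
    if chroot is None:
        return first, first
    # Assumption from the message: after the first file, relative and
    # absolute -w paths are both resolved inside the chroot.
    inside = os.path.join(chroot, out_path.lstrip("/"))
    return first, os.path.normpath(os.path.dirname(inside))

def preflight(out_path, cwd, uid, gids, chroot=None):
    """Problems that would otherwise only show up at the first -G/-C rotation.

    uid/gids describe the account tcpdump drops to (-Z / --with-user).
    """
    problems = []
    first, later = capture_dirs(out_path, cwd, chroot)
    if later != first:
        problems.append(f"rotated files land in {later}, not {first}")
    if not os.path.isdir(later):
        problems.append(f"missing directory for rotated files: {later}")
    elif not can_create(later, uid, gids):
        problems.append(f"uid {uid} cannot create files in {later}")
    return problems
```

An empty list from `preflight` means the directory that receives the rotated files exists and is writable by the drop-privilege account under this model.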