Hi List!
As that's a requested feature, we might first think about how to achieve 
this (and I don't have much knowledge on this, but I'm willing to learn :-).
Having looked on the web for Privilege Separation in general, I didn't find 
good resources; does anyone have a good tip?
However, as far as I understand it, it's about splitting a program into 
parts which then run at the lowest privilege they need to do the 
task they have to, but not more.
Looking at Ethereal with this topic in mind, I think of two main parts:
- live capturing from the network (usually requires root privileges) and 
putting that data on the hard disk. As the amount of capturing code is 
limited, this code could be reviewed with safety in mind, so it should be 
possible to make it "bullet proof" (well, you will never have 100% safe 
code)
- decoding of protocols, showing them on the screen and all the other 
GUI related things (requires only user privileges, like opening files and 
such). As the dissection is spread across a lot of code, provided and 
maintained by a lot of different people, it might be nearly impossible 
to get really bullet proof code from this (of course, trying to achieve 
security is always a good idea anyway).
So this indicates that we should split the capturing of data from 
dissecting and showing it. The capturing should be hardened and could be 
run in root mode, while the dissection code runs "only" under user 
privileges. If security concerns are really huge, even a special 
ethereal user could be created to get a "sandbox" for the dissection 
code so it can't do any real harm.
Am I digging in the right direction?
Regards, ULFL
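
The split described in the message above, as an added example that is not part of the original post and not Ethereal's code: a small capture-side parent keeps its privileges and feeds frames over a pipe to a dissector child that gives up root before it parses anything. The uid/gid 65534, the one-byte length framing, the function names and the sample frames are all assumptions made for this illustration.

```c
#include <grp.h>
#include <stdint.h>
#include <sys/wait.h>
#include <unistd.h>

enum { SANDBOX_UID = 65534, SANDBOX_GID = 65534 }; /* assumption: unprivileged account */

/* Permanently give up root: supplementary groups first, then gid, then uid. */
static int drop_privileges(void) {
    if (geteuid() != 0) return 0;                  /* already unprivileged */
    if (setgroups(0, NULL) != 0 || setgid(SANDBOX_GID) != 0 ||
        setuid(SANDBOX_UID) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;                /* regaining root must fail */
}

/* Dissector side: counts length-prefixed frames (stand-in for real dissection). */
static int dissect_loop(int fd) {
    uint8_t len, buf[255];
    int frames = 0;
    while (read(fd, &len, 1) == 1) {
        for (size_t got = 0; got < len; ) {        /* read the whole payload */
            ssize_t r = read(fd, buf + got, len - got);
            if (r <= 0) return -1;                 /* truncated frame */
            got += (size_t)r;
        }
        frames++;
    }
    return frames;
}

/* Capture side keeps its privileges; returns frames the child dissected, or -1. */
int run_split(void) {
    static const uint8_t frames[] = {4,'p','k','t','1', 2,'h','i', 3,'a','b','c'}; /* constructed */
    int p[2], status;
    if (pipe(p) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                /* child: untrusted dissector */
        close(p[1]);
        if (drop_privileges() != 0) _exit(255);    /* fail closed */
        int n = dissect_loop(p[0]);
        _exit(n < 0 ? 254 : n);
    }
    int ok = write(p[1], frames, sizeof frames) == (ssize_t)sizeof frames;
    close(p[0]); close(p[1]);                      /* read end held until here: no SIGPIPE */
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || !ok) return -1;
    return WEXITSTATUS(status) >= 254 ? -1 : WEXITSTATUS(status);
}
int main(void) { return run_split() == 3 ? 0 : 1; } /* exit 0: all 3 frames dissected */
```

The child refuses to dissect if the drop fails, so a bug in the parsing code is only ever reached by a process that no longer holds root.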