Ethereal-dev: Re: Dissector categories (Re: [Ethereal-dev] Priv sep in ethereal)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Joerg Mayer <jmayer@xxxxxxxxx>
Date: Sun, 13 Feb 2005 19:06:16 +0100
On Sun, Feb 13, 2005 at 02:47:45PM +0100, Bruno Rohee wrote:
> What OpenBSD would like to see is ethereal using a two-process architecture:
> one minimal process doing the packet capture as root, then communicating through
> some means of your choice (socket pair, or maybe some shared memory if
> performance constraints dictate it) the untrusted data to a process running
> with next to no privileges, which would do the dangerous decoding phase.
> 
> With the unprivileged process running chrooted in an empty directory that
> it doesn't own, as a user that owns no files, any problem in a decoder
> would be quite mitigated...

This is a very important point that is being mentioned here, and it was discussed at
least once when the whole thread started: for optimal security the
*decoding* process should run
a) with privilege separation, as a specific decoding user, and
b) chrooted to somewhere where *no* data can be written.

From a security viewpoint this is at least as important as running the capture
process with privsep.

 Ciao
     Joerg
-- 
Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
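The two-process layout discussed in this message, as an added example that is not Ethereal code and not part of the original thread: the parent keeps the privileges the capture side needs, the child is the decoder, and the two talk over a socketpair using a length-prefixed framing. The child chroots into a directory it cannot write to, switches to a uid/gid that owns no files, and verifies the drop is irreversible before touching any packet data. JAIL_DIR, DECODE_UID, DECODE_GID, the framing format and the sample frame are assumptions made for this example; nothing is captured from a real interface.

```c
/* Added example (not Ethereal code): privilege-separated decoder process.
 * Assumptions: JAIL_DIR is an empty, root-owned, unwritable directory;
 * DECODE_UID/GID own no files; frames are constructed inline, not captured. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define JAIL_DIR   "/var/empty"   /* assumed: empty, root-owned, mode 0555 */
#define DECODE_UID 65534          /* assumed: a uid that owns no files */
#define DECODE_GID 65534
#define MAX_PKT    65536          /* largest frame the decoder will accept */

/* Chroot into an unwritable directory, drop supplementary groups, switch
 * uid/gid, and confirm root cannot be regained. 0 on success, -1 on failure. */
static int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;          /* drop must be irreversible */
    return 0;
}

static int write_all(int fd, const void *buf, size_t len)
{
    const uint8_t *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* 1 = full read, 0 = clean EOF before any byte, -1 = error or short read. */
static int read_all(int fd, void *buf, size_t len)
{
    uint8_t *p = buf; size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, p + got, len - got);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) return got == 0 ? 0 : -1;
        got += (size_t)n;
    }
    return 1;
}

/* Capture side: 4-byte big-endian length, then the raw frame. */
int send_packet(int fd, const uint8_t *pkt, size_t len)
{
    if (len > MAX_PKT) return -1;
    uint32_t hdr = htonl((uint32_t)len);
    if (write_all(fd, &hdr, sizeof hdr) != 0) return -1;
    return write_all(fd, pkt, len);
}

/* Decoder side: the peer is untrusted, so a claimed length larger than the
 * buffer is rejected before any body bytes are read. Returns length, 0 on EOF, -1 on error. */
ssize_t recv_packet(int fd, uint8_t *buf, size_t cap)
{
    uint32_t hdr;
    int r = read_all(fd, &hdr, sizeof hdr);
    if (r <= 0) return r;
    uint32_t len = ntohl(hdr);
    if (len > cap || len > MAX_PKT) return -1;
    if (read_all(fd, buf, len) != 1) return -1;
    return (ssize_t)len;
}

/* Bounds-checked Ethernet + IPv4 decode. 0 on success, -1 if truncated or not IPv4. */
int decode_ipv4(const uint8_t *p, size_t len, char *out, size_t outcap)
{
    if (len < 14 + 20 || p[12] != 0x08 || p[13] != 0x00) return -1;
    const uint8_t *ip = p + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || 14 + ihl > len) return -1;
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, ip + 12, src, sizeof src);
    inet_ntop(AF_INET, ip + 16, dst, sizeof dst);
    snprintf(out, outcap, "IPv4 %s -> %s proto %u", src, dst, ip[9]);
    return 0;
}

/* Constructed frame (not captured): Ethernet + IPv4, 10.0.0.1 -> 10.0.0.2, proto 17. */
static const uint8_t SAMPLE_FRAME[34] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    10,0,0,1, 10,0,0,2 };

/* Decoder loop: runs entirely inside the jail; exits 0 on EOF, 1 on a framing error. */
int decoder_main(int fd)
{
    static uint8_t buf[MAX_PKT];
    char line[128];
    for (;;) {
        ssize_t n = recv_packet(fd, buf, sizeof buf);
        if (n <= 0) { fflush(stdout); return n == 0 ? 0 : 1; }
        if (decode_ipv4(buf, (size_t)n, line, sizeof line) == 0)
            printf("decoder[uid %u]: %s\n", (unsigned)geteuid(), line);
        else
            printf("decoder[uid %u]: undecodable frame, %zd bytes\n", (unsigned)geteuid(), n);
    }
}

/* Fork the decoder (jailed if jail != NULL), feed it frames, return its exit status. */
int run_demo(const char *jail)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(sv[0]);
        if (jail != NULL && drop_privileges(jail, DECODE_UID, DECODE_GID) != 0) _exit(2);
        _exit(decoder_main(sv[1]));
    }
    close(sv[1]);
    send_packet(sv[0], SAMPLE_FRAME, sizeof SAMPLE_FRAME);
    send_packet(sv[0], SAMPLE_FRAME, 10);   /* truncated frame: rejected by the decoder, no crash */
    close(sv[0]);                            /* EOF tells the decoder to finish */
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Only root can chroot; an unprivileged run still shows the process split. */
    int rc = run_demo(geteuid() == 0 ? JAIL_DIR : NULL);
    printf("decoder exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The point the message makes is visible in the split: every byte of attacker-controlled data is parsed by the child, so a bug in decode_ipv4 (or in any real dissector behind it) yields, at worst, an unprivileged process in a directory it cannot write to. The length check in recv_packet matters for the same reason: the capture side is the only peer, but the decoder still treats the stream as untrusted.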