Sebastien Raveau wrote:
That may help a bit, but buffer overflows are not the cause of most security 
flaws. Let me quote Theo de Raadt (maintainer of OpenBSD) on this:
"Crispin Cowan has suggested that buffer overflows are the most common 
security causing programmer error. I disagree. I believe that we found 
more /tmp races in our source tree than buffer overflows."
...and we've found more buffer overflows than /tmp races in our code 
(the only /tmp race we know of was "fixed" a long time ago by the 
OpenBSD folks in a fashion that broke captures; we fixed it differently).
I.e., whether /tmp races, buffer overflows, or other problems are the 
main source of security flaws in a particular piece of code depends on 
the code.  If the code has lots of static buffers into which stuff is 
read, and not a lot of manipulation of files in /tmp, buffer overflows 
are likely to be a bigger problem.
Anyway, I just find it amazing that in Ethereal more than a million lines of C 
run with root privileges...
*No* lines of Ethereal code run on my system with root privileges.
But that's because I'm running on a BSD-derived system (OS X), and can 
therefore arrange that I have read and write permissions on the /dev/bpf 
devices, and therefore don't have to run Ethereal - or tcpdump, or any 
other capture program - as root.
Ethereal has to be redesigned (as I suggested in a previous post to this 
mailing list, apparently ignored) to minimize the amount of code running with 
root privileges. Basically, the only thing Ethereal needs root privileges 
for is opening the capture socket,
"Capture socket" suggests the person who said this is running on Linux 
or IRIX, not BSD.  It's a socket on those systems, it's a BPF device on 
BSDs (and AIX), it's a STREAMS device on some other systems, etc.  See
	http://wiki.ethereal.com/CaptureSetup_2fCapturePrivileges
In any case, we agree that, as not all systems are as nice as BSD in 
this regard, the rest of the code shouldn't run with root privileges if 
the code that opens the capture device does need to run with root 
privileges.  This is a work in progress; see
	http://wiki.ethereal.com/Development_2fPrivilegeSeparation
However...
and that could take less than a hundred 
lines of code. Once the amount of code running with root privileges is 
downsized to about a hundred lines, it will be easily auditable and soon 
devoid of security flaws.
...it's not the case that you're "done" when the code running as root is 
known to be safe.  Code running as the user can't do as much damage as 
code running as root, but it can still do damage; see
	http://wiki.ethereal.com/Security
for a discussion of ways of making Ethereal dissectors (which I think 
*are* the primary source of security problems in Ethereal) safer.
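The "open the capture device as root, then drop privileges before any packet is parsed" split discussed above, as an added C example that is not Ethereal's or libpcap's code. The device path /dev/bpf0 and the target uid/gid are assumptions, and a real helper would hand the capture fd to a separate unprivileged process rather than, as here, keep it in the same one.

```c
#define _DEFAULT_SOURCE 1      /* glibc: expose setgroups() even under -std=c99 */
#include <sys/types.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Permanently give up root. Order matters: once setuid() has switched to a
 * non-root uid, setgroups()/setgid() would fail, so groups and gid go first.
 * Returns 0 on success, -1 on failure (errno is set by the failing call). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* only root may clear groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop is real and permanent: all ids match the target, the target
 * is not root, and setuid(0) is refused (the saved uid is no longer 0).
 * Returns 1 when the process is unprivileged, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid) {
    if (uid == 0 || getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    return setuid(0) != 0;   /* regaining root must fail */
}

/* The small privileged part: open the capture device while still root, then
 * drop privileges before a single byte of packet data reaches a dissector.
 * Returns the capture fd, or -1 on failure. */
int open_capture_then_drop(const char *dev, uid_t uid, gid_t gid) {
    int fd = open(dev, O_RDONLY);   /* read-only suffices to capture */
    if (fd < 0)
        return -1;
    if (drop_privileges(uid, gid) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv) {
    /* Constructed invocation: ./capdrop /dev/bpf0 ; a real helper would pass the
     * target unprivileged uid/gid instead of the caller's own ids used here. */
    const char *dev = argc > 1 ? argv[1] : "/dev/bpf0";
    int fd = open_capture_then_drop(dev, getuid(), getgid());
    if (fd < 0) { perror("open_capture_then_drop"); return 1; }
    printf("fd %d open, unprivileged=%d\n", fd, privileges_dropped(getuid(), getgid()));
    return 0;
}
```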