(yes, I am top-posting)

You are correct.  I believe the kernel is denying you raw access to the 
network interfaces.  This would be a serious security issue if regular 
users had raw access to the network interfaces.  I.e., joe user could run 
tcpdump and catch john user's (or root's) network traffic!

Also, I believe non-root users are not allowed to open ports <1024 fwiw.

-Dean


Brock Noland wrote:
> Greetings,
> 
> Many people are using pound ( http://www.apsis.ch/pound/ ) to proxy
> traffic from port 443 to another port using the local interface.
> 
> On Linux, I don't believe a regular user can open network devices for
> dumping. At least that is what my tests below show me. Does anyone
> know if it's the kernel denying access or the library itself?  Can you
> think of any other security concerns which would result from sending
> unencrypted traffic over a local port?
> 
> Thanks!
> Brock
> 
> [noland at a90 ~]$ cat pcap-open-default.c
> #include <stdio.h>
> #include <pcap.h>
> int main(int argc, char *argv[])
> {
>         char *dev, errbuf[PCAP_ERRBUF_SIZE];
>         dev = pcap_lookupdev(errbuf);
>         if (dev == NULL) {
>                 fprintf(stderr, "Couldn't find default device: %s\n", errbuf);
>                 return(2);
>         }
>         printf("Device: %s\n", dev);
>         return(0);
> }
> 
> [noland at a90 ~]$ gcc -lpcap pcap-open-default.c
> [noland at a90 ~]$ ./a.out
> Couldn't find default device: no suitable device found
> [noland at a90 ~]$ sudo ./a.out
> Device: eth0
> 
> [noland at a90 ~]$ cat pcap-find-all.c
> #include <stdio.h>
> #include <pcap.h>
> int main(int argc, char *argv[])
> {
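>         char errbuf[PCAP_ERRBUF_SIZE];
>         pcap_if_t *alldevs = NULL, *dev;
>         /* pcap_findalldevs() returns -1 on error and fills errbuf */
>         if (pcap_findalldevs(&alldevs, errbuf) == -1) {
>                 fprintf(stderr, "Couldn't find any devices: %s\n", errbuf);
>                 return(2);
>         }
>         dev = alldevs;
>         while(dev != NULL) {
>                 printf("Device: %s\n", dev->name);
>                 dev = dev->next;
>         }
>         /* release the list allocated by pcap_findalldevs() */
>         pcap_freealldevs(alldevs);
>         return(0);
> }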
> 
> [noland at a90 ~]$ gcc -lpcap pcap-find-all.c
> [noland at a90 ~]$ ./a.out
> Couldn't find any devices: socket: Operation not permitted
> [noland at a90 ~]$ sudo ./a.out
> Device: eth0
> Device: any
> Device: lo
> 
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
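
Added example, not part of the original thread or of libpcap: a Linux-only probe that makes the two privileged calls discussed above directly, without libpcap, so the errno shows whether the kernel is the one refusing. The function names and the choice of 127.0.0.1:443 are assumptions for illustration; it relies on libpcap's Linux capture path opening an AF_PACKET socket, which matches the "socket: Operation not permitted" error in the test output.

```c
/* Added example: probe the kernel's privilege checks directly (Linux only). */
#include <arpa/inet.h>
#include <errno.h>
#include <linux/if_ether.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

enum verdict { ALLOWED, DENIED_BY_KERNEL, OTHER_ERROR };

/* EPERM/EACCES from the syscall means the kernel's permission check
 * refused the request; anything else is an unrelated failure. */
enum verdict classify(int rc, int err) {
    if (rc >= 0) return ALLOWED;
    return (err == EPERM || err == EACCES) ? DENIED_BY_KERNEL : OTHER_ERROR;
}

/* Open the kind of socket a capture on Linux needs (CAP_NET_RAW). */
enum verdict probe_packet_socket(void) {
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    int err = errno;               /* save before close() can change it */
    if (fd >= 0) close(fd);
    return classify(fd, err);
}

/* Bind a TCP socket on loopback to the given port (CAP_NET_BIND_SERVICE
 * is needed below the unprivileged port threshold, 1024 by default). */
enum verdict probe_bind(unsigned short port) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return classify(fd, errno);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    int err = errno;
    close(fd);
    return classify(rc, err);
}

int main(void) {
    static const char *names[] = { "allowed", "denied by kernel", "other error" };
    printf("AF_PACKET raw socket: %s\n", names[probe_packet_socket()]);
    printf("bind 127.0.0.1:443:   %s\n", names[probe_bind(443)]);
    return 0;
}
```

Run it once as a regular user and once under sudo to compare; "other error" on the bind probe usually means the port is already in use by a listener such as pound.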