[15497] in Athena Bugs
sun4 8.1.9: snoop requires root
daemon@ATHENA.MIT.EDU (John Hawkinson)
Sun Sep 14 14:02:29 1997
Date: Sun, 14 Sep 1997 14:02:25 -0400
To: bugs@MIT.EDU
From: John Hawkinson <jhawk@MIT.EDU>
Snoop appears to require that the user be root in order to sniff
promiscuously:
[portnoy!jhawk] ~> snoop host ni
Using device /dev/le
snoop: Must be root to capture in promiscuous mode
[portnoy!jhawk] ~> ls -Lld /dev/le
crw------- 1 jhawk sys 11, 40 Apr 6 1995 /dev/le
[portnoy!jhawk] ~> tcpdump host ni
tcpdump: listening on le0
13:30:27.842189 portnoy.MIT.EDU > NI.MIT.EDU: icmp: echo request (DF)
13:30:27.844598 NI.MIT.EDU > portnoy.MIT.EDU: icmp: echo reply (DF)
^C
4488 packets received by filter
0 packets dropped by kernel
[portnoy!jhawk] ~>
tcpdump is perfectly capable of sniffing promiscuously as a non-root
user.
I believe that snoop is trying to give users a nice error message as it
expects that the network device will always be owned by root; this is
an erroneous assumption in our environment.
Further, it does not even attempt to open the device:
[portnoy!jhawk] ~> truss -w all snoop host ni | & egrep 'open|access'
open("/dev/zero", O_RDONLY) = 3
open("/usr/lib/libsocket.so.1", O_RDONLY) = 4
open("/usr/lib/libnsl.so.1", O_RDONLY) = 4
open("/usr/lib/libc.so.1", O_RDONLY) = 4
open("/usr/lib/libdl.so.1", O_RDONLY) = 4
open("/usr/lib/libintl.so.1", O_RDONLY) = 4
open("/usr/lib/libmp.so.1", O_RDONLY) = 4
open("/usr/lib/libw.so.1", O_RDONLY) = 4
open("/usr/platform/SUNW,SPARCstation-5/lib/libc_psr.so.1", O_RDONLY) Err#2 ENOENT
open("/etc/netconfig", O_RDONLY) = 3
open("/dev/udp", O_RDWR) = 3
open("/dev/le", O_RDWR) = 3
open("/etc/.name_service_door", O_RDONLY) = 4
open("/etc/nsswitch.conf", O_RDONLY) = 4
open("/usr/lib/nss_files.so.1", O_RDONLY) = 4
open("/etc/hosts", O_RDONLY) = 4
open("/usr/lib/nss_dns.so.1", O_RDONLY) = 4
open("/usr/lib/libresolv.so.2", O_RDONLY) = 4
open("/dev/zero", O_RDONLY) = 5
open("/dev/udp", O_RDWR) = 4
open("/etc/resolv.conf", O_RDONLY) = 4
open("/dev/udp", O_RDWR) = 4
[portnoy!jhawk] ~> truss -w all snoop host ni '>& /dev/null' | & gegrep -C '/dev/le'
ioctl(3, 0xC0206911, 0x000519E8) = 0
close(3) = 0
open("/dev/le", O_RDWR) = 3
putmsg(3, 0xEFFFF274, 0x00000000, RS_HIPRI) = 0
sigaction(SIGALRM, 0xEFFFF070, 0xEFFFF170) = 0
Here's a proof of concept that it works fine if we stop
it from calling getuid():
#!/bin/sh
/afs/athena.mit.edu/project/gnu/bin/gdb --nx << EOF
file /usr/sbin/snoop
break geteuid
run "$@"
# return 0 # This does not work, due to optimizations
finish # Wait for geteuid() to complete
set \$o0 = 0 # Force geteuid() to return 0
detach # We lose the controlling tty / job control... :-(
EOF
That gets us:
[portnoy!jhawk] ~> /tmp/sw host ni
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.14 (sparc-sun-solaris2.3), Copyright 1995 Free Software Foundation, Inc.
(gdb) Reading symbols from /usr/sbin/snoop...(no debugging symbols found)...done.
(gdb) Breakpoint 1 at 0x45ce0
(gdb) Starting program: /usr/sbin/snoop "host ni"
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...Breakpoint 1 at 0xef677158
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...Using device /dev/le
Breakpoint 1, 0xef677158 in geteuid ()
(gdb) (gdb) Run till exit from #0 0xef677158 in geteuid ()
0x172c0 in initdevice ()
(gdb) (gdb) (gdb) Continuing.
(promiscuous mode)
portnoy.MIT.EDU -> NI.MIT.EDU ICMP Echo request
NI.MIT.EDU -> portnoy.MIT.EDU ICMP Echo reply
portnoy.MIT.EDU -> NI.MIT.EDU ICMP Echo request
NI.MIT.EDU -> portnoy.MIT.EDU ICMP Echo reply
portnoy.MIT.EDU -> NI.MIT.EDU ICMP Echo request
NI.MIT.EDU -> portnoy.MIT.EDU ICMP Echo reply
portnoy.MIT.EDU -> NI.MIT.EDU ICMP Echo request
NI.MIT.EDU -> portnoy.MIT.EDU ICMP Echo reply
^Z
Suspended
[portnoy!jhawk] ~>
--jhawk