Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Separate network sniffer to different process to reduce sudo exposure #76

Open
arkarkark opened this issue Jan 5, 2020 · 4 comments
Open

Separate network sniffer to different process to reduce sudo exposure #76

arkarkark opened this issue Jan 5, 2020 · 4 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@arkarkark
Copy link

Right now bandwhich is built from 153 packages (from the cargo install count). That's a really large attack surface for an app that's going to run under sudo.
Could the app be split into two processes? one of which runs as the user and handles the display, the other (with a smaller number of dependencies) as root to access just the network traffic and pass it to the user process.

I'd really like to be able to run the process as me. Then that process tries to sudo the network grabbing process with the required password if sudo requires it.
@imsnif
Copy link
Owner

imsnif commented Jan 5, 2020

I'll point out that under linux (maybe there's also a way under mac?) one could only give the app the specific permissions it needs for the network and then not use sudo:

sudo setcap cap_net_raw,cap_net_admin=+ep "$HOME/.cargo/bin/bandwhich"

Even doing this though, you raise an interesting point. How do you think this would work, UX-wise? The tool would ask me for my root password? Personally I would feel less safe giving an app my actual password. Do you have a different idea?

As for the deps, we use the --locked flag in cargo when we build the release (in all forms of packaging as well as the releases here). But I of course understand and admit that while new things aren't likely to pop-up, I have not thoroughly audited all dependencies and transient dependencies before using them.

@arkarkark
Copy link
Author

indeed I wouldn't want to give an app my root password. Plus some systems use different ways to authenticate for sudo access (2 factor etc).

I think the easiest way to get this to work is to have the network binary have to be run with sudo. then it starts up the UI binary as the $SUDO_USER user.

a nicety would be if the network stuff fails and the command was run without sudo, then to restart the process with sudo but that's not really a division of privileges thing.

@imsnif
Copy link
Owner

imsnif commented Jan 5, 2020

Ah - I understand now. This sounds like a good change. Thanks!

We would have to find a way to transfer the utilization information between the processes (I'm guessing IPC, unless there are other better options I'm not aware of) - and be sure that doesn't hurt performance for a large volume of connections.

Would you be interested in working on this?

@arkarkark
Copy link
Author

I'm afraid I have zero rust experience and a security related change would very likely be a terrible first project.

@imsnif imsnif added the help wanted Extra attention is needed label Jan 5, 2020
@imsnif imsnif changed the title reduce risk of running app under sudo Separate network sniffer to different process to reduce sudo exposure Jan 5, 2020
@imsnif imsnif added the enhancement New feature or request label Jan 11, 2020
@sigmaSd sigmaSd mentioned this issue Feb 10, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@imsnif @arkarkark