Obligatory advice that you shouldn't run tcpdump, tshark or wireshark as root or with sudo. Instead, set up least privileges (e.g. with capabilities) or at least use the tcpdump flag `-Z` (may be enabled by default at compile time in your distribution). Debian has a group called "wireshark" for this use case by default.
These other responses are great justification to always dig into what someone's threat model is. I've had so many "security" conversations get resolved something like this:
other dev: this is insecure
me: what's your threat model?
other dev: <convoluted, opportunistic-only highly-timing-sensitive scenario that assumes attacker has gained internal network access>
me: you do realize all our boxes have an "admin:password"-esque standard login available and passwordless sudo. if they're on our network they can already just do basically anything.
People (well, devs) love to think about security in very fine-grained detail, and honestly that's good. We should all be thinking about this. But your security is only as good as your weakest link, and when your security policy already literally codifies "we will trust the firewall to make intranet security less annoying/complicated" then unless you want to go change that or your threat model is describing an attack on that security model, then please don't try to get overly clever.
Now - that said - I do wish more orgs just did defense-in-depth from the beginning. It's so easy to provision certs nowadays that there's almost no reason not to do mTLS etc even in something like a homelab setting.
This isn't a convoluted, timing-sensitive scenario; it's more like, there is the possibility that if you have tcpdump running anywhere, an attacker can strobe a packet that will trip a memory corruption vulnerability in some tcpdump printer, which is not, like, out of the realm of possibility.
These tools are parsing untrusted input (tshark and wireshark are parsing a very large number of different protocols), and considering these are all written in a memory unsafe language (C), they are at a high risk of remote command execution vulnerabilities. And since they don't actually require root permissions, just permission to access raw sockets and a few other network related things, it's simply best practices to use as little privileges as possible and only as much as necessary.
While the principle itself is sound, this is seriously exaggerating the threat. I mean sure the tools are written in C, but so is your whole network stack.
Have your prod boxes set up with proper permissions for sure but there's hardly a practical risk doing this in dev/testing.
I find it even more convenient to just add my user account to the correct group. Now I can call tcpdump anytime without having to invoke sudo. I get more security and convenience at the same time, so why not do it? I recommend giving the nmap binary the right capabilities for exactly the same reason.
I agree in theory, but on my personal machine (and probably most other peoples' machines) all the interesting things are accessible by my account anyway. I'm not worried about malware changing my system configuration, I'm worried about a trojan stealing my passwords, keylogger watching what I type, stealer exfiltrating my data, or ransomware encrypting it. All of these don't really need a root account. Maybe the solution would be to use `sudo -u safe_tcpdump_user tcpdump`?
I'm also going to add that I have passwordless sudo, so there's no meaningful difference in my case.
Root escalation was kinda Big Deal in the days of multi-user systems and cohosting. Now I think it's mostly important in the context of breaking out from unprivileged services that would normally have no access to broader filesystem.
Weird security posture to be advertising to the world when two clicks gets me your first and last name
Assuming you care about infosec from your profile, privilege escalation is definitely something you want to avoid especially if you're using these tools in for example a CTF engagement where the first thing I'll be doing is enumerating my adversaries
tcpdump is risky because it parses (way, way) more protocols than your network stack does, and because tcpdump's parsers are tooling-grade code, not kernel network code.
I mean yes it's relatively more risky but no it's not risky enough for me to not do occasional sudo tcpdump -X on an unconfigured machine in a problematic spot. The risk of me getting targeted by tcpdump zero-day while diagnosing some UDP broadcast problem on a LAN is diminutively low. Your situation is likely very different.
No, I mean, I generally agree, it's not high on my list of threat vectors, but the general advice to be mindful about a giant memory-unsafe blob of tooling-grade protocol parsers written by hundreds of different people over 3 decades seems astute.
Tcpdump is a unique codebase, has its own flaws/issues, and most certainly can be vulnerable, even if the overall stack is not.
Run nothing as root, unless absolutely required. And this had nothing to do with C or rust, running rust based software, any software as root, when not required,is unnecessary, and risky as well.
Nothing is safe. Behave that way, or you do your oeg, and yourself, wrong. And its not OK to treat a dev env as fine to get compromised.
Many orgs get borked by someone taking over dev machines, or infra, and sliding in that way.
I think the point is that so what if you don't run these tools as root?
If a malicious actor compromises your normal user account, they can also compromise your configuration files and alias sudo or set up a keylogger or do all kinds of nasty stuff.
Going from standard user to root isn't much of a challenge for all but the most minimal infections in almost every standard setup for common Linux distributions.
Malicious hackers don't need anything other than your current user permissions anyway; your API/ssh keys/crypto wallets are all stored in your home directory or other places a malicious program can get access to.
There are exceptions, but I very much doubt that most people develop on QubesOS levels of Linux security.
There is no practical antivirus software on Linux that will catch anyone sophisticated enough to exploit tcpdump. You need a LOT of know-how to run a "safe" Linux system that you're more likely to learn as a sysadmin than as a developer. Security is hard, especially on the Linux desktop, and it will be as long as attempts to add it are met with responses like "they're trying to take our freedom away".
Common internet resources aren't much better ("just disable selinux") and current solutions for usability problems in this space (i.e. sandboxed applications not being able to access the directories you chose because they don't correspond to what the dev expected) aren't very great either.
I definitely think we should use the resources for secure desktop computing that we do have, which includes running tshark and friends at the lowest level of privilege possible, but I can definitely understand why people ask "why should I bother" when most of their setup runs at Windows XP levels of security out of the box.
> Malicious hackers don't need anything other than your current user permissions anyway; your API/ssh keys/crypto wallets are all stored in your home directory or other places a malicious program can get access to.
I mean, are you really running tcpdump on your local computer? I imagine you would be running it on the server you are trying to debug. So the security setup would plausibly be a bit different than that.
But generally i agree. Good practise not to run things as root, especially this type of tooling, but its not exactly putting your private key into a public git repo level of insecurity by any means.
> I mean, are you really running tcpdump on your local computer?
I did several times when I needed to debug or record some traffic because I couldn't figure out why some application wasn't communicating right. Wireshark quickly got overwhelmed with packets so I used tcpdump instead.
I'm most likely running tcpdump on (near) production servers because it's often a tool of last result, but sometimes it's just the right tool for the job (or just as good a tool as the fancier ones, and why not stick to the universal solution?).
> Run nothing as root, unless absolutely required.
Good advice, to be sure. Especially anything getting network input[1].
In a reddit thread once, I pointed out that there is no need for any server/service program to have any access to the file holding the startup configuration. There really isn't.
If the user needs to write that configuration, use a different program with elevated privileges that do nothing but write that file.
When the server starts up and needs to read config, it should start up as a user with elevated privileges, read the entire file in the first 3 lines of `main()`, then drop privileges and continue execution as normal. It will never be able to access that file during the rest of its execution.
I don't think I've ever had a comment downvoted on reddit so hard!
[1] No need to say "untrusted network input" - all input is untrusted unless you are literally in control of both parties.
This would add complexity and in particular couple the application to a specific combination of operating system/privileges model/file system. How great is the benefit, really? How many things are exploited by the application writing to its own startup config?
It would add fair bit of code, sure, but nicely isolated and not complex: It's three extra lines of code in the main function, and a separate utility to write the config.
Balance that against the fact that the server then never writes its own config - that code is moved into the configuration-writing application, which removes complexity from the server application.
> and in particular couple the application to a specific combination of operating system/privileges model/file system.
It does indeed couple it to those systems that are sufficiently POSIX-like; however if you are writing a server that doesn't run on a Linux or BSD-derived system, you are out in the left field anyway.
> How great is the benefit, really? How many things are exploited by the application writing to its own startup config?
Well, the comment I made was in a thread discussing a vulnerability in the Microsoft Teams application[1] which was exploitable to retrieve the user's secrets[2] from their config file.
So, that particular comment was very much on-topic and in-context.
[1] Not sure if it was on all platforms or not.
[2] Or something - I forget exactly what was leaked.
most methods of getting persistence involve writing to some config file somewhere. Having your app not have rights to write to any sort of config or code files probably is fairly beneficial.
How much is probably going to depends on how everything is configured, what your threat model is, what service it is, and a million other things.
Interesting idea, I quite like it. At the same time we have things like kubernetes, where most people store secrets in the environment variables that every single process in the container can read.
Sometimes when no other options exist, and I need to capture untrusted traffic as root, I use 'tcpdump -i eth0 -s0 -n -w some.pcap' to save the packets to a .pcap. Just recording the frames shouldn't (invoke any parsing code although I have never actually checked). Then I open the .pcap with wire/tshark or even tcpdump in some safer sandbox.
You can also send the pcap to stdout and pipe it to stdin of a tshark running as non-root. And if you provide the right capture filters on tcpdump you can even have the tcpdump in an ssh session piping to a local tshark so you don’t even have to have tshark on the server.
