Separate network sniffer to different process to reduce sudo exposure · imsnif/bandwhich#76

(4 留言) (2 反應) (0 負責人)Rust (7,686 star) (237 fork)batch import

enhancementhelp wanted

描述

Right now bandwhich is built from 153 packages (from the cargo install count). That's a really large attack surface for an app that's going to run under sudo. Could the app be split into two processes? one of which runs as the user and handles the display, the other (with a smaller number of dependencies) as root to access just the network traffic and pass it to the user process.

I'd really like to be able to run the process as me. Then that process tries to sudo the network grabbing process with the required password if sudo requires it.

貢獻者指南

技術棧: rust
領域: clisecurity
議題類型: feature
難度: 4
預計時間: over 1 week
活動狀態: stale
清晰度: needs investigation
前置要求: RustLinux system programmingIPC concepts
新手友善度: 15
研究方向: Examine the current architecture in src/ to understand how network sniffing and display are integrated. Look for existing socket based IPC or process forking mechanisms. The comments may discuss alternative approaches, such as using a daemon process. Investigate using Unix domain sockets to pass data from a privileged sniffer process to an unprivileged display process, minimizing sudo exposure.