Separate network sniffer to different process to reduce sudo exposure · imsnif/bandwhich#76

(4 评论) (2 反应) (0 负责人)Rust (7,686 star) (237 fork)batch import

enhancementhelp wanted

描述

Right now bandwhich is built from 153 packages (from the cargo install count). That's a really large attack surface for an app that's going to run under sudo. Could the app be split into two processes? one of which runs as the user and handles the display, the other (with a smaller number of dependencies) as root to access just the network traffic and pass it to the user process.

I'd really like to be able to run the process as me. Then that process tries to sudo the network grabbing process with the required password if sudo requires it.

贡献者指南

技术栈: rust
领域: clisecurity
议题类型: feature
难度: 4
预计时间: over 1 week
活动状态: stale
清晰度: needs investigation
前置要求: RustLinux system programmingIPC concepts
新手友好度: 15
研究方向: Examine the current architecture in src/ to understand how network sniffing and display are integrated. Look for existing socket based IPC or process forking mechanisms. The comments may discuss alternative approaches, such as using a daemon process. Investigate using Unix domain sockets to pass data from a privileged sniffer process to an unprivileged display process, minimizing sudo exposure.