by tonywebster 3755 days ago
The author used `tcpdump -i lo0 -s 65535 -w info.pcap` which, as a non-root user without sudo, successfully captures loopback traffic in OS X 10.11.3.

I just tried it, and with Chrome and 1Password, I was able to see my auto-filled bank password in the pcap. So, I presume any process on my system, without root privileges, would be able to sniff loopback.

I don't see why 1Password wouldn't use TLS here. This is not good.


Your system is misconfigured.

    > $ tcpdump -i lo0 -s 65535 -w info.pcap
    tcpdump: lo0: You don't have permission to capture on that device
    ((cannot open BPF device) /dev/bpf0: Permission denied)
I'm on OS X 10.11.3:

    $ tcpdump -i lo0 -s 65535 -w info.pcap
    tcpdump: lo0: You don't have permission to capture on that device
    ((cannot open BPF device) /dev/bpf0: Permission denied)

This is a fresh OS X install on a test machine :/
I don't know what to tell you. Normal users can't tcpdump loopback on OSX, or anywhere else.

    > $ ls -l /dev/bpf*
    crw-------  1 root  wheel   23,   0 Feb 29 07:59 /dev/bpf0
    crw-------  1 root  wheel   23,   1 Feb 29 07:59 /dev/bpf1
    crw-------  1 root  wheel   23,   2 Mar  2 11:11 /dev/bpf2
    crw-------  1 root  wheel   23,   3 Mar  2 10:07 /dev/bpf3
    crw-------  1 root  wheel   23,   4 Feb 29 08:11 /dev/bpf4
Works for me too on OS X. sudo is not needed to run tcpdump for any interfaces.

    $ ls -l /dev/bpf*
    crw-rw---- 1 root access_bpf 23, 0 Mar 1 09:18 /dev/bpf0

Edit: Wireshark is installed

Did you install Wireshark? Did you let it reconfigure your system? Is your current user in the "access_bpf" group?

Later

Yes. Your system is misconfigured. Don't let Wireshark do that.

It looks like Wireshark will happily keep your system permanently misconfigured. To fix it, disable

/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist

This actually seems like a much crummier thing than the 1Password non-thing.
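The checks the commenters ran by hand (the mode and group of `/dev/bpf*`, membership in `access_bpf`, presence of the ChmodBPF launch daemon) can be turned into a small audit script. The following is an added example, not code from the thread or from Wireshark; the device paths, the `access_bpf` group name and the plist path are taken from the thread, the sample listing lines are constructed from what commenters pasted, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether the BPF capture devices
# are readable by anyone other than root, and whether the Wireshark ChmodBPF
# launch daemon that re-applies the group mode at boot is installed.

# classify_bpf_mode MODE GROUP
# MODE is the first field of `ls -l` (e.g. crw-rw----), GROUP the group name.
# Prints "world" if the "other" bits allow reading (any process can sniff),
# "group:GROUP" if only members of GROUP can read, "ok" if only root can.
classify_bpf_mode() {
  mode=$1
  group=$2
  # ls -l mode string: char 1 is the type, 2-4 owner, 5-7 group, 8-10 other
  other=$(printf '%s' "$mode" | cut -c8-10)
  grp=$(printf '%s' "$mode" | cut -c5-7)
  case $other in
    *r*) printf 'world\n'; return 0 ;;
  esac
  case $grp in
    *r*) printf 'group:%s\n' "$group"; return 0 ;;
  esac
  printf 'ok\n'
}

# audit_bpf_listing
# Reads `ls -l /dev/bpf*` lines on stdin, prints one "DEVICE VERDICT" line each.
audit_bpf_listing() {
  while read -r mode links owner group rest; do
    [ -n "$mode" ] || continue
    dev=${rest##* }          # the device path is the last field of the line
    printf '%s %s\n' "$dev" "$(classify_bpf_mode "$mode" "$group")"
  done
}

# count_exposed_bpf
# Same stdin as audit_bpf_listing; prints how many devices are not root-only.
count_exposed_bpf() {
  audit_bpf_listing | awk '$2 != "ok" { n++ } END { print n + 0 }'
}

# audit_live_system
# Runs the checks against the running host (macOS paths named in the thread).
audit_live_system() {
  if ls /dev/bpf0 >/dev/null 2>&1; then
    ls -l /dev/bpf* | audit_bpf_listing
  else
    printf 'no /dev/bpf devices found (not macOS/BSD?)\n'
  fi
  if [ -f /Library/LaunchDaemons/org.wireshark.ChmodBPF.plist ]; then
    printf 'ChmodBPF launch daemon present: group mode is re-applied at boot\n'
  fi
  if id -Gn 2>/dev/null | tr ' ' '\n' | grep -qx access_bpf; then
    printf 'current user is in access_bpf: every process it runs can open BPF\n'
  fi
}

# Constructed sample, built from the two listings pasted in the thread:
# a stock device (root-only) and one the Wireshark installer has regrouped.
SAMPLE_LISTING='crw------- 1 root wheel 23, 0 Feb 29 07:59 /dev/bpf0
crw-rw---- 1 root access_bpf 23, 0 Mar 1 09:18 /dev/bpf1'

# Demo against the constructed sample; run audit_live_system for the real host.
printf '%s\n' "$SAMPLE_LISTING" | audit_bpf_listing
```

On the stock listing every device reports `ok`; after the installer's ChmodBPF step the second line reports `group:access_bpf`, which is exactly the state that let the original poster capture `lo0` without sudo. Removing the user from `access_bpf` alone is not enough while the launch daemon remains, since it restores the group mode on the next boot.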

    $ tcpdump -i lo0 -s 65535 -w info.pcap
    tcpdump: lo0: You don't have permission to capture on that device
    ((cannot open BPF device) /dev/bpf0: Permission denied)
Looks like you're logged in on a superuser account or have otherwise somehow disabled some security settings.
I also can't access loopback on 10.11.3, I get this exact error. And I'm running as an Administrator account.
Yeah, it's that they installed Wireshark, and gave it privileges to chown the loopback interfaces.

edit: Irony here is that Wireshark is doing something far more dangerous than 1password.

It's either a) change the group on the /dev/bpf entries and add your user to that group or b) run Wireshark as root.
b) would in general be a lot safer, in that you're elevating one process rather than lowering a privileged interface so that every process you run can sniff it.
Correct - Least Privilege says you do the absolute least you need to do in order to make things work, so that any errors are limited to that one part of the system.

What's been done here by Wireshark isn't least privilege, or secure. It's like the opposite of least privilege and security.

On Linux you can give an executable admin access to network devices with setcap which narrows it down further. Is the same possible on OS X?

Edit: Actually this is worse than running as root, isn't it!

setcap is in principle better than setuid if your program is something like ping. Or in this case, Wireshark.