100 lines
3.2 KiB
Diff
100 lines
3.2 KiB
Diff
diff -up tcpdump-4.2.1/tcpdump.1.in.eperm tcpdump-4.2.1/tcpdump.1.in
|
|
--- tcpdump-4.2.1/tcpdump.1.in.eperm 2012-05-16 15:46:55.009494388 +0200
|
|
+++ tcpdump-4.2.1/tcpdump.1.in 2012-05-16 15:47:16.860299598 +0200
|
|
@@ -214,6 +214,9 @@ have the name specified with the
|
|
flag, with a number after it, starting at 1 and continuing upward.
|
|
The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,
|
|
not 1,048,576 bytes).
|
|
+
|
|
+Note that when used with \fB\-Z\fR option (enabled by default), privileges
|
|
+are dropped before opening first savefile.
|
|
.TP
|
|
.B \-d
|
|
Dump the compiled packet-matching code in a human readable form to
|
|
@@ -650,7 +653,9 @@ but before opening any savefiles for out
|
|
and the group ID to the primary group of
|
|
.IR user .
|
|
.IP
|
|
-This behavior can also be enabled by default at compile time.
|
|
+This behavior is enabled by default (\fB\-Z tcpdump\fR), and can
|
|
+be disabled by \fB\-Z root\fR.
|
|
+
|
|
.IP "\fI expression\fP"
|
|
.RS
|
|
selects which packets will be dumped.
|
|
diff -up tcpdump-4.2.1/tcpdump.c.eperm tcpdump-4.2.1/tcpdump.c
|
|
--- tcpdump-4.2.1/tcpdump.c.eperm 2012-05-16 15:46:28.321732801 +0200
|
|
+++ tcpdump-4.2.1/tcpdump.c 2012-05-16 15:46:42.642604795 +0200
|
|
@@ -1289,9 +1289,27 @@ main(int argc, char **argv)
|
|
* Switching to the -Z user ID only after opening the first
|
|
* savefile doesn't handle the general case.
|
|
*/
|
|
- if (getuid() == 0 || geteuid() == 0) {
|
|
- if (username || chroot_dir)
|
|
- droproot(username, chroot_dir);
|
|
+
|
|
+ /* If user is running tcpdump as root and wants to write to the savefile,
|
|
+ * we will check if -C is set and if it is, we will drop root
|
|
+ * privileges right away and consequent call to pcap_dump_open()
|
|
+ * will most likely fail for the first file. If -C flag is not set we
|
|
+ * will create file as root then change ownership of file to proper
|
|
+ * user(default tcpdump) and drop root privileges.
|
|
+ */
|
|
+ int chown_flag = 0;
|
|
+ if (WFileName && (getuid() == 0 || geteuid() == 0)) {
|
|
+ if (Cflag != 0) {
|
|
+ if (username || chroot_dir)
|
|
+ droproot(username, chroot_dir);
|
|
+ } else {
|
|
+ chown_flag = 1;
|
|
+ }
|
|
+ } else {
|
|
+ if (getuid() == 0 || geteuid() == 0) {
|
|
+ if (username || chroot_dir)
|
|
+ droproot(username, chroot_dir);
|
|
+ }
|
|
}
|
|
#endif /* WIN32 */
|
|
|
|
@@ -1312,6 +1330,40 @@ main(int argc, char **argv)
|
|
MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, 0);
|
|
|
|
p = pcap_dump_open(pd, dumpinfo.CurrentFileName);
|
|
+
|
|
+ /* Change ownership of file and drop root privileges */
|
|
+ if (chown_flag) {
|
|
+ struct passwd pwd;
|
|
+ struct passwd *p_pwd;
|
|
+ char *username_buf;
|
|
+ long initlen;
|
|
+ size_t len;
|
|
+
|
|
+ initlen = sysconf(_SC_GETPW_R_SIZE_MAX);
|
|
+ if (initlen == -1) {
|
|
+ len = 1024;
|
|
+ } else {
|
|
+ len = (size_t) initlen;
|
|
+ }
|
|
+
|
|
+ username_buf = (char *) malloc(len * sizeof(char));
|
|
+ if (username_buf == NULL) {
|
|
+ error("malloc of username_buf");
|
|
+ }
|
|
+
|
|
+ getpwnam_r(username, &pwd, username_buf, len, &p_pwd);
|
|
+ if (p_pwd == NULL) {
|
|
+ error("Couldn't find user '%s'", username);
|
|
+ }
|
|
+
|
|
+ chown(dumpinfo.CurrentFileName, pwd.pw_uid, pwd.pw_gid);
|
|
+
|
|
+ if (username || chroot_dir)
|
|
+ droproot(username, chroot_dir);
|
|
+
|
|
+ free(username_buf);
|
|
+ }
|
|
+
|
|
if (p == NULL)
|
|
error("%s", pcap_geterr(pd));
|
|
if (Cflag != 0 || Gflag != 0) {
|