From ec4e1a40fcf43d96a121a1ead877f2db4953dabb Mon Sep 17 00:00:00 2001

From: rpm-build <rpm-build>

Date: Wed, 25 Mar 2015 13:13:49 +0100

Subject: [PATCH] Drop root priviledges before opening first savefile if

 running with -Z root

---

 tcpdump.1.in |  7 ++++++-

 tcpdump.c    | 35 ++++++++++++++++++++++++++++++++---

 2 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/tcpdump.1.in b/tcpdump.1.in

index f9522cb..3f1bc5f 100644

--- a/tcpdump.1.in

+++ b/tcpdump.1.in

@@ -249,6 +249,9 @@ have the name specified with the

 flag, with a number after it, starting at 1 and continuing upward.

 The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,

 not 1,048,576 bytes).

+

+Note that when used with \fB\-Z\fR option (enabled by default), privileges

+are dropped before opening first savefile.

 .TP

 .B \-d

 Dump the compiled packet-matching code in a human readable form to

@@ -865,7 +868,9 @@ but before opening any savefiles for output, change the user ID to

 and the group ID to the primary group of

 .IR user .

 .IP

-This behavior can also be enabled by default at compile time.

+This behavior is enabled by default (\fB\-Z tcpdump\fR), and can

+be disabled by \fB\-Z root\fR.

+

 .IP "\fI expression\fP"

 .RS

 selects which packets will be dumped.

diff --git a/tcpdump.c b/tcpdump.c

index 2fd1617..4cbeb05 100644

--- a/tcpdump.c

+++ b/tcpdump.c

@@ -1029,6 +1029,7 @@ main(int argc, char **argv)

 	cap_rights_t rights;

 	int cansandbox;

 #endif	/* HAVE_CAPSICUM */

+        int chown_flag = 0;

 #ifdef WIN32

 	if(wsockinit() != 0) return 1;

@@ -1841,10 +1842,23 @@ main(int argc, char **argv)

 		}

 		capng_apply(CAPNG_SELECT_BOTH);

 #endif /* HAVE_LIBCAP_NG */

-		if (username || chroot_dir)

-			droproot(username, chroot_dir);

+		/* If user is running tcpdump as root and wants to write to the savefile,

+		 * we will check if -C is set and if it is, we will drop root

+		 * privileges right away and consequent call to	pcap_dump_open()

+		 * will most likely fail for the first file. If -C flag is not set we

+		 * will create file as root then change ownership of file to proper

+		 * user(default tcpdump) and drop root privileges.

+		 */

+		if (WFileName)

+			if (Cflag && (username || chroot_dir))

+				droproot(username, chroot_dir);

+			else

+				chown_flag = 1;

+		else

+			if (username || chroot_dir)

+                                droproot(username, chroot_dir);

+        }

-	}

 #endif /* WIN32 */

 	if (pcap_setfilter(pd, &fcode) < 0)

@@ -1879,6 +1893,21 @@ main(int argc, char **argv)

 		  MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, 0);

 		p = pcap_dump_open(pd, dumpinfo.CurrentFileName);

+

+		/* Change ownership of file and drop root privileges */

+		if (chown_flag) {

+			struct passwd *pwd;

+

+			pwd = getpwnam(username);

+			if (!pwd)

+				error("Couldn't find user '%s'", username);

+

+			if (strcmp(WFileName, "-") && chown(dumpinfo.CurrentFileName, pwd->pw_uid, pwd->pw_gid) < 0)

+				error("Couldn't change ownership of savefile");

+

+			if (username || chroot_dir)

+				droproot(username, chroot_dir);

+		}

 #ifdef HAVE_LIBCAP_NG

 		/* Give up CAP_DAC_OVERRIDE capability.

 		 * Only allow it to be restored if the -C or -G flag have been

--

2.3.4