[tcpdump] Fix file permissions and ownership #809368
Michal Sekletar
msekleta at fedoraproject.org
Wed May 16 14:31:53 UTC 2012
commit aca9b7aa9d0f6aaa79e745f83df31f42a16c30b2
Author: Michal Sekletar <msekleta at redhat.com>
Date: Wed May 16 16:30:56 2012 +0200
Fix file permissions and ownership #809368
tcpdump-4.2.1-eperm.patch | 99 +++++++++++++++++++++++++++++++++++++++++++++
tcpdump.spec | 20 ++++++---
2 files changed, 112 insertions(+), 7 deletions(-)
---
diff --git a/tcpdump-4.2.1-eperm.patch b/tcpdump-4.2.1-eperm.patch
new file mode 100644
index 0000000..431edef
--- /dev/null
+++ b/tcpdump-4.2.1-eperm.patch
@@ -0,0 +1,99 @@
+diff -up tcpdump-4.2.1/tcpdump.1.in.eperm tcpdump-4.2.1/tcpdump.1.in
+--- tcpdump-4.2.1/tcpdump.1.in.eperm 2012-05-16 15:46:55.009494388 +0200
++++ tcpdump-4.2.1/tcpdump.1.in 2012-05-16 15:47:16.860299598 +0200
+@@ -214,6 +214,9 @@ have the name specified with the
+ flag, with a number after it, starting at 1 and continuing upward.
+ The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,
+ not 1,048,576 bytes).
++
++Note that when used with \fB\-Z\fR option (enabled by default), privileges
++are dropped before opening first savefile.
+ .TP
+ .B \-d
+ Dump the compiled packet-matching code in a human readable form to
+@@ -650,7 +653,9 @@ but before opening any savefiles for out
+ and the group ID to the primary group of
+ .IR user .
+ .IP
+-This behavior can also be enabled by default at compile time.
++This behavior is enabled by default (\fB\-Z tcpdump\fR), and can
++be disabled by \fB\-Z root\fR.
++
+ .IP "\fI expression\fP"
+ .RS
+ selects which packets will be dumped.
+diff -up tcpdump-4.2.1/tcpdump.c.eperm tcpdump-4.2.1/tcpdump.c
+--- tcpdump-4.2.1/tcpdump.c.eperm 2012-05-16 15:46:28.321732801 +0200
++++ tcpdump-4.2.1/tcpdump.c 2012-05-16 15:46:42.642604795 +0200
+@@ -1289,9 +1289,27 @@ main(int argc, char **argv)
+ * Switching to the -Z user ID only after opening the first
+ * savefile doesn't handle the general case.
+ */
+- if (getuid() == 0 || geteuid() == 0) {
+- if (username || chroot_dir)
+- droproot(username, chroot_dir);
++
++ /* If user is running tcpdump as root and wants to write to the savefile,
++ * we will check if -C is set and if it is, we will drop root
++ * privileges right away and consequent call to pcap_dump_open()
++ * will most likely fail for the first file. If -C flag is not set we
++ * will create file as root then change ownership of file to proper
++ * user(default tcpdump) and drop root privileges.
++ */
++ int chown_flag = 0;
++ if (WFileName && (getuid() == 0 || geteuid() == 0)) {
++ if (Cflag != 0) {
++ if (username || chroot_dir)
++ droproot(username, chroot_dir);
++ } else {
++ chown_flag = 1;
++ }
++ } else {
++ if (getuid() == 0 || geteuid() == 0) {
++ if (username || chroot_dir)
++ droproot(username, chroot_dir);
++ }
+ }
+ #endif /* WIN32 */
+
+@@ -1312,6 +1330,40 @@ main(int argc, char **argv)
+ MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, 0);
+
+ p = pcap_dump_open(pd, dumpinfo.CurrentFileName);
++
++ /* Change ownership of file and drop root privileges */
++ if (chown_flag) {
++ struct passwd pwd;
++ struct passwd *p_pwd;
++ char *username_buf;
++ long initlen;
++ size_t len;
++
++ initlen = sysconf(_SC_GETPW_R_SIZE_MAX);
++ if (initlen == -1) {
++ len = 1024;
++ } else {
++ len = (size_t) initlen;
++ }
++
++ username_buf = (char *) malloc(len * sizeof(char));
++ if (username_buf == NULL) {
++ error("malloc of username_buf");
++ }
++
++ getpwnam_r(username, &pwd, username_buf, len, &p_pwd);
++ if (p_pwd == NULL) {
++ error("Couldn't find user '%s'", username);
++ }
++
++ chown(dumpinfo.CurrentFileName, pwd.pw_uid, pwd.pw_gid);
++
++ if (username || chroot_dir)
++ droproot(username, chroot_dir);
++
++ free(username_buf);
++ }
++
+ if (p == NULL)
+ error("%s", pcap_geterr(pd));
+ if (Cflag != 0 || Gflag != 0) {
diff --git a/tcpdump.spec b/tcpdump.spec
index 3905ad2..c0d1d3c 100644
--- a/tcpdump.spec
+++ b/tcpdump.spec
@@ -2,7 +2,7 @@ Summary: A network traffic monitoring tool
Name: tcpdump
Epoch: 14
Version: 4.2.1
-Release: 2%{?dist}
+Release: 3%{?dist}
License: BSD with advertising
URL: http://www.tcpdump.org
Group: Applications/Internet
@@ -16,9 +16,10 @@ Source1: ftp://ftp.ee.lbl.gov/tcpslice-1.2a3.tar.gz
Patch1: tcpdump-4.0.0-portnumbers.patch
Patch2: tcpdump-4.0.0-icmp6msec.patch
Patch3: tcpdump-3.9.8-gethostby.patch
-Patch4: tcpslice-1.2a3-time.patch
-Patch5: tcpslice-CVS.20010207-bpf.patch
-Patch6: tcpslice-1.2a3-dateformat.patch
+Patch4: tcpdump-4.2.1-eperm.patch
+Patch5: tcpslice-1.2a3-time.patch
+Patch6: tcpslice-CVS.20010207-bpf.patch
+Patch7: tcpslice-1.2a3-dateformat.patch
%define tcpslice_dir tcpslice-1.2a3
@@ -36,11 +37,12 @@ Install tcpdump if you need a program to monitor network traffic.
%patch1 -p1 -b .portnumbers
%patch2 -p1 -b .icmp6msec
%patch3 -p1 -b .gethostby
+%patch4 -p1 -b .eperm
pushd %{tcpslice_dir}
-%patch4 -p1 -b .time
-%patch5 -p1 -b .bpf
-%patch6 -p1 -b .dateformat
+%patch5 -p1 -b .time
+%patch6 -p1 -b .bpf
+%patch7 -p1 -b .dateformat
popd
find . -name '*.c' -o -name '*.h' | xargs chmod 644
@@ -93,6 +95,10 @@ exit 0
%{_mandir}/man8/tcpdump.8*
%changelog
+* Wed May 16 2012 Michal Sekletar <msekleta at redhat.com>
+- Resolves: #809638
+- created savefile has proper owner
+
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 14:4.2.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
More information about the scm-commits
mailing list