#include <errno.h>
#endif /* WIN32 */
+/* capabilities convinience library */
+#ifdef HAVE_CAP_NG_H
+#include <cap-ng.h>
+#endif /* HAVE_CAP_NG_H */
#include "netdissect.h"
#include "interface.h"
#if defined(DLT_PFLOG) && defined(HAVE_NET_PFVAR_H)
{ pflog_if_print, DLT_PFLOG },
#endif
-#if defined(DLT_PFSYNC) && defined(HAVE_NET_PFVAR_H)
- { pfsync_if_print, DLT_PFSYNC },
-#endif
#ifdef DLT_FR
{ fr_if_print, DLT_FR },
#endif
dlts[n_dlts]);
}
}
+#ifdef HAVE_PCAP_FREE_DATALINKS
pcap_free_datalinks(dlts);
+#endif
exit(0);
}
exit(1);
}
}
+#ifdef HAVE_CAP_NG_H
+ int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG);
+ if (ret < 0) {
+ printf("error : ret %d\n", ret);
+ }
+ /* We don't need CAP_SETUID and CAP_SETGID */
+ capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_SETUID);
+ capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_SETUID);
+ capng_update(CAPNG_DROP, CAPNG_PERMITTED, CAP_SETUID);
+ capng_update(CAPNG_DROP, CAPNG_PERMITTED, CAP_SETUID);
+ capng_apply(CAPNG_SELECT_BOTH);
+
+#else
if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
fprintf(stderr, "tcpdump: Couldn't change to '%.32s' uid=%lu gid=%lu: %s\n",
pcap_strerror(errno));
exit(1);
}
+#endif /* HAVE_CAP_NG_H */
}
else {
fprintf(stderr, "tcpdump: Couldn't find user '%.32s'\n",
packettype = PT_AODV;
else if (strcasecmp(optarg, "carp") == 0)
packettype = PT_CARP;
+ else if (strcasecmp(optarg, "radius") == 0)
+ packettype = PT_RADIUS;
else
error("unknown packet type `%s'", optarg);
break;
* Switching to the -Z user ID only after opening the first
* savefile doesn't handle the general case.
*/
+
+#ifdef HAVE_CAP_NG_H
+ /* We are running as root and we will be writing to savefile */
+ if ((getuid() == 0 || geteuid() == 0) && WFileName) {
+ if (username) {
+ /* Drop all capabilities from effective set */
+ capng_clear(CAPNG_EFFECTIVE);
+ /* Add capabilities we will need*/
+ capng_update(CAPNG_ADD, CAPNG_PERMITTED, CAP_SETUID);
+ capng_update(CAPNG_ADD, CAPNG_PERMITTED, CAP_SETGID);
+ capng_update(CAPNG_ADD, CAPNG_PERMITTED, CAP_DAC_OVERRIDE);
+
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_SETUID);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_SETGID);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE);
+
+ capng_apply(CAPNG_SELECT_BOTH);
+ }
+ }
+#endif /* HAVE_CAP_NG_H */
+
if (getuid() == 0 || geteuid() == 0) {
if (username || chroot_dir)
droproot(username, chroot_dir);
+
}
#endif /* WIN32 */
MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, 0);
p = pcap_dump_open(pd, dumpinfo.CurrentFileName);
+#ifdef HAVE_CAP_NG_H
+ /* Give up capabilities, clear Effective set */
+ capng_clear(CAPNG_EFFECTIVE);
+#endif
if (p == NULL)
error("%s", pcap_geterr(pd));
if (Cflag != 0 || Gflag != 0) {
else
MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0, 0);
+#ifdef HAVE_CAP_NG_H
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE);
+ capng_apply(CAPNG_EFFECTIVE);
+#endif /* HAVE_CAP_NG_H */
dump_info->p = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName);
+#ifdef HAVE_CAP_NG_H
+ capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE);
+ capng_apply(CAPNG_EFFECTIVE);
+#endif /* HAVE_CAP_NG_H */
if (dump_info->p == NULL)
error("%s", pcap_geterr(pd));
}
projects / tcpdump / blobdiff