Don't drop CAP_SYS_CHROOT before chrooting.
index e0237061902a89817cd7866d5deaf97d0dc1a682..4f31c2830e91f4cd2d957ca8750496a3ca9955a3 100644 (file)
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -577,12 +577,13 @@ droproot(const char *username, const char *chroot_dir)
                exit(1);
        }
 #ifdef HAVE_LIBCAP_NG
-       /* We don't need CAP_SETUID and CAP_SETGID any more. */
+       /* We don't need CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT any more. */
        capng_updatev(
                CAPNG_DROP,
                CAPNG_EFFECTIVE | CAPNG_PERMITTED,
                CAP_SETUID,
                CAP_SETGID,
+               CAP_SYS_CHROOT,
                -1);
        capng_apply(CAPNG_SELECT_BOTH);
 #endif /* HAVE_LIBCAP_NG */
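Review bot: The return values of `capng_updatev()` and `capng_apply()` in droproot() are ignored, so if the drop fails the process carries on still holding CAP_SETUID, CAP_SETGID and now CAP_SYS_CHROOT. Both calls report failure through their return value, so this block should fail closed, e.g. `if (capng_apply(CAPNG_SELECT_BOTH) != 0) { fprintf(stderr, "tcpdump: can't drop capabilities\n"); exit(1); }`, with the same test on `capng_updatev()`. The `capng_update(CAPNG_ADD, ..., CAP_SYS_CHROOT)` added in main() in the next hunk is unchecked as well, though a failure there would presumably only show up as a later chroot error. droproot() starts and ends outside this hunk, so I can't see whether the result is verified anywhere else.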
@@ -1592,6 +1593,13 @@ main(int argc, char **argv)
                                CAP_SETGID,
                                -1);
                }
+               if (chroot_dir) {
+                       capng_update(
+                               CAPNG_ADD,
+                               CAPNG_PERMITTED | CAPNG_EFFECTIVE,
+                               CAP_SYS_CHROOT
+                               );
+               }
 
                if (WFileName) {
                        capng_update(
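Review bot: The new `if (chroot_dir)` block in main() keeps CAP_SYS_CHROOT in the permitted and effective sets with no comment saying why it is retained or where it is given up. The only drop visible in this patch is the `capng_updatev(CAPNG_DROP, ...)` call in droproot(), so the pairing is worth stating above the block: `/* Keep CAP_SYS_CHROOT so droproot() can chroot(); droproot() drops it again afterwards. */`. It would also be worth confirming that every path which sets chroot_dir actually reaches droproot(), since otherwise the capability stays for the life of the capture process. main() continues beyond the hunk, so that call site is not visible here.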