#include <errno.h>
#endif /* WIN32 */
+/* capabilities convinience library */
+#ifdef HAVE_CAP_NG_H
+#include <cap-ng.h>
+#endif /* HAVE_CAP_NG_H */
#include "netdissect.h"
#include "interface.h"
#define NAME_MAX 255
#endif
+#ifdef SIGINFO
+#define SIGNAL_REQ_INFO SIGINFO
+#elif SIGUSR1
+#define SIGNAL_REQ_INFO SIGUSR1
+#endif
+
netdissect_options Gndo;
netdissect_options *gndo = &Gndo;
static void dump_packet_and_trunc(u_char *, const struct pcap_pkthdr *, const u_char *);
static void dump_packet(u_char *, const struct pcap_pkthdr *, const u_char *);
static void droproot(const char *, const char *);
-static void ndo_error(netdissect_options *ndo, const char *fmt, ...);
+static void ndo_error(netdissect_options *ndo, const char *fmt, ...)
+ __attribute__ ((noreturn, format (printf, 2, 3)));
static void ndo_warning(netdissect_options *ndo, const char *fmt, ...);
-#ifdef SIGINFO
+#ifdef SIGNAL_REQ_INFO
RETSIGTYPE requestinfo(int);
#endif
#endif
#ifdef DLT_PPI
{ ppi_if_print, DLT_PPI },
+#endif
+#ifdef DLT_NETANALYZER
+ { netanalyzer_if_print, DLT_NETANALYZER },
+#endif
+#ifdef DLT_NETANALYZER_TRANSPARENT
+ { netanalyzer_transparent_if_print, DLT_NETANALYZER_TRANSPARENT },
#endif
{ NULL, 0 },
};
dlts[n_dlts]);
}
}
+#ifdef HAVE_PCAP_FREE_DATALINKS
pcap_free_datalinks(dlts);
+#endif
exit(0);
}
exit(1);
}
}
+#ifdef HAVE_CAP_NG_H
+ int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG);
+ if (ret < 0) {
+ printf("error : ret %d\n", ret);
+ }
+ /* We don't need CAP_SETUID and CAP_SETGID */
+ capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_SETUID);
+ capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_SETUID);
+ capng_update(CAPNG_DROP, CAPNG_PERMITTED, CAP_SETUID);
+ capng_update(CAPNG_DROP, CAPNG_PERMITTED, CAP_SETUID);
+ capng_apply(CAPNG_SELECT_BOTH);
+
+#else
if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
fprintf(stderr, "tcpdump: Couldn't change to '%.32s' uid=%lu gid=%lu: %s\n",
pcap_strerror(errno));
exit(1);
}
+#endif /* HAVE_CAP_NG_H */
}
else {
fprintf(stderr, "tcpdump: Couldn't find user '%.32s'\n",
smiInit("tcpdump");
#endif
- opterr = 0;
while (
- (op = getopt(argc, argv, "aAb" B_FLAG "c:C:d" D_FLAG "eE:fF:G:hi:" I_FLAG j_FLAG J_FLAG "KlLm:M:nNOpqr:Rs:StT:u" U_FLAG "vw:W:xXy:Yz:Z:")) != -1)
+ (op = getopt(argc, argv, "aAb" B_FLAG "c:C:d" D_FLAG "eE:fF:G:hHi:" I_FLAG j_FLAG J_FLAG "KlLm:M:nNOpqr:Rs:StT:u" U_FLAG "vw:W:xXy:Yz:Z:")) != -1)
switch (op) {
case 'a':
break;
case 'h':
- ++hflag;
+ usage();
+ break;
+
+ case 'H':
+ ++Hflag;
break;
case 'i':
packettype = PT_TFTP;
else if (strcasecmp(optarg, "aodv") == 0)
packettype = PT_AODV;
+ else if (strcasecmp(optarg, "carp") == 0)
+ packettype = PT_CARP;
+ else if (strcasecmp(optarg, "radius") == 0)
+ packettype = PT_RADIUS;
else
error("unknown packet type `%s'", optarg);
break;
* Switching to the -Z user ID only after opening the first
* savefile doesn't handle the general case.
*/
+
+#ifdef HAVE_CAP_NG_H
+ /* We are running as root and we will be writing to savefile */
+ if ((getuid() == 0 || geteuid() == 0) && WFileName) {
+ if (username) {
+ /* Drop all capabilities from effective set */
+ capng_clear(CAPNG_EFFECTIVE);
+ /* Add capabilities we will need*/
+ capng_update(CAPNG_ADD, CAPNG_PERMITTED, CAP_SETUID);
+ capng_update(CAPNG_ADD, CAPNG_PERMITTED, CAP_SETGID);
+ capng_update(CAPNG_ADD, CAPNG_PERMITTED, CAP_DAC_OVERRIDE);
+
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_SETUID);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_SETGID);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE);
+
+ capng_apply(CAPNG_SELECT_BOTH);
+ }
+ }
+#endif /* HAVE_CAP_NG_H */
+
if (getuid() == 0 || geteuid() == 0) {
if (username || chroot_dir)
droproot(username, chroot_dir);
+
}
#endif /* WIN32 */
MakeFilename(dumpinfo.CurrentFileName, WFileName, 0, 0);
p = pcap_dump_open(pd, dumpinfo.CurrentFileName);
+#ifdef HAVE_CAP_NG_H
+ /* Give up capabilities, clear Effective set */
+ capng_clear(CAPNG_EFFECTIVE);
+#endif
if (p == NULL)
error("%s", pcap_geterr(pd));
if (Cflag != 0 || Gflag != 0) {
pcap_userdata = (u_char *)&printinfo;
}
-#ifdef SIGINFO
+#ifdef SIGNAL_REQ_INFO
/*
* We can't get statistics when reading from a file rather
* than capturing from a device.
*/
if (RFileName == NULL)
- (void)setsignal(SIGINFO, requestinfo);
+ (void)setsignal(SIGNAL_REQ_INFO, requestinfo);
#endif
if (vflag > 0 && WFileName) {
else
MakeFilename(dump_info->CurrentFileName, dump_info->WFileName, 0, 0);
+#ifdef HAVE_CAP_NG_H
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE);
+ capng_apply(CAPNG_EFFECTIVE);
+#endif /* HAVE_CAP_NG_H */
dump_info->p = pcap_dump_open(dump_info->pd, dump_info->CurrentFileName);
+#ifdef HAVE_CAP_NG_H
+ capng_update(CAPNG_DROP, CAPNG_EFFECTIVE, CAP_DAC_OVERRIDE);
+ capng_apply(CAPNG_EFFECTIVE);
+#endif /* HAVE_CAP_NG_H */
if (dump_info->p == NULL)
error("%s", pcap_geterr(pd));
}
ndo_default_print(gndo, bp, length);
}
-#ifdef SIGINFO
+#ifdef SIGNAL_REQ_INFO
RETSIGTYPE requestinfo(int signo _U_)
{
if (infodelay)
#endif /* WIN32 */
#endif /* HAVE_PCAP_LIB_VERSION */
(void)fprintf(stderr,
-"Usage: %s [-aAbd" D_FLAG "efh" I_FLAG J_FLAG "KlLnNOpqRStu" U_FLAG "vxX]" B_FLAG_USAGE " [ -c count ]\n", program_name);
+"Usage: %s [-aAbd" D_FLAG "efhH" I_FLAG J_FLAG "KlLnNOpqRStu" U_FLAG "vxX]" B_FLAG_USAGE " [ -c count ]\n", program_name);
(void)fprintf(stderr,
"\t\t[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]\n");
(void)fprintf(stderr,
projects / tcpdump / blobdiff