Merge pull request #500 from atsampson/master
index 03bf00f1a9d79a75e409f7f07603f6a2af88e327..73bf1387659d7533ae62473a8c0934a5e1a4d793 100644 (file)
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -643,12 +643,13 @@ droproot(const char *username, const char *chroot_dir)
                exit_tcpdump(1);
        }
 #ifdef HAVE_LIBCAP_NG
-       /* We don't need CAP_SETUID and CAP_SETGID any more. */
+       /* We don't need CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT any more. */
        capng_updatev(
                CAPNG_DROP,
                CAPNG_EFFECTIVE | CAPNG_PERMITTED,
                CAP_SETUID,
                CAP_SETGID,
+               CAP_SYS_CHROOT,
                -1);
        capng_apply(CAPNG_SELECT_BOTH);
 #endif /* HAVE_LIBCAP_NG */
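Review bot: The return values of `capng_updatev()` and `capng_apply()` are ignored in this droproot() block, so a failed drop leaves CAP_SETUID, CAP_SETGID and the newly listed CAP_SYS_CHROOT in place with no indication. Both calls report failure with a negative return, and a privilege drop that did not happen should be fatal, as the error path just above is: `if (capng_apply(CAPNG_SELECT_BOTH) < 0) exit_tcpdump(1);`, with the same test on `capng_updatev(...)`. The `capng_update(CAPNG_ADD, ...)` call added in the main() hunk ignores its result in the same way. droproot()'s body starts and ends outside this hunk.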
@@ -1825,6 +1826,13 @@ main(int argc, char **argv)
                                CAP_SETGID,
                                -1);
                }
+               if (chroot_dir) {
+                       capng_update(
+                               CAPNG_ADD,
+                               CAPNG_PERMITTED | CAPNG_EFFECTIVE,
+                               CAP_SYS_CHROOT
+                               );
+               }
 
                if (WFileName) {
                        capng_update(
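Review bot: The added `if (chroot_dir)` block carries no comment saying why CAP_SYS_CHROOT is retained or where it is given up, while the matching drop in droproot() is commented. A line above the `capng_update` call such as `/* Keep CAP_SYS_CHROOT until droproot() has done the chroot; it is dropped there. */` would tie the two halves together. Whether every path that sets chroot_dir actually reaches droproot() is not visible from this hunk and is worth confirming, since otherwise the capability would stay in the permitted set for the life of the process. main()'s body extends outside the hunk on both sides.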