X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/ebb1d71845c89ee9683746668eea2b638652d7f4..6b8ed9649e08215cd2acf7702e178ce41b18d932:/tcpdump.c

diff --git a/tcpdump.c b/tcpdump.c
index 06c0ca13..73bf1387 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -643,12 +643,13 @@ droproot(const char *username, const char *chroot_dir)
 		exit_tcpdump(1);
 	}
 #ifdef HAVE_LIBCAP_NG
-	/* We don't need CAP_SETUID and CAP_SETGID any more. */
+	/* We don't need CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT any more. */
 	capng_updatev(
 		CAPNG_DROP,
 		CAPNG_EFFECTIVE | CAPNG_PERMITTED,
 		CAP_SETUID,
 		CAP_SETGID,
+		CAP_SYS_CHROOT,
 		-1);
 	capng_apply(CAPNG_SELECT_BOTH);
 #endif /* HAVE_LIBCAP_NG */
@@ -1825,6 +1826,13 @@ main(int argc, char **argv)
 				CAP_SETGID,
 				-1);
 		}
+		if (chroot_dir) {
+			capng_update(
+				CAPNG_ADD,
+				CAPNG_PERMITTED | CAPNG_EFFECTIVE,
+				CAP_SYS_CHROOT
+				);
+		}
 
 		if (WFileName) {
 			capng_update(
@@ -2322,6 +2330,7 @@ dump_packet_and_trunc(u_char *user, const struct pcap_pkthdr *h, const u_char *s
 			if (Cflag == 0 && Wflag > 0 && Gflag_count >= Wflag) {
 				(void)fprintf(stderr, "Maximum file limit reached: %d\n",
 				    Wflag);
+				info(1);
 				exit_tcpdump(0);
 				/* NOTREACHED */
 			}