From: Paul Ferrell
Date: Sun, 7 Nov 2010 02:28:10 +0000 (-0700)
Subject: Switch user ID/root directory with -Z before opening savefiles for output.
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/7d1f7c8db46f87de584bbcdf118d99d02eba57b9

Switch user ID/root directory with -Z before opening savefiles for output.

In addition to Paul's change, I added a comment explaining why we do this, and explaining that doing so after opening the first savefile doesn't help with subsequent savefiles, so you'll have to come up with a better fix if you want the savefiles opened by the original UID or outside the chroot.

Reviewed-By: Guy Harris
---

diff --git a/CREDITS b/CREDITS index 7f9df598..5831a3a7 100644 --- a/CREDITS +++ b/CREDITS @@ -138,6 +138,7 @@ Additional people who have contributed patches: Paolo Abeni Pascal Hennequin Pasvorn Boonmark + Paul Ferrell Paul Mundt Paul S. Traina Pavlin Radoslavov diff --git a/tcpdump.c b/tcpdump.c index 7eb3d592..a347bc2c 100644 --- a/tcpdump.c +++ b/tcpdump.c
@@ -1252,6 +1252,30 @@ main(int argc, char **argv) (void)setsignal(SIGHUP, oldhandler); #endif /* WIN32 */ +#ifndef WIN32 + /* + * If a user name was specified with "-Z", attempt to switch to + * that user's UID. This would probably be used with sudo, + * to allow tcpdump to be run in a special restricted + * account (if you just want to allow users to open capture + * devices, and can't just give users that permission, + * you'd make tcpdump set-UID or set-GID). + * + * Tcpdump doesn't necessarily write only to one savefile; + * the general only way to allow a -Z instance to write to + * savefiles as the user under whose UID it's run, rather + * than as the user specified with -Z, would thus be to switch + * to the original user ID before opening a capture file and + * then switch back to the -Z user ID after opening the savefile. + * Switching to the -Z user ID only after opening the first + * savefile doesn't handle the general case. + */ + if (getuid() == 0 || geteuid() == 0) { + if (username || chroot_dir) + droproot(username, chroot_dir); + } +#endif /* WIN32 */ + if (pcap_setfilter(pd, &fcode) < 0) error("%s", pcap_geterr(pd)); if (WFileName) { @@ -1305,16 +1329,7 @@ main(int argc, char **argv) callback = print_packet; pcap_userdata = (u_char *)&printinfo; } -#ifndef WIN32 - /* - * We cannot do this earlier, because we want to be able to open - * the file (if done) for writing before giving up permissions. - */ - if (getuid() == 0 || geteuid() == 0) { - if (username || chroot_dir) - droproot(username, chroot_dir); - } -#endif /* WIN32 */ + #ifdef SIGINFO /* * We can't get statistics when reading from a file rather
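
Review bot: The tcpdump.c hunk at -1252 changes user-visible behaviour without documenting it outside the source comment. `droproot(username, chroot_dir)` now runs before the `if (WFileName)` block, so every savefile, including the first, is opened as the -Z user and resolved under the new root directory when one is set. A user who relied on the old ordering (the removed comment said the file was opened "before giving up permissions") will now get an open failure if the output directory is writable only by root or lies outside the chroot. Only CREDITS and tcpdump.c are touched here; please add a sentence to the -Z description in the man page saying that the savefile path must be writable by the -Z user and reachable from the chroot directory. Minor wording point in the added comment: "the general only way" should read "the only general way".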