From d2c7d4e92b665cb6dafe654e51a0b5baa487e6ed Mon Sep 17 00:00:00 2001
From: Paul Ferrell
Date: Sat, 6 Nov 2010 19:28:10 -0700
Subject: [PATCH] Switch user ID/root directory with -Z before opening savefiles for output.
In addition to Paul's change, I added a comment explaining why we do this, and explaining that doing so after opening the first savefile doesn't help with subsequent savefiles, so you'll have to come up with a better fix if you want the savefiles opened by the original UID or outside the chroot.
Reviewed-By: Guy Harris
---
 CREDITS | 1 +
 tcpdump.c | 35 +++++++++++++++++++++++++----------
 2 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/CREDITS b/CREDITS
index 777682af..427fca54 100644
--- a/CREDITS
+++ b/CREDITS
@@ -140,6 +140,7 @@ Additional people who have contributed patches:
 Paolo Abeni
 Pascal Hennequin
 Pasvorn Boonmark
+ Paul Ferrell
 Paul Mundt
 Paul S. Traina
 Pavlin Radoslavov
diff --git a/tcpdump.c b/tcpdump.c
index 83bfc806..c8da36ba 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -1258,6 +1258,30 @@ main(int argc, char **argv)
 (void)setsignal(SIGHUP, oldhandler);
 #endif /* WIN32 */
+#ifndef WIN32
+ /*
+ * If a user name was specified with "-Z", attempt to switch to
+ * that user's UID. This would probably be used with sudo,
+ * to allow tcpdump to be run in a special restricted
+ * account (if you just want to allow users to open capture
+ * devices, and can't just give users that permission,
+ * you'd make tcpdump set-UID or set-GID).
+ *
+ * Tcpdump doesn't necessarily write only to one savefile;
+ * the general only way to allow a -Z instance to write to
+ * savefiles as the user under whose UID it's run, rather
+ * than as the user specified with -Z, would thus be to switch
+ * to the original user ID before opening a capture file and
+ * then switch back to the -Z user ID after opening the savefile.
+ * Switching to the -Z user ID only after opening the first
+ * savefile doesn't handle the general case.
+ */
+ if (getuid() == 0 || geteuid() == 0) {
+ if (username || chroot_dir)
+ droproot(username, chroot_dir);
+ }
+#endif /* WIN32 */
+
 if (pcap_setfilter(pd, &fcode) < 0)
 error("%s", pcap_geterr(pd));
 if (WFileName) {
@@ -1311,16 +1335,7 @@ main(int argc, char **argv)
 callback = print_packet;
 pcap_userdata = (u_char *)&printinfo;
 }
-#ifndef WIN32
- /*
- * We cannot do this earlier, because we want to be able to open
- * the file (if done) for writing before giving up permissions.
- */
- if (getuid() == 0 || geteuid() == 0) {
- if (username || chroot_dir)
- droproot(username, chroot_dir);
- }
-#endif /* WIN32 */
+
 #ifdef SIGINFO
 /*
 * We can't get statistics when reading from a file rather
--
2.39.5
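Review bot: The new comment above the `droproot()` call in the first hunk explains why the switch cannot wait until after the first savefile is opened, but it never states the consequence for the `WFileName` open that follows: the savefile is now created with the -Z user's permissions and, when `chroot_dir` is set, its path is resolved inside the new root. I would add a line such as `* The savefile is therefore opened as the -Z user and, if a chroot directory was given, inside it.` and correct the wording slip `the general only way` to `the only general way`. Separately, when neither `getuid()` nor `geteuid()` is 0 the `username`/`chroot_dir` request is skipped with no message, so someone relying on -Z for confinement gets no indication that it did not take effect; a warning on that path would help, although the guard is carried over unchanged from the block removed in the second hunk. main() starts and ends outside both hunks, and how droproot() behaves on failure is not visible here.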