tech-userlevel archive
Re: tcpdump: drop privileges by default?
On Thu, Sep 10, 2009 at 08:25:40AM +0200, Alan Barrett wrote:
> Instead of removing those lines from the man page, please explain what
> the new default is, and how it interacts with the "-Z" option.
The adjusted diff below briefly documents the new behavior.
- Jukka
PS. This would be better off in netbsd-users@, but I've always wondered what
the logic is behind pseudo-users prefixed with an underscore and those
without such a prefix?
Index: src/dist/tcpdump/tcpdump.8
===================================================================
RCS file: /cvsroot/src/dist/tcpdump/tcpdump.8,v
retrieving revision 1.16
diff -u -p -r1.16 tcpdump.8
--- src/dist/tcpdump/tcpdump.8 24 Jul 2007 12:41:07 -0000 1.16
+++ src/dist/tcpdump/tcpdump.8 10 Sep 2009 11:27:18 -0000
@@ -590,12 +590,15 @@ Set the data link type to use while capt
The available data link types may be found using the \-L option.
.TP
.B \-Z
-Drops privileges (if root) and changes user ID to
-.I user
-and the group ID to the primary group of
-.IR user .
-.IP
-This behavior can also be enabled by default at compile time.
+By default,
+.I tcpdump
+operates in NetBSD under the privileges of the user ``_tcpdump''.
+Before the user ID and the corresponding primary group ID are changed,
+.I tcpdump
+will change the root directory to \fI/var/chroot/tcpdump\fP.
+By using the option
+.B \-Z
+the real and effective user and group IDs can be changed to ``user'' instead.
.IP "\fI expression\fP"
.RS
selects which packets will be dumped.
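Review bot: The rewritten -Z text drops the "(if root)" qualifier from the old wording, so the page no longer says what happens when tcpdump is started by an unprivileged user; please keep that condition in the new first sentence. The last sentence is also ambiguous about the chroot: "can be changed to ``user'' instead" does not say whether the change of root directory to /var/chroot/tcpdump still happens when -Z is given. Finally, the argument is now written as the literal ``user'' where the old text used ".I user"; keeping the .I markup would match the rest of the page.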
Index: src/etc/group
===================================================================
RCS file: /cvsroot/src/etc/group,v
retrieving revision 1.23
diff -u -p -r1.23 group
--- src/etc/group 16 Oct 2007 02:47:14 -0000 1.23
+++ src/etc/group 10 Sep 2009 11:27:19 -0000
@@ -20,6 +20,7 @@ _proxy:*:21:
_timedc:*:22:
_sdpd:*:23:
_httpd:*:24:
+_tcpdump:*:25:
guest:*:31:root
nobody:*:39:
utmp:*:45:
Index: src/etc/master.passwd
===================================================================
RCS file: /cvsroot/src/etc/master.passwd,v
retrieving revision 1.39
diff -u -p -r1.39 master.passwd
--- src/etc/master.passwd 16 Oct 2007 02:47:14 -0000 1.39
+++ src/etc/master.passwd 10 Sep 2009 11:27:19 -0000
@@ -14,5 +14,6 @@ _proxy:*:21:21::0:0:Proxy Services:/none
_timedc:*:22:22::0:0:& pseudo-user:/nonexistent:/sbin/nologin
_sdpd:*:23:23::0:0:& pseudo-user:/nonexistent:/sbin/nologin
_httpd:*:24:24::0:0:& pseudo-user:/var/www:/sbin/nologin
+_tcpdump:*:25:25::0:0:& pseudo-user:/var/chroot/tcpdump:/sbin/nologin
uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/nonexistent:/sbin/nologin
nobody:*:32767:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin
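Review bot: The home directory field of the new _tcpdump entry is /var/chroot/tcpdump, while the neighbouring _timedc and _sdpd pseudo-users use /nonexistent. The chroot path is already fixed at build time through WITH_CHROOT in the Makefile hunk, so this is a further copy of the same path that has to be kept in sync. Unless something reads the home directory of this account, /nonexistent would be consistent with the other nologin pseudo-users; if the value is intentional, a line in the commit message saying why would help.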
Index: src/etc/mtree/special
===================================================================
RCS file: /cvsroot/src/etc/mtree/special,v
retrieving revision 1.129
diff -u -p -r1.129 special
--- src/etc/mtree/special 25 Jul 2009 16:20:10 -0000 1.129
+++ src/etc/mtree/special 10 Sep 2009 11:27:21 -0000
@@ -393,6 +393,7 @@
./var/chroot/ntpd/var/run type=dir mode=0775 gname=ntpd
./var/chroot/pflogd type=dir mode=0755
./var/chroot/sshd type=dir mode=0755
+./var/chroot/tcpdump type=dir mode=0755
./var/chroot/tftp-proxy type=dir mode=0755
./var/cron type=dir mode=0755
./var/cron/tabs type=dir mode=0700
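Review bot: The new ./var/chroot/tcpdump entry sets mode=0755 but no uname or gname, unlike the ntpd line above it, which sets gname=ntpd. Since this directory becomes the root of the process running as _tcpdump, please confirm that the inherited defaults leave it owned by root and not writable by _tcpdump, and say so in the commit message so that nobody later adds a gname=_tcpdump with a group-writable mode here.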
Index: src/usr.sbin/tcpdump/Makefile
===================================================================
RCS file: /cvsroot/src/usr.sbin/tcpdump/Makefile,v
retrieving revision 1.49
diff -u -p -r1.49 Makefile
--- src/usr.sbin/tcpdump/Makefile 22 Apr 2009 15:23:09 -0000 1.49
+++ src/usr.sbin/tcpdump/Makefile 10 Sep 2009 11:28:20 -0000
@@ -75,6 +75,9 @@ CPPFLAGS+=-DLBL_ALIGN=1
CPPFLAGS+=-DTCPDUMP_DO_SMB=1
CPPFLAGS+=-D_U_="__attribute__((unused))"
+CPPFLAGS+=-DWITH_USER=\"_tcpdump\"
+CPPFLAGS+=-DWITH_CHROOT=\"/var/chroot/tcpdump\"
+
.if (${USE_INET6} != "no")
SRCS+= print-ip6.c print-ip6opts.c print-ripng.c print-icmp6.c print-frag6.c \
print-rt6.c print-ospf6.c print-dhcp6.c
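Review bot: WITH_USER and WITH_CHROOT are added unconditionally and as bare string literals, with no comment. The values "_tcpdump" and "/var/chroot/tcpdump" must match the entries added to master.passwd, group and mtree/special in the same patch, so a short comment above the two CPPFLAGS lines naming those files would make the dependency visible to whoever edits either side later. It is also worth stating in the comment that -Z overrides the user at run time, as the man page hunk documents.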