tech-userlevel archive


Re: tcpdump: drop privileges by default?



On Thu, Sep 10, 2009 at 08:25:40AM +0200, Alan Barrett wrote:
> Instead of removing those lines from the man page, please explain what
> the new default is, and how it interacts with the "-Z" option.

The adjusted diff below briefly documents the new behavior.

- Jukka

PS. This would be better off in netbsd-users@, but I've always wondered what
the logic is behind pseudo-users prefixed with an underscore and those
without such a prefix?


Index: src/dist/tcpdump/tcpdump.8
===================================================================
RCS file: /cvsroot/src/dist/tcpdump/tcpdump.8,v
retrieving revision 1.16
diff -u -p -r1.16 tcpdump.8
--- src/dist/tcpdump/tcpdump.8  24 Jul 2007 12:41:07 -0000      1.16
+++ src/dist/tcpdump/tcpdump.8  10 Sep 2009 11:27:18 -0000
@@ -590,12 +590,15 @@ Set the data link type to use while capt
 The available data link types may be found using the \-L option.
 .TP
 .B \-Z
-Drops privileges (if root) and changes user ID to
-.I user
-and the group ID to the primary group of
-.IR user .
-.IP
-This behavior can also be enabled by default at compile time.
+By default,
+.I tcpdump
+operates in NetBSD under the privileges of the user ``_tcpdump''.
+Before the user ID and the corresponding primary group ID are changed,
+.I tcpdump
+will change the root directory to \fI/var/chroot/tcpdump\fP.
+By using the option
+.B \-Z
+the real and effective user and group IDs can be changed to ``user'' instead.
 .IP "\fI expression\fP"
 .RS
 selects which packets will be dumped.
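Review bot: the replacement -Z text drops the "(if root)" qualifier that the removed lines carried and leaves two things undefined: what happens when tcpdump is started without root, and whether -Z changes only the user and group IDs while the chroot to /var/chroot/tcpdump still applies (the wording "can be changed to ``user'' instead" reads as if -Z disables the whole default). Suggest stating both explicitly, keeping the argument as .I user rather than ``user'' to match the rest of the page, and writing "on NetBSD" rather than "in NetBSD". Because the root directory is changed before the IDs, any file tcpdump opens afterwards is resolved under /var/chroot/tcpdump; one sentence saying so for the -w output file would save users a confusing ENOENT or EACCES.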
Index: src/etc/group
===================================================================
RCS file: /cvsroot/src/etc/group,v
retrieving revision 1.23
diff -u -p -r1.23 group
--- src/etc/group       16 Oct 2007 02:47:14 -0000      1.23
+++ src/etc/group       10 Sep 2009 11:27:19 -0000
@@ -20,6 +20,7 @@ _proxy:*:21:
 _timedc:*:22:
 _sdpd:*:23:
 _httpd:*:24:
+_tcpdump:*:25:
 guest:*:31:root
 nobody:*:39:
 utmp:*:45:
Index: src/etc/master.passwd
===================================================================
RCS file: /cvsroot/src/etc/master.passwd,v
retrieving revision 1.39
diff -u -p -r1.39 master.passwd
--- src/etc/master.passwd       16 Oct 2007 02:47:14 -0000      1.39
+++ src/etc/master.passwd       10 Sep 2009 11:27:19 -0000
@@ -14,5 +14,6 @@ _proxy:*:21:21::0:0:Proxy Services:/none
 _timedc:*:22:22::0:0:& pseudo-user:/nonexistent:/sbin/nologin
 _sdpd:*:23:23::0:0:& pseudo-user:/nonexistent:/sbin/nologin
 _httpd:*:24:24::0:0:& pseudo-user:/var/www:/sbin/nologin
+_tcpdump:*:25:25::0:0:& pseudo-user:/var/chroot/tcpdump:/sbin/nologin
 uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/nonexistent:/sbin/nologin
 nobody:*:32767:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin
Index: src/etc/mtree/special
===================================================================
RCS file: /cvsroot/src/etc/mtree/special,v
retrieving revision 1.129
diff -u -p -r1.129 special
--- src/etc/mtree/special       25 Jul 2009 16:20:10 -0000      1.129
+++ src/etc/mtree/special       10 Sep 2009 11:27:21 -0000
@@ -393,6 +393,7 @@
 ./var/chroot/ntpd/var/run      type=dir  mode=0775 gname=ntpd
 ./var/chroot/pflogd            type=dir  mode=0755
 ./var/chroot/sshd              type=dir  mode=0755
+./var/chroot/tcpdump            type=dir  mode=0755
 ./var/chroot/tftp-proxy                type=dir  mode=0755
 ./var/cron                     type=dir  mode=0755
 ./var/cron/tabs                        type=dir  mode=0700
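Review bot: ./var/chroot/tcpdump is created mode=0755 with no uname/gname, so it is root-owned and _tcpdump cannot create files in it. That is the right shape for a jail (it matches ./var/chroot/sshd and ./var/chroot/pflogd above), but with the chroot applied before the privilege drop it means an unprivileged tcpdump has nowhere writable for a -w capture file unless the operator pre-creates a subdirectory; either document that in the man page or follow the ./var/chroot/ntpd/var/run pattern above and add a gname-owned, group-writable subdirectory. The column alignment of the new line also looks off by one against its neighbours; check the whitespace matches the rest of the file.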
Index: src/usr.sbin/tcpdump/Makefile
===================================================================
RCS file: /cvsroot/src/usr.sbin/tcpdump/Makefile,v
retrieving revision 1.49
diff -u -p -r1.49 Makefile
--- src/usr.sbin/tcpdump/Makefile       22 Apr 2009 15:23:09 -0000      1.49
+++ src/usr.sbin/tcpdump/Makefile       10 Sep 2009 11:28:20 -0000
@@ -75,6 +75,9 @@ CPPFLAGS+=-DLBL_ALIGN=1
 CPPFLAGS+=-DTCPDUMP_DO_SMB=1
 CPPFLAGS+=-D_U_="__attribute__((unused))"
 
+CPPFLAGS+=-DWITH_USER=\"_tcpdump\"
+CPPFLAGS+=-DWITH_CHROOT=\"/var/chroot/tcpdump\"
+
 .if (${USE_INET6} != "no")
 SRCS+= print-ip6.c print-ip6opts.c print-ripng.c print-icmp6.c print-frag6.c \
        print-rt6.c print-ospf6.c print-dhcp6.c
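Review bot: WITH_USER and WITH_CHROOT are added unconditionally, with no bsd.own.mk-style knob to turn the new default off; since -Z overrides only the user at run time, an operator who needs the old behaviour (for example to write capture files outside /var/chroot/tcpdump) has to rebuild. Suggest either a build variable that skips these two lines or a note in the man page that the chroot cannot be disabled at run time. Also verify that the tcpdump sources in src/dist actually honour both macros when dropping privileges, otherwise the man page text above describes behaviour that never happens.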

