#106 Downgrade permissions before opening the first output file.

Git head
closed-fixed
nobody
None
5
2013-11-06
2010-10-26
No

tcpdump uses its original permissions to open the output file specified with -w, but only for the first file. This causes the following issues:
1. "tcpdump -w somefile_%T.pcap -Z username" - The file is created with the original permissions of tcpdump (see bug #2109956). The primary reason to run tcpdump at higher privilege levels and then downgrading is the need to deal with interfaces in ways that only root can. Once this is done, it's reasonable to expect that everything else be done as the -Z specified user.
2. "tcpdump -w somefile_%T.pcap -Z username -G 5" - The initial file is created with the original permissions, while the subsequent files are created with the -Z user's permissions.

The source code makes a comment about changing users after we start writing the file to make sure that we can write it. This doesn't solve any problem that users can't trivially solve themselves, and causes unexpected problems that require annoying workarounds.

My attached patch changes tcpdump.c so that permissions are dropped before the first output file is opened. This will cause -Z to have the more predictable behavior of: "Use the original permissions to handle the interfaces, and then switch to -Z <user> for everything else." This may cause problems for some existing users if they are relying on the previous behavior, but the fix for these problems is so trivial I can't bring myself to care.
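
The ordering requested above, as an added example that is not part of the original report, the attached patch, or tcpdump's source: privileges are dropped first and only then is the output file created, so the first file is owned by the target user. The helper names `drop_privileges` and `open_output_as` and the sample path are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE            /* for setgroups() and O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently become uid/gid. Groups and gid are
 * changed first, while we may still change them; uid goes last. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clear root's supplementary groups when leaving root for another user. */
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)      /* must not be able to regain root */
        return -1;
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Hypothetical helper: do the privileged setup, drop, then create the file.
 * Returns the uid owning the new file, or (uid_t)-1 on any failure. */
static uid_t open_output_as(uid_t uid, gid_t gid, const char *path)
{
    struct stat st;
    int fd;
    /* ... privileged work such as opening the capture interface ... */
    if (drop_privileges(uid, gid) != 0)
        return (uid_t)-1;
    /* Created with the dropped credentials; refuse existing files/symlinks. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return (uid_t)-1;
    if (fstat(fd, &st) != 0)
        st.st_uid = (uid_t)-1;
    close(fd);
    return st.st_uid;
}

int main(void)
{
    const char *path = "/tmp/added_example_first.pcap";  /* constructed path */
    /* Run as root with a real target uid/gid to see ownership change. */
    uid_t owner = open_output_as(getuid(), getgid(), path);
    printf("output file owned by uid %ld\n", (long)owner);
    if (owner != (uid_t)-1) unlink(path);
    return owner == (uid_t)-1;
}
```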

Discussion

  • Paul Ferrell

    Paul Ferrell - 2010-10-26

    A trivial change

     
  • Guy Harris

    Guy Harris - 2010-11-07

    Checked in, with the comment before the code to relinquish privileges expanded to indicate why we do *NOT* wait until after opening the savefile for output to relinquish the privileges, in the hopes that people won't revert this change without at least thinking about it.

    I also updated the man page to more completely and correctly describe what -Z does now.

    I put the fix into the trunk and 4.1 branches.

     
  • Guy Harris

    Guy Harris - 2010-11-07
    • status: open --> closed-fixed
     
  • Denis Ovsienko

    Denis Ovsienko - 2013-11-06

    Administrators of the "tcpdump" SourceForge project have superseded this tracker item (formerly artifact 3095981, now patch 106) with issue 265 of the "tcpdump" GitHub project.

     