Date: Fri, 11 Mar 2011 17:57:53 +0300
From: "Dmitry V. Levin" <ldv@...linux.org>
To: owl-dev@...ts.openwall.com
Subject: Re: tcpdump vagaries

On Fri, Mar 11, 2011 at 06:40:31AM -0800, RB wrote:
> As sent to Solar, re-posting as requested to owl-dev.  This particular
> pair of bugs^Wfeatures have had me pulling my hair out for the past
> week.
> 
> ====
> Just wanted to give you a heads up on some poor behavior I've noted in
> Gentoo's packaging of tcpdump that you may have unintentionally run
> into.  I know Owl's recent releases eliminated setXid binaries, so
> your likelihood of hitting these edge cases increases.
> 
> The issues surround using the -G and -C options to split capture files
> at runtime.  When tcpdump is configured with '--with-user=XXX', it
> turns the -Z (drop privileges) option on by default.  The result is
> that the first capture file is created with the privileges and
> ownership of the calling user (often root) but subsequent ones as the
> XXX user.  This stands a high probability of producing subtle (and
> late) failures due to filesystem permissions.

The issue you are talking about is similar to an already described one:
https://bugzilla.redhat.com/show_bug.cgi?id=244860

I made a patch to resolve it by dropping privs before opening a savefile:
http://git.altlinux.org/gears/t/t.git?p=tcpdump.git;a=commitdiff;h=3.9.5-alt1-3-gab9c745


-- 
ldv
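
The late failure described in this thread can be predicted before a capture starts. The following is an added example, not code from this thread or from tcpdump: a preflight check that compares what the calling user and the -Z user may each create in the capture directory. All function names are hypothetical; it assumes uid 0 bypasses mode bits and ignores supplementary groups and ACLs.

```c
#define _XOPEN_SOURCE 700
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum outcome { CAPTURE_OK, LATE_FAILURE, EARLY_FAILURE };

/* 1 if uid/gid may create files in a directory with these stat fields.
 * Assumptions: uid 0 bypasses mode bits; supplementary groups, ACLs ignored. */
int can_create_in(const struct stat *dir, uid_t uid, gid_t gid)
{
    mode_t w = S_IWOTH, x = S_IXOTH;
    if (!S_ISDIR(dir->st_mode)) return 0;
    if (uid == 0) return 1;
    if (dir->st_uid == uid)      { w = S_IWUSR; x = S_IXUSR; }
    else if (dir->st_gid == gid) { w = S_IWGRP; x = S_IXGRP; }
    return (dir->st_mode & w) && (dir->st_mode & x);
}

/* First savefile is opened as the caller, rotated (-G/-C) ones as the -Z user. */
enum outcome predict_rotation(const struct stat *dir, uid_t caller_uid,
                              gid_t caller_gid, uid_t drop_uid, gid_t drop_gid)
{
    if (!can_create_in(dir, caller_uid, caller_gid)) return EARLY_FAILURE;
    return can_create_in(dir, drop_uid, drop_gid) ? CAPTURE_OK : LATE_FAILURE;
}

/* Constructed directory metadata, for exercising the check without root. */
struct stat sample_dir(mode_t perms, uid_t owner, gid_t group)
{
    struct stat st = {0};
    st.st_mode = S_IFDIR | perms; st.st_uid = owner; st.st_gid = group;
    return st;
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "ok", "first file ok, rotated files fail",
                                 "first file fails" };
    struct stat st; struct passwd *pw;
    if (argc != 3 || stat(argv[1], &st) != 0 || !(pw = getpwnam(argv[2]))) {
        fprintf(stderr, "usage: %s <capture-dir> <drop-user>\n", argv[0]);
        return 2;
    }
    puts(msg[predict_rotation(&st, geteuid(), getegid(), pw->pw_uid, pw->pw_gid)]);
    return 0;
}
```

When privileges are dropped before the first savefile is opened, every file is created as the same user, so the caller and drop identities passed to `predict_rotation` are equal and `LATE_FAILURE` cannot occur.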
