Sun Apr 17 11:45:40 2011 UTC ()
Hint from dsl: make sure to have the /etc/protocols file already open
before doing a chroot() if run as root. Easily done by a setprotoent(1)
call. This is a better (less intrusive) fix for PR bin/44721.


(martin)
diff -r1.2 -r1.3 src/external/bsd/tcpdump/dist/tcpdump.c
cvs diff -r1.2 -r1.3 src/external/bsd/tcpdump/dist/tcpdump.c (expand / switch to unified diff)

--- src/external/bsd/tcpdump/dist/tcpdump.c 2010/12/05 05:11:31 1.2
+++ src/external/bsd/tcpdump/dist/tcpdump.c 2011/04/17 11:45:40 1.3
@@ -24,27 +24,27 @@ @@ -24,27 +24,27 @@
24 * Copyright (c) 2001 24 * Copyright (c) 2001
25 * Seth Webster <swebster@sst.ll.mit.edu> 25 * Seth Webster <swebster@sst.ll.mit.edu>
26 */ 26 */
27 27
28#include <sys/cdefs.h> 28#include <sys/cdefs.h>
29#ifndef lint 29#ifndef lint
30#if 0 30#if 0
31static const char copyright[] _U_ = 31static const char copyright[] _U_ =
32 "@(#) Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000\n\ 32 "@(#) Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 2000\n\
33The Regents of the University of California. All rights reserved.\n"; 33The Regents of the University of California. All rights reserved.\n";
34static const char rcsid[] _U_ = 34static const char rcsid[] _U_ =
35 "@(#) Header: /tcpdump/master/tcpdump/tcpdump.c,v 1.283 2008-09-25 21:45:50 guy Exp (LBL)"; 35 "@(#) Header: /tcpdump/master/tcpdump/tcpdump.c,v 1.283 2008-09-25 21:45:50 guy Exp (LBL)";
36#else 36#else
37__RCSID("$NetBSD: tcpdump.c,v 1.2 2010/12/05 05:11:31 christos Exp $"); 37__RCSID("$NetBSD: tcpdump.c,v 1.3 2011/04/17 11:45:40 martin Exp $");
38#endif 38#endif
39#endif 39#endif
40 40
41/* 41/*
42 * tcpdump - monitor tcp/ip traffic on an ethernet. 42 * tcpdump - monitor tcp/ip traffic on an ethernet.
43 * 43 *
44 * First written in 1987 by Van Jacobson, Lawrence Berkeley Laboratory. 44 * First written in 1987 by Van Jacobson, Lawrence Berkeley Laboratory.
45 * Mercilessly hacked and occasionally improved since then via the 45 * Mercilessly hacked and occasionally improved since then via the
46 * combined efforts of Van, Steve McCanne and Craig Leres of LBL. 46 * combined efforts of Van, Steve McCanne and Craig Leres of LBL.
47 */ 47 */
48 48
49#ifdef HAVE_CONFIG_H 49#ifdef HAVE_CONFIG_H
50#include "config.h" 50#include "config.h"
@@ -459,26 +459,27 @@ show_dlts_and_exit(const char *device, p @@ -459,26 +459,27 @@ show_dlts_and_exit(const char *device, p
459static void 459static void
460droproot(const char *username, const char *chroot_dir) 460droproot(const char *username, const char *chroot_dir)
461{ 461{
462 struct passwd *pw = NULL; 462 struct passwd *pw = NULL;
463 463
464 if (chroot_dir && !username) { 464 if (chroot_dir && !username) {
465 fprintf(stderr, "tcpdump: Chroot without dropping root is insecure\n"); 465 fprintf(stderr, "tcpdump: Chroot without dropping root is insecure\n");
466 exit(1); 466 exit(1);
467 } 467 }
468  468
469 pw = getpwnam(username); 469 pw = getpwnam(username);
470 if (pw) { 470 if (pw) {
471 if (chroot_dir) { 471 if (chroot_dir) {
 472 setprotoent(1);
472 if (chroot(chroot_dir) != 0 || chdir ("/") != 0) { 473 if (chroot(chroot_dir) != 0 || chdir ("/") != 0) {
473 fprintf(stderr, "tcpdump: Couldn't chroot/chdir to '%.64s': %s\n", 474 fprintf(stderr, "tcpdump: Couldn't chroot/chdir to '%.64s': %s\n",
474 chroot_dir, pcap_strerror(errno)); 475 chroot_dir, pcap_strerror(errno));
475 exit(1); 476 exit(1);
476 } 477 }
477 } 478 }
478 if (initgroups(pw->pw_name, pw->pw_gid) != 0 || 479 if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
479 setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) { 480 setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
480 fprintf(stderr, "tcpdump: Couldn't change to '%.32s' uid=%lu gid=%lu: %s\n", 481 fprintf(stderr, "tcpdump: Couldn't change to '%.32s' uid=%lu gid=%lu: %s\n",
481 username,  482 username,
482 (unsigned long)pw->pw_uid, 483 (unsigned long)pw->pw_uid,
483 (unsigned long)pw->pw_gid, 484 (unsigned long)pw->pw_gid,
484 pcap_strerror(errno)); 485 pcap_strerror(errno));