tcpdump mailing list archives

[PATCH 2/3] With -C option drop root before opening first savefile.


From: Miroslav Lichvar <mlichvar () redhat com>
Date: Thu, 13 Aug 2009 17:44:24 +0200

This is to avoid having savefiles with different ownership and to avoid
terminating tcpdump with a permission denied error when opening the second
savefile.
---
 tcpdump.1.in |    4 ++++
 tcpdump.c    |    7 ++++++-
 2 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/tcpdump.1.in b/tcpdump.1.in
index f0f7ce0..86174c2 100644
--- a/tcpdump.1.in
+++ b/tcpdump.1.in
@@ -206,6 +206,10 @@ have the name specified with the
 flag, with a number after it, starting at 1 and continuing upward.
 The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,
 not 1,048,576 bytes).
+
+Note that when used with
+.B \-Z
+option, privileges are dropped before opening first savefile.
 .TP
 .B \-d
 Dump the compiled packet-matching code in a human readable form to
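Review bot: The added note under -C states when privileges are dropped but not what that means for the user: with -Z in effect, the directory for the savefiles must be writable by the -Z user, otherwise the first open now fails where it used to succeed as root. Suggest saying that explicitly, and tightening the wording to "Note that when used with the -Z option, privileges are dropped before opening the first savefile." A matching sentence in the -Z entry would help readers who start from that flag.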
diff --git a/tcpdump.c b/tcpdump.c
index 26d1d80..e37de80 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -1109,6 +1109,11 @@ main(int argc, char **argv)
                (void)setsignal(SIGHUP, oldhandler);
 #endif /* WIN32 */
 
+       if (Cflag != 0 && (getuid() == 0 || geteuid() == 0)) {
+               if (username || chroot_dir)
+                       droproot(username, chroot_dir);
+       }
+
        if (pcap_setfilter(pd, &fcode) < 0)
                error("%s", pcap_geterr(pd));
        if (WFileName) {
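Review bot: The new droproot() call sits above pcap_setfilter(pd, &fcode), so on the -C path the filter is now installed after privileges are given up, not only the savefile open. If that ordering is intentional, it needs a comment saying why it is safe; otherwise move the block to just before "if (WFileName) {" so that only the file open changes sides. Either way the block needs a comment explaining that -C rotates files after the drop and so the first file must be created with the same credentials. The two nested ifs can be folded into one condition.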
@@ -1157,7 +1162,7 @@ main(int argc, char **argv)
         * We cannot do this earlier, because we want to be able to open
         * the file (if done) for writing before giving up permissions.
         */
-       if (getuid() == 0 || geteuid() == 0) {
+       if (Cflag == 0 && (getuid() == 0 || geteuid() == 0)) {
                if (username || chroot_dir)
                        droproot(username, chroot_dir);
        }
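Review bot: The comment kept above this condition ("We cannot do this earlier, because we want to be able to open the file (if done) for writing before giving up permissions") is no longer accurate once Cflag != 0 takes the earlier path, and should be updated to say that it covers only the non -C case. The droproot() block now exists twice, guarded by complementary Cflag tests; consider a small helper or a single flag recording that the drop has already happened, so a later edit cannot change one copy and miss the other.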
-- 
1.6.2.5

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

