Package: tcpdump
Version: 4.99.3-1~bpo11+1.1
Severity: normal
Tags: patch upstream

tcpdump: Couldn't change to 'root' uid=0 gid=0: Operation not permitted

When working with user namespaces tcpdump fails. Upstream has several
open issues and at least one pull request for this since 2019.

https://github.com/the-tcpdump-group/tcpdump/pull/812

I've created a debdiff that works with 4.99.0 and 4.99.3 (bullseye and
bullseye-backports/testing/unstable) using the upstream PR 2-line patch.

$ unshare --user --map-root-user --mount --net
# id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
# echo $$
557221

On host side:

$ touch mynetns
$ sudo mount --bind /proc/557221/ns/net mynetns
$ sudo ip link add outside type veth peer inside netns $HOME/mynetns
$ sudo ip link set up dev outside

In namespace:

# ip link set up dev inside
# tcpdump -ni inside
tcpdump: Couldn't change to 'tcpdump' uid=109 gid=113: Operation not permitted
# tcpdump -Z root -ni inside
tcpdump: Couldn't change to 'root' uid=0 gid=0: Operation not permitted

# strace tcpdump -Z root  -ni inside
...
rt_sigprocmask(SIG_BLOCK, [HUP USR1 USR2 PIPE ALRM CHLD TSTP URG VTALRM PROF WINCH IO], [], 8) = 0
futex(0x7f491f1e8a18, FUTEX_WAKE_PRIVATE, 2147483647) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
setgroups(1, [0])                       = -1 EPERM (Operation not permitted)
write(2, "tcpdump: ", 9tcpdump: )                = 9
write(2, "Couldn't change to 'root' uid=0 "..., 62Couldn't change to 'root' uid=0 gid=0: Operation not permitted) = 62
write(2, "\n", 1
)                       = 1
exit_group(1)                           = ?
+++ exited with 1 +++


-- System Information:
Debian Release: 11.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.2.11-tj+ (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tcpdump depends on:
ii  adduser     3.118
ii  libc6       2.31-13+deb11u6
ii  libpcap0.8  1.10.3-1~bpo11+1
ii  libssl1.1   1.1.1n-0+deb11u4

tcpdump recommends no packages.

Versions of packages tcpdump suggests:
ii  apparmor  2.13.6-10

-- no debconf information

*** /srv/NAS/Sunny/SourceCode/tcpdump/tcpdump_4.99.0-2+deb11u1.1.debdiff
diff -Nru tcpdump-4.99.0/debian/changelog tcpdump-4.99.0/debian/changelog
--- tcpdump-4.99.0/debian/changelog     2022-05-22 17:22:50.000000000 +0100
+++ tcpdump-4.99.0/debian/changelog     2023-05-10 06:02:09.000000000 +0100
@@ -1,3 +1,10 @@
+tcpdump (4.99.0-2+deb11u1.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Allow use in namespace; don't call setgroups when already root
+
+ -- Tj <deb...@iam.tj>  Wed, 10 May 2023 06:02:09 +0100
+
 tcpdump (4.99.0-2+deb11u1) bullseye; urgency=medium
 
   * Minor AppArmor profile updates (debian/usr.bin.tcpdump):
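
Review bot: The new changelog bullet says setgroups is skipped "when already root", but the patch this upload adds tests whether the -Z argument is the string "root", not whether the process already runs as uid 0; reword the bullet to state the actual condition. The entry also has no "(Closes: #NNNNNN)" reference (placeholder, the bug number is not shown here), and the distribution is still UNRELEASED, so both need settling before upload.
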
diff -Nru 
tcpdump-4.99.0/debian/patches/fix-no-call-setgroup-if-already-uid-0.diff 
tcpdump-4.99.0/debian/patches/fix-no-call-setgroup-if-already-uid-0.diff
--- tcpdump-4.99.0/debian/patches/fix-no-call-setgroups-if-already-uid-0.diff   
1970-01-01 01:00:00.000000000 +0100
+++ tcpdump-4.99.0/debian/patches/fix-no-call-setgroups-if-already-uid-0.diff   
2023-05-10 05:57:38.000000000 +0100
@@ -0,0 +1,16 @@
+Description: Do not setgroup() as root if already root 
+Forwarded: no
+Origin: https://github.com/the-tcpdump-group/tcpdump/pull/812
+diff --git a/tcpdump.c b/tcpdump.c
+index b0d3aa5b..b800757e 100644
+--- a/tcpdump.c
++++ b/tcpdump.c
+@@ -2086,6 +2086,8 @@ main(int argc, char **argv)
+               /* Run with '-Z root' to restore old behaviour */
+               if (!username)
+                       username = WITH_USER;
++              else if(strcmp(username, "root") == 0)
++                      username = NULL;
+       }
+ #endif
+ 
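
Review bot: The added `else if(strcmp(username, "root") == 0)` branch only takes effect when `-Z root` is passed explicitly; with no `-Z`, the preceding `if (!username) username = WITH_USER;` still selects the unprivileged user, so a plain `tcpdump -ni inside` in the namespace keeps failing as in the first reproduction in this report. The test also matches the literal name "root" instead of comparing the target uid/gid with the current ones, which is what the patch file name ("if-already-uid-0") promises, so a uid-0 account under another name is not covered. What a NULL username skips is not visible in this hunk; if it bypasses more than the setgroups() call, the Description should say so, with "setgroups" spelled in full. Finally, `else if(` needs a space after `if` to match the `if (!username)` line above it.
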
diff -Nru tcpdump-4.99.0/debian/patches/series 
tcpdump-4.99.0/debian/patches/series
--- tcpdump-4.99.0/debian/patches/series        2021-06-20 19:47:15.000000000 
+0100
+++ tcpdump-4.99.0/debian/patches/series        2023-05-10 05:18:02.000000000 
+0100
@@ -4,3 +4,4 @@
 man-section.diff
 platform-quirks.diff
 disable-tests.diff
+fix-no-call-setgroups-if-already-uid-0.diff
