pespin has uploaded this change for review. ( 
https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/36867?usp=email )


Change subject: ttcn3-tcpdump-start.sh: Avoid using dumpcap if it has no access 
to pcap parent dir
......................................................................

ttcn3-tcpdump-start.sh: Avoid using dumpcap if it has no access to pcap parent 
dir

dumpcap seems to be opening the pcap file it writes to *after* dropping
privileges, which means even if running it as root, it will fail to
create the pcap file inside a directory where that same user (even if
root) doesn't have write+execute permissions.

This is exactly what happens when one tries to run the
ttcn3-tcpdump-start.sh script inside docker with "--cap-add=NET_ADMIN
--cap-add=SYS_RESOURCE" and root user, where it then tells dumpcap to
write to a volume mounted inside docker which was created by the
outside user, hence with UID=1000 instead of UID=0 inside docker.

Since tcpdump works fine in this setup, simply skip using dumpcap if it
would fail to create the pcap file.

Related: OS#6455
Change-Id: If8ea5bb62f4866042761d3e08fe83179bf10c75a
---
M ttcn3-tcpdump-start.sh
1 file changed, 30 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-ttcn3-hacks refs/changes/67/36867/1

diff --git a/ttcn3-tcpdump-start.sh b/ttcn3-tcpdump-start.sh
index 5b6c9ea..7c4b78f 100755
--- a/ttcn3-tcpdump-start.sh
+++ b/ttcn3-tcpdump-start.sh
@@ -62,7 +62,12 @@
     fi

     if [ -u $DUMPCAP -o "$CAP_ERR" = "0" ]; then
-       CMD="$DUMPCAP -q"
+       # dumpcap, *after dropping permissions*, needs to be able to write to 
the directory to create the pcap file:
+       if [ "$(stat -L -c "%u" "$TTCN3_PCAP_PATH")" = "$(id -u)" ] && [ 
"$(stat -L -c "%A" "$TTCN3_PCAP_PATH" | head -c 4)" = "drwx" ]; then
+               CMD="$DUMPCAP -q"
+       else
+               echo "NOTE: unable to use dumpcap due to missing permissions in 
$TTCN3_PCAP_PATH"
+       fi
     else
        echo "NOTE: unable to use dumpcap due to missing capabilities or suid 
bit"
     fi
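
Review bot: The new condition on `stat -L -c "%u"` and `stat -L -c "%A" ... | head -c 4` is owner-only: it accepts the directory only when it is owned by the current UID and its owner bits are `rwx`. A directory that the user can write to through its group or other bits is therefore also rejected, and the script then prints "missing permissions" even though dumpcap could have created the file there. That errs on the safe side, but please either state in the comment that the check is deliberately conservative, or extend it to cover group/other write+execute. Two smaller points: the inner else branch only echoes a NOTE and does not set CMD, so it depends on CMD already holding the tcpdump default from code outside this hunk, which is worth a short comment; and the code comment says "dropping permissions" where the commit message says "dropping privileges", so use one term. `stat -c` is the GNU coreutils form, so mention that requirement if the script is expected to run on other userlands.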

--
To view, visit https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/36867?usp=email
To unsubscribe, or for help writing mail filters, visit 
https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-ttcn3-hacks
Gerrit-Branch: master
Gerrit-Change-Id: If8ea5bb62f4866042761d3e08fe83179bf10c75a
Gerrit-Change-Number: 36867
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pes...@sysmocom.de>
Gerrit-MessageType: newchange
