Module Name: src Committed By: jruoho Date: Fri Dec 17 09:54:28 UTC 2010
Modified Files: src: UPDATING src/distrib/sets/lists/base: mi src/etc: group master.passwd src/etc/mtree: NetBSD.dist.base special src/external/bsd/tcpdump/bin: Makefile src/external/bsd/tcpdump/dist: tcpdump.1.in src/usr.sbin/tcpdump: Makefile Log Message: Make tcpdump(8) to drop root privileges and chroot(2) by default. To generate a diff of this commit: cvs rdiff -u -r1.216 -r1.217 src/UPDATING cvs rdiff -u -r1.907 -r1.908 src/distrib/sets/lists/base/mi cvs rdiff -u -r1.25 -r1.26 src/etc/group cvs rdiff -u -r1.42 -r1.43 src/etc/master.passwd cvs rdiff -u -r1.67 -r1.68 src/etc/mtree/NetBSD.dist.base cvs rdiff -u -r1.133 -r1.134 src/etc/mtree/special cvs rdiff -u -r1.3 -r1.4 src/external/bsd/tcpdump/bin/Makefile cvs rdiff -u -r1.2 -r1.3 src/external/bsd/tcpdump/dist/tcpdump.1.in cvs rdiff -u -r1.50 -r1.51 src/usr.sbin/tcpdump/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/UPDATING diff -u src/UPDATING:1.216 src/UPDATING:1.217 --- src/UPDATING:1.216 Thu Nov 25 22:08:49 2010 +++ src/UPDATING Fri Dec 17 09:54:27 2010 @@ -1,4 +1,4 @@ -$NetBSD: UPDATING,v 1.216 2010/11/25 22:08:49 christos Exp $ +$NetBSD: UPDATING,v 1.217 2010/12/17 09:54:27 jruoho Exp $ This file (UPDATING) is intended to be a brief reference to recent changes that might cause problems in the build process, and a guide for @@ -15,6 +15,11 @@ Recent changes: ^^^^^^^^^^^^^^^ +20101217: + The tcpdump(8) program was changed to drop privileges and chroot(2) + by default. It may be necessary to manually update passwd(5) and + group(5) in order to make the program work with existing setups. + 20101125: The latest changes to setenv(3) dissallow setting environment variables with names that contain '='. Revision 1.18 of env.c Index: src/distrib/sets/lists/base/mi diff -u src/distrib/sets/lists/base/mi:1.907 src/distrib/sets/lists/base/mi:1.908 --- src/distrib/sets/lists/base/mi:1.907 Wed Dec 15 18:39:27 2010 +++ src/distrib/sets/lists/base/mi Fri Dec 17 09:54:27 2010 @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.907 2010/12/15 18:39:27 pooka Exp $ +# $NetBSD: mi,v 1.908 2010/12/17 09:54:27 jruoho Exp $ # # Note: Don't delete entries from here - mark them as "obsolete" instead, # unless otherwise stated below. @@ -4806,6 +4806,7 @@ ./var/chroot/pfspamd base-obsolete obsolete ./var/chroot/spamd base-obsolete obsolete ./var/chroot/sshd base-sys-root +./var/chroot/tcpdump base-sys-root ./var/chroot/tftp-proxy base-sys-root ./var/crash base-sys-root ./var/cron base-cron-root Index: src/etc/group diff -u src/etc/group:1.25 src/etc/group:1.26 --- src/etc/group:1.25 Sun Nov 7 17:47:47 2010 +++ src/etc/group Fri Dec 17 09:54:27 2010 @@ -22,6 +22,7 @@ _httpd:*:24: _mdnsd:*:25: _atf:*:26: +_tcpdump:*:27: guest:*:31:root nobody:*:39: utmp:*:45: Index: src/etc/master.passwd diff -u src/etc/master.passwd:1.42 src/etc/master.passwd:1.43 --- src/etc/master.passwd:1.42 Sun Nov 7 17:47:47 2010 +++ src/etc/master.passwd Fri Dec 17 09:54:27 2010 @@ -16,5 +16,6 @@ _httpd:*:24:24::0:0:& pseudo-user:/var/www:/sbin/nologin _mdnsd:*:25:25::0:0:& pseudo-user:/nonexistent:/sbin/nologin _atf:*:26:26::0:0:& pseudo-user:/nonexistent:/sbin/nologin +_tcpdump:*:27:27::0:0:& pseudo-user:/var/chroot/tcpdump:/sbin/nologin uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/nonexistent:/sbin/nologin nobody:*:32767:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin Index: src/etc/mtree/NetBSD.dist.base diff -u src/etc/mtree/NetBSD.dist.base:1.67 src/etc/mtree/NetBSD.dist.base:1.68 --- src/etc/mtree/NetBSD.dist.base:1.67 Wed Dec 8 23:56:02 2010 +++ src/etc/mtree/NetBSD.dist.base Fri Dec 17 09:54:28 2010 @@ -1,4 +1,4 @@ -# $NetBSD: NetBSD.dist.base,v 1.67 2010/12/08 23:56:02 njoly Exp $ +# $NetBSD: NetBSD.dist.base,v 1.68 2010/12/17 09:54:28 jruoho Exp $ # @(#)4.4BSD.dist 8.1 (Berkeley) 6/13/93 # Do not customize this file as it may be overwritten on upgrades. @@ -1080,6 +1080,7 @@ ./var/chroot/ntpd/var/run mode=0775 gname=ntpd ./var/chroot/pflogd mode=0755 ./var/chroot/sshd mode=0755 +./var/chroot/tcpdump mode=0755 ./var/chroot/tftp-proxy mode=0755 ./var/crash mode=0770 ./var/cron Index: src/etc/mtree/special diff -u src/etc/mtree/special:1.133 src/etc/mtree/special:1.134 --- src/etc/mtree/special:1.133 Tue Aug 24 13:18:04 2010 +++ src/etc/mtree/special Fri Dec 17 09:54:28 2010 @@ -1,4 +1,4 @@ -# $NetBSD: special,v 1.133 2010/08/24 13:18:04 christos Exp $ +# $NetBSD: special,v 1.134 2010/12/17 09:54:28 jruoho Exp $ # @(#)special 8.2 (Berkeley) 1/23/94 # # This file may be overwritten on upgrades. @@ -393,6 +393,7 @@ ./var/chroot/ntpd/var/run type=dir mode=0775 gname=ntpd ./var/chroot/pflogd type=dir mode=0755 ./var/chroot/sshd type=dir mode=0755 +./var/chroot/tcpdump type=dir mode=0755 ./var/chroot/tftp-proxy type=dir mode=0755 ./var/cron type=dir mode=0755 ./var/cron/tabs type=dir mode=0700 Index: src/external/bsd/tcpdump/bin/Makefile diff -u src/external/bsd/tcpdump/bin/Makefile:1.3 src/external/bsd/tcpdump/bin/Makefile:1.4 --- src/external/bsd/tcpdump/bin/Makefile:1.3 Sun Dec 5 05:52:46 2010 +++ src/external/bsd/tcpdump/bin/Makefile Fri Dec 17 09:54:28 2010 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.3 2010/12/05 05:52:46 christos Exp $ +# $NetBSD: Makefile,v 1.4 2010/12/17 09:54:28 jruoho Exp $ WARNS?= 1 # XXX: need to cleanup later @@ -64,6 +64,9 @@ CPPFLAGS+=-DHAVE_CONFIG_H -D_U_="__attribute__((__unused__))" +CPPFLAGS+=-DWITH_USER=\"_tcpdump\" +CPPFLAGS+=-DWITH_CHROOT=\"/var/chroot/tcpdump\" + .if (${USE_INET6} != "no") SRCS+= print-ip6.c print-ip6opts.c print-ripng.c print-icmp6.c print-frag6.c \ print-rt6.c print-ospf6.c print-dhcp6.c Index: src/external/bsd/tcpdump/dist/tcpdump.1.in diff -u src/external/bsd/tcpdump/dist/tcpdump.1.in:1.2 src/external/bsd/tcpdump/dist/tcpdump.1.in:1.3 --- src/external/bsd/tcpdump/dist/tcpdump.1.in:1.2 Sun Dec 5 05:11:31 2010 +++ src/external/bsd/tcpdump/dist/tcpdump.1.in Fri Dec 17 09:54:28 2010 @@ -1,6 +1,6 @@ .\" @(#) Header: /tcpdump/master/tcpdump/tcpdump.1.in,v 1.2 2008-11-09 23:35:03 mcr Exp (LBL) .\" -.\" $NetBSD: tcpdump.1.in,v 1.2 2010/12/05 05:11:31 christos Exp $ +.\" $NetBSD: tcpdump.1.in,v 1.3 2010/12/17 09:54:28 jruoho Exp $ .\" .\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997 .\" The Regents of the University of California. All rights reserved. @@ -620,12 +620,15 @@ and execute the command that you want. .TP .B \-Z -Drops privileges (if root) and changes user ID to -.I user -and the group ID to the primary group of -.IR user . -.IP -This behavior can also be enabled by default at compile time. +By default, +.I tcpdump +operates in NetBSD under the privileges of the user ``_tcpdump''. +Before the user ID and the corresponding primary group ID are changed, +.I tcpdump +will change the root directory to \fI/var/chroot/tcpdump\fP. +By using the option +.B \-Z +the real and effective user and group IDs can be changed to ``user'' instead. .IP "\fI expression\fP" .RS selects which packets will be dumped. Index: src/usr.sbin/tcpdump/Makefile diff -u src/usr.sbin/tcpdump/Makefile:1.50 src/usr.sbin/tcpdump/Makefile:1.51 --- src/usr.sbin/tcpdump/Makefile:1.50 Mon Sep 14 10:36:51 2009 +++ src/usr.sbin/tcpdump/Makefile Fri Dec 17 09:54:28 2010 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.50 2009/09/14 10:36:51 degroote Exp $ +# $NetBSD: Makefile,v 1.51 2010/12/17 09:54:28 jruoho Exp $ WARNS?= 1 # XXX: out of date third-party program @@ -77,6 +77,9 @@ CPPFLAGS+=-DTCPDUMP_DO_SMB=1 CPPFLAGS+=-D_U_="__attribute__((unused))" +CPPFLAGS+=-DWITH_USER=\"_tcpdump\" +CPPFLAGS+=-DWITH_CHROOT=\"/var/chroot/tcpdump\" + .if (${USE_INET6} != "no") SRCS+= print-ip6.c print-ip6opts.c print-ripng.c print-icmp6.c print-frag6.c \ print-rt6.c print-ospf6.c print-dhcp6.c