Module Name: src
Committed By: jruoho
Date: Fri Dec 17 09:54:28 UTC 2010
Modified Files:
src: UPDATING
src/distrib/sets/lists/base: mi
src/etc: group master.passwd
src/etc/mtree: NetBSD.dist.base special
src/external/bsd/tcpdump/bin: Makefile
src/external/bsd/tcpdump/dist: tcpdump.1.in
src/usr.sbin/tcpdump: Makefile
Log Message:
Make tcpdump(8) to drop root privileges and chroot(2) by default.
To generate a diff of this commit:
cvs rdiff -u -r1.216 -r1.217 src/UPDATING
cvs rdiff -u -r1.907 -r1.908 src/distrib/sets/lists/base/mi
cvs rdiff -u -r1.25 -r1.26 src/etc/group
cvs rdiff -u -r1.42 -r1.43 src/etc/master.passwd
cvs rdiff -u -r1.67 -r1.68 src/etc/mtree/NetBSD.dist.base
cvs rdiff -u -r1.133 -r1.134 src/etc/mtree/special
cvs rdiff -u -r1.3 -r1.4 src/external/bsd/tcpdump/bin/Makefile
cvs rdiff -u -r1.2 -r1.3 src/external/bsd/tcpdump/dist/tcpdump.1.in
cvs rdiff -u -r1.50 -r1.51 src/usr.sbin/tcpdump/Makefile
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/UPDATING
diff -u src/UPDATING:1.216 src/UPDATING:1.217
--- src/UPDATING:1.216 Thu Nov 25 22:08:49 2010
+++ src/UPDATING Fri Dec 17 09:54:27 2010
@@ -1,4 +1,4 @@
-$NetBSD: UPDATING,v 1.216 2010/11/25 22:08:49 christos Exp $
+$NetBSD: UPDATING,v 1.217 2010/12/17 09:54:27 jruoho Exp $
This file (UPDATING) is intended to be a brief reference to recent
changes that might cause problems in the build process, and a guide for
@@ -15,6 +15,11 @@
Recent changes:
^^^^^^^^^^^^^^^
+20101217:
+ The tcpdump(8) program was changed to drop privileges and chroot(2)
+ by default. It may be necessary to manually update passwd(5) and
+ group(5) in order to make the program work with existing setups.
+
20101125:
The latest changes to setenv(3) dissallow setting environment
variables with names that contain '='. Revision 1.18 of env.c
Index: src/distrib/sets/lists/base/mi
diff -u src/distrib/sets/lists/base/mi:1.907 src/distrib/sets/lists/base/mi:1.908
--- src/distrib/sets/lists/base/mi:1.907 Wed Dec 15 18:39:27 2010
+++ src/distrib/sets/lists/base/mi Fri Dec 17 09:54:27 2010
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.907 2010/12/15 18:39:27 pooka Exp $
+# $NetBSD: mi,v 1.908 2010/12/17 09:54:27 jruoho Exp $
#
# Note: Don't delete entries from here - mark them as "obsolete" instead,
# unless otherwise stated below.
@@ -4806,6 +4806,7 @@
./var/chroot/pfspamd base-obsolete obsolete
./var/chroot/spamd base-obsolete obsolete
./var/chroot/sshd base-sys-root
+./var/chroot/tcpdump base-sys-root
./var/chroot/tftp-proxy base-sys-root
./var/crash base-sys-root
./var/cron base-cron-root
Index: src/etc/group
diff -u src/etc/group:1.25 src/etc/group:1.26
--- src/etc/group:1.25 Sun Nov 7 17:47:47 2010
+++ src/etc/group Fri Dec 17 09:54:27 2010
@@ -22,6 +22,7 @@
_httpd:*:24:
_mdnsd:*:25:
_atf:*:26:
+_tcpdump:*:27:
guest:*:31:root
nobody:*:39:
utmp:*:45:
Index: src/etc/master.passwd
diff -u src/etc/master.passwd:1.42 src/etc/master.passwd:1.43
--- src/etc/master.passwd:1.42 Sun Nov 7 17:47:47 2010
+++ src/etc/master.passwd Fri Dec 17 09:54:27 2010
@@ -16,5 +16,6 @@
_httpd:*:24:24::0:0:& pseudo-user:/var/www:/sbin/nologin
_mdnsd:*:25:25::0:0:& pseudo-user:/nonexistent:/sbin/nologin
_atf:*:26:26::0:0:& pseudo-user:/nonexistent:/sbin/nologin
+_tcpdump:*:27:27::0:0:& pseudo-user:/var/chroot/tcpdump:/sbin/nologin
uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/nonexistent:/sbin/nologin
nobody:*:32767:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin
Index: src/etc/mtree/NetBSD.dist.base
diff -u src/etc/mtree/NetBSD.dist.base:1.67 src/etc/mtree/NetBSD.dist.base:1.68
--- src/etc/mtree/NetBSD.dist.base:1.67 Wed Dec 8 23:56:02 2010
+++ src/etc/mtree/NetBSD.dist.base Fri Dec 17 09:54:28 2010
@@ -1,4 +1,4 @@
-# $NetBSD: NetBSD.dist.base,v 1.67 2010/12/08 23:56:02 njoly Exp $
+# $NetBSD: NetBSD.dist.base,v 1.68 2010/12/17 09:54:28 jruoho Exp $
# @(#)4.4BSD.dist 8.1 (Berkeley) 6/13/93
# Do not customize this file as it may be overwritten on upgrades.
@@ -1080,6 +1080,7 @@
./var/chroot/ntpd/var/run mode=0775 gname=ntpd
./var/chroot/pflogd mode=0755
./var/chroot/sshd mode=0755
+./var/chroot/tcpdump mode=0755
./var/chroot/tftp-proxy mode=0755
./var/crash mode=0770
./var/cron
Index: src/etc/mtree/special
diff -u src/etc/mtree/special:1.133 src/etc/mtree/special:1.134
--- src/etc/mtree/special:1.133 Tue Aug 24 13:18:04 2010
+++ src/etc/mtree/special Fri Dec 17 09:54:28 2010
@@ -1,4 +1,4 @@
-# $NetBSD: special,v 1.133 2010/08/24 13:18:04 christos Exp $
+# $NetBSD: special,v 1.134 2010/12/17 09:54:28 jruoho Exp $
# @(#)special 8.2 (Berkeley) 1/23/94
#
# This file may be overwritten on upgrades.
@@ -393,6 +393,7 @@
./var/chroot/ntpd/var/run type=dir mode=0775 gname=ntpd
./var/chroot/pflogd type=dir mode=0755
./var/chroot/sshd type=dir mode=0755
+./var/chroot/tcpdump type=dir mode=0755
./var/chroot/tftp-proxy type=dir mode=0755
./var/cron type=dir mode=0755
./var/cron/tabs type=dir mode=0700
Index: src/external/bsd/tcpdump/bin/Makefile
diff -u src/external/bsd/tcpdump/bin/Makefile:1.3 src/external/bsd/tcpdump/bin/Makefile:1.4
--- src/external/bsd/tcpdump/bin/Makefile:1.3 Sun Dec 5 05:52:46 2010
+++ src/external/bsd/tcpdump/bin/Makefile Fri Dec 17 09:54:28 2010
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.3 2010/12/05 05:52:46 christos Exp $
+# $NetBSD: Makefile,v 1.4 2010/12/17 09:54:28 jruoho Exp $
WARNS?= 1 # XXX: need to cleanup later
@@ -64,6 +64,9 @@
CPPFLAGS+=-DHAVE_CONFIG_H -D_U_="__attribute__((__unused__))"
+CPPFLAGS+=-DWITH_USER=\"_tcpdump\"
+CPPFLAGS+=-DWITH_CHROOT=\"/var/chroot/tcpdump\"
+
.if (${USE_INET6} != "no")
SRCS+= print-ip6.c print-ip6opts.c print-ripng.c print-icmp6.c print-frag6.c \
print-rt6.c print-ospf6.c print-dhcp6.c
Index: src/external/bsd/tcpdump/dist/tcpdump.1.in
diff -u src/external/bsd/tcpdump/dist/tcpdump.1.in:1.2 src/external/bsd/tcpdump/dist/tcpdump.1.in:1.3
--- src/external/bsd/tcpdump/dist/tcpdump.1.in:1.2 Sun Dec 5 05:11:31 2010
+++ src/external/bsd/tcpdump/dist/tcpdump.1.in Fri Dec 17 09:54:28 2010
@@ -1,6 +1,6 @@
.\" @(#) Header: /tcpdump/master/tcpdump/tcpdump.1.in,v 1.2 2008-11-09 23:35:03 mcr Exp (LBL)
.\"
-.\" $NetBSD: tcpdump.1.in,v 1.2 2010/12/05 05:11:31 christos Exp $
+.\" $NetBSD: tcpdump.1.in,v 1.3 2010/12/17 09:54:28 jruoho Exp $
.\"
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
@@ -620,12 +620,15 @@
and execute the command that you want.
.TP
.B \-Z
-Drops privileges (if root) and changes user ID to
-.I user
-and the group ID to the primary group of
-.IR user .
-.IP
-This behavior can also be enabled by default at compile time.
+By default,
+.I tcpdump
+operates in NetBSD under the privileges of the user ``_tcpdump''.
+Before the user ID and the corresponding primary group ID are changed,
+.I tcpdump
+will change the root directory to \fI/var/chroot/tcpdump\fP.
+By using the option
+.B \-Z
+the real and effective user and group IDs can be changed to ``user'' instead.
.IP "\fI expression\fP"
.RS
selects which packets will be dumped.
Index: src/usr.sbin/tcpdump/Makefile
diff -u src/usr.sbin/tcpdump/Makefile:1.50 src/usr.sbin/tcpdump/Makefile:1.51
--- src/usr.sbin/tcpdump/Makefile:1.50 Mon Sep 14 10:36:51 2009
+++ src/usr.sbin/tcpdump/Makefile Fri Dec 17 09:54:28 2010
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.50 2009/09/14 10:36:51 degroote Exp $
+# $NetBSD: Makefile,v 1.51 2010/12/17 09:54:28 jruoho Exp $
WARNS?= 1 # XXX: out of date third-party program
@@ -77,6 +77,9 @@
CPPFLAGS+=-DTCPDUMP_DO_SMB=1
CPPFLAGS+=-D_U_="__attribute__((unused))"
+CPPFLAGS+=-DWITH_USER=\"_tcpdump\"
+CPPFLAGS+=-DWITH_CHROOT=\"/var/chroot/tcpdump\"
+
.if (${USE_INET6} != "no")
SRCS+= print-ip6.c print-ip6opts.c print-ripng.c print-icmp6.c print-frag6.c \
print-rt6.c print-ospf6.c print-dhcp6.c
