Red Hat Bugzilla – Bug 49635
PATCH: tcpdump to drop root by default
Last modified: 2008-05-01 11:38:00 EDT
Due to security considerations, it might be a good idea to drop root
by default as 'pcap' user is being added for arpwatch anyway as "-U user" is rather
clumsy to use.
add autoheader, configure --with-user=pcap and there you go :-)
Naturally requires some basic username hacking in the src.rpm
(potential problem: both arpwatch and tcpdump require pcap user;
solution: make arpwatch require tcpdump >= 3.6.2-7 or the like)
Created attachment 24490
drop root by default
Question: Why can't we use nobody as a user, or does tcpdump need to write
I think this would break all scripts that have:
tcpdump -w file
because it is not assured that user 'pcap' or any other default user has write
access to 'file'.
Or we disable the droproot, if -w is specified.. Comments?
nobody is used for dropping root the most often, so if the uid=nobody is
the damage might spread too far. With pcap, this would probably be more
Writing and reading files work because the patch is made so the dropping of
only done after opening/creating the files.
oops... was, the drop by default ... hmm, not yet :)
No big hurry with this I think.
should be fixed in 3.6.2-10 or newer
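
The ordering discussed in the thread (open or create the output file first, drop root only afterwards), as an added example that is not part of the original bug report or the attached patch. It is not tcpdump's code: the function names, the default file name and the return-code convention are assumptions; `pcap` is the user named in the thread.

```c
#define _DEFAULT_SOURCE                 /* for setgroups() on glibc */
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Open (create/truncate) the capture file while still privileged. */
int open_savefile(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Returns 0 if root was dropped, 1 if we were not root, -1 on failure. */
int drop_root(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 1;                       /* nothing to drop */
    /* Order matters: supplementary groups and gid first, uid last. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop must be permanent: regaining uid 0 has to fail. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* "capture.out" is a hypothetical default, standing in for "-w file". */
    const char *path = argc > 1 ? argv[1] : "capture.out";
    int fd = open_savefile(path);       /* step 1: still root here */
    if (fd < 0) { perror("open"); return 1; }

    struct passwd *pw = getpwnam("pcap");
    if (pw == NULL) { fprintf(stderr, "no pcap user\n"); return 1; }
    int rc = drop_root(pw->pw_uid, pw->pw_gid);     /* step 2 */
    if (rc < 0) { perror("drop_root"); return 1; }  /* never continue as root */

    /* step 3: the descriptor opened as root stays writable after the drop */
    if (write(fd, "pkt\n", 4) != 4) { perror("write"); return 1; }
    close(fd);
    return 0;
}
```

Because the descriptor is obtained before the uid change, the unprivileged user never needs write permission on the path itself.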