drop-privs-after-opening-savefile patch is broken if -G (rotate_seconds) is used

Bug #2060557 reported by Benedikt Radtke
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tcpdump (Ubuntu) | New | Undecided | Unassigned | |

Bug Description

Ubuntu applies this patch to the upstream tcpdump: https://git.launchpad.net/ubuntu/+source/tcpdump/tree/debian/patches/drop-privs-after-opening-savefile.diff?h=applied/4.99.1-3ubuntu0.1

Vanilla tcpdump drops permissions (droproot) before it creates output files (pcap_dump_open).

Ubuntu's tcpdump drops permissions before it creates output files *only if the -C flag is set*, because with -C tcpdump has to create output files later on (after it has dropped privileges), and users want permission errors immediately, not only after the first rotation. In every other case, it creates the output file with full privs, and thus is able to write to locations where it might not be able to after the drop.

Unfortunately the -G (rotate_seconds) flag also causes tcpdump to create output files later on (once per rotation, obviously). If you use -G without -C, Ubuntu's tcpdump creates the first file with full privs, drops the privs, waits until it is time to rotate, and then crashes if the permissions are insufficient. This is very ugly to debug in scenarios where tcpdump is restarted automatically by e.g. systemd, because output files are being created and filled, but a few packets are missing at rotation.

The bug is probably quite old and well-known enough that Medium articles about it exist (https://medium.com/@a1i/permission-denied-problem-with-tcpdump-rotation-f643a74a4838). I thought it was an upstream issue (https://github.com/the-tcpdump-group/tcpdump/issues/1170#issuecomment-2042530097), but it is not.

To fix this issue, you probably (I did not test it) only need to replace
```
if (Cflag && (username || chroot_dir))
```
with
```
if ((Cflag || Gflag) && (username || chroot_dir))
```

Release:
```
root@majorpurpose:/tmp/pcaptest# lsb_release -rd
Description: Ubuntu 22.04.4 LTS
Release: 22.04
```

Package version:
```
root@majorpurpose:/tmp/pcaptest# apt-cache policy tcpdump
tcpdump:
  Installed: 4.99.1-3ubuntu0.2
  Candidate: 4.99.1-3ubuntu0.2
  Version table:
 *** 4.99.1-3ubuntu0.2 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.99.1-3build2 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
```

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: tcpdump 4.99.1-3ubuntu0.2
ProcVersionSignature: Ubuntu 5.15.0-102.112-generic 5.15.148
Uname: Linux 5.15.0-102-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: pass
CloudArchitecture: x86_64
CloudID: none
CloudName: none
CloudPlatform: none
CloudSubPlatform: config
Date: Mon Apr 8 13:09:22 2024
InstallationDate: Installed on 2022-07-08 (639 days ago)
InstallationMedia: Ubuntu-Server 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220421)
ProcEnviron:
 TERM=screen
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: tcpdump
UpgradeStatus: No upgrade log present (probably fresh install)
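
A pre-flight check for the failure mode described in this report, as an added example (not code from the reporter or from the tcpdump package): it flags a command line that uses `-w` with `-G` but without `-C` when the post-drop user cannot create files in the savefile directory. The function names, the simplified option parsing, and the caller-supplied uid/gids of the drop user are assumptions of this sketch.

```python
import os


def parse_flags(argv):
    """Collect -w/-G/-C values from a tcpdump argv.

    Simplified (assumption): each option is its own token followed by its
    value; bundled forms such as "-nG 60" are not recognised.
    """
    wanted = {"-w", "-G", "-C"}
    found = {}
    for i, tok in enumerate(argv[:-1]):
        if tok in wanted:
            found[tok] = argv[i + 1]
    return found


def can_create_in(directory, uid, gids):
    """True if (uid, gids) may create files in directory.

    Judged from the directory's mode bits only; ACLs, capabilities and the
    search permission on parent directories are not checked.
    """
    if uid == 0:
        return True
    st = os.stat(directory)
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7      # owner class
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7      # group class
    else:
        bits = st.st_mode & 7             # other class
    return bits & 3 == 3                  # need write + search (w and x)


def rotation_will_fail(argv, uid, gids):
    """Detect the case from this report: the first savefile is opened before
    the privilege drop, but every rotated file is opened after it."""
    flags = parse_flags(argv)
    if "-w" not in flags or "-G" not in flags or "-C" in flags:
        return False                      # -C already forces the early drop
    directory = os.path.dirname(flags["-w"]) or "."
    return not can_create_in(directory, uid, gids)
```

Pass the uid and group ids of the account tcpdump drops to; a `True` result means the first file would be created but the capture would fail at the first rotation.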
