NetBSD Problem Report #48005

From www@NetBSD.org  Thu Jul  4 15:25:15 2013
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id AE0BD71873
	for <gnats-bugs@gnats.NetBSD.org>; Thu,  4 Jul 2013 15:25:15 +0000 (UTC)
Message-Id: <20130704152502.888D27187B@mollari.NetBSD.org>
Date: Thu,  4 Jul 2013 15:25:02 +0000 (UTC)
From: joern.clausen@uni-bielefeld.de
Reply-To: joernc@gmail.com
To: gnats-bugs@NetBSD.org
Subject: tcpdump: option -C broken
X-Send-Pr-Version: www-1.0

>Number:         48005
>Category:       bin
>Synopsis:       tcpdump: option -C broken
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jul 04 15:30:00 +0000 2013
>Last-Modified:  Tue Jan 29 06:47:04 +0000 2019
>Originator:     Jörn Clausen
>Release:        NetBSD 6.1 (GENERIC) amd64
>Organization:
University of Bielefeld
>Environment:
>Description:
Option "-C" (write chunks) in /usr/sbin/tcpdump is broken:

$ tcpdump -w tcp.dump -C 1
tcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 65535 bytes
tcpdump: tcp.dump1: Permission denied

after the first chunk has been read. ktruss shows

  1073      1 tcpdump  open("tcp.dump1", 0x601, 0x1b6) Err#13 EACCES


tcpdump 4.4.0 from pkgsrc on the same machine works as expected.
>How-To-Repeat:

>Fix:

>Release-Note:

>Audit-Trail:
From: "David H. Gutteridge" <dhgutteridge@sympatico.ca>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/48005 (tcpdump: option -C broken)
Date: Wed, 22 Feb 2017 00:40:27 -0500

 The reason option -C isn't working for you as you'd expect is because
 NetBSD's tcpdump drops privileges and runs chrooted as _tcpdump. So
 after the first output file has been opened, the process no longer has
 the access permissions to open further files.

 That's noted in the man page under the -Z option, though it's actually
 a bit misleading, since the man page first states that privileges are
 dropped before opening any output files, but that's not the case for
 NetBSD. By default you'll end up with the first output file, and then
 output will stop once that file's full, as you've found.

 To work around that, you can run tcpdump with "-Z root", which I just
 tested, and indeed it writes further output files. Though what
 happened for me was it wrote the first file where I specified, and
 then the rest under /var/chroot/tcpdump, since it ends up running in
 the chroot, but with root privileges.

 Dave

From: =?UTF-8?Q?J=c3=b6rn_Clausen?= <joern.clausen@uni-bielefeld.de>
To: gnats-bugs@NetBSD.org, gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org
Cc: 
Subject: Re: bin/48005 (tcpdump: option -C broken)
Date: Wed, 22 Feb 2017 13:14:22 +0100

 I didn't expect an answer after all this time :)

 Thanks for the explanation. From my point of view this PR can be closed, 
 but maybe someone wants to fix the documentation?

 -- 
 Jörn Clausen
 Plattformen & Serverdienste
 Hochschulrechenzentrum

 Universität Bielefeld
 Universitätsstraße 25
 33615 Bielefeld
 Telefon: +49 521 106-12601
 E-Mail: joern.clausen@uni-bielefeld.de

 http://www.uni-bielefeld.de/hrz

From: "David H. Gutteridge" <dhgutteridge@sympatico.ca>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/48005 (tcpdump: option -C broken)
Date: Wed, 22 Feb 2017 22:35:59 -0500

 On Wed, 22 Feb 2017, at 13:14:22 +0100, Jörn Clausen wrote:
 > I didn't expect an answer after all this time :)
 >
 > Thanks for the explanation. From my point of view this PR can be
 > closed, but maybe someone wants to fix the documentation?

 I'll have a go at suggesting some brief additions if no one else gets
 to it first. (There was originally a touch more detail under the -Z
 option that seems pertinent from my perspective which was removed
 during one of the many merges over the years. Also, -C should carry a
 warning.)

 If you're using the pkgsrc version of tcpdump, note that as of today,
 it also enforces dropped privileges.[1] (I think that, too, merits a
 warning in the applicable man page. Also, in my understanding, it will
 still behave differently than the base NetBSD version as concerns
 opening output files.)

 1. http://mail-index.netbsd.org/pkgsrc-changes/2017/02/22/msg153360.html

 Regards,

 Dave

From: "David H. Gutteridge" <dhgutteridge@sympatico.ca>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/48005 (tcpdump: option -C broken)
Date: Thu, 02 Mar 2017 18:19:45 -0500

 My suggested amendments to the tcpdump man page:

 --- tcpdump.1.in~
 +++ tcpdump.1.in
 @@ -20,7 +20,7 @@
  .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES
 OF
  .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  .\"
 -.TH TCPDUMP 8  "17 September 2015"
 +.TH TCPDUMP 8  "2 March 2017"
  .SH NAME
  tcpdump \- dump traffic on a network
  .SH SYNOPSIS
 @@ -254,6 +254,11 @@
  flag, with a number after it, starting at 1 and continuing upward.
  The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,
  not 1,048,576 bytes).
 +.IP
 +Note if this is used in conjunction with the
 +.B \-Z
 +option (the default on NetBSD), the process will likely not have
 +adequate permissions to open subsequent savefiles.
  .TP
  .B \-d
  Dump the compiled packet-matching code in a human readable form to
 @@ -861,15 +866,16 @@
  .PD
  If
  .I tcpdump
 -is running as root, after opening the capture device or input savefile,
 -but before opening any savefiles for output, change the user ID to
 +is running as root, after opening the capture device, input savefile,
 +or initial output savefile, change the user ID to
  .I user
  and the group ID to the primary group of
  .IR user .
  .IP
  This behavior is the default for NetBSD where
  .I tcpdump 
 -runs as the user ``_tcpdump''.
 +runs as the user ``_tcpdump'', with its root directory changed to
 +\fI/var/chroot/tcpdump\fP.
  .IP "\fI expression\fP"
  .RS
  selects which packets will be dumped.

From: coypu@SDF.ORG
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/48005 (tcpdump: option -C broken)
Date: Fri, 10 Mar 2017 12:09:56 +0000

 I learned that tcpdump has this option from your bug report and decided
 to modify the pkgsrc package to do the same since it can do it too.
 Thanks for mentioning it.

 I think it's more than worth it, tcpdump recently had the following
 advisory: http://seclists.org/oss-sec/2017/q1/230 (All of them are the
 same error).

From: "David H. Gutteridge" <dhgutteridge@sympatico.ca>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/48005 (tcpdump: option -C broken)
Date: Wed, 22 Mar 2017 16:02:01 -0400

 >I learned that tcpdump has this option from your bug report and decided
 >to modify the pkgsrc package to do the same since it can do it too.
 >Thanks for mentioning it.
 >
 >I think it's more than worth it, tcpdump recently had the following
 >advisory: http://seclists.org/oss-sec/2017/q1/230 (All of them are the
 >same error).

 Sure, but this change violates "the principle of least surprise", since
 it significantly alters how the software behaves. At the least, the
 pkgsrc version should have a MESSAGE file provided that warns users it
 runs unprivileged by default, since this will break the very
 functionality under discussion in this PR. (And it will still behave
 inconsistently from the native NetBSD version concerning the initial
 output file.)

 It's frustrating that tools like this are altered and then these
 alterations are not fully documented, as is presently the case with
 the native NetBSD version (which opens the initial input file before
 dropping privileges, unlike upstream tcpdump).

 Dave

From: coypu@SDF.ORG
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/48005
Date: Wed, 22 Mar 2017 21:25:22 +0000

 Vanilla tcpdump does this:
 > sudo /usr/pkg/sbin/tcpdump -n -i alc0
 dropped privs to _tcpdump
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on alc0, link-type EN10MB (Ethernet), capture size 262144 bytes

 christos removed the message from netbsd tcpdump.

From: "David H. Gutteridge" <dhgutteridge@sympatico.ca>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/48005 (tcpdump: option -C broken)
Date: Wed, 22 Mar 2017 18:19:41 -0400

 >Vanilla tcpdump does this:
 > > sudo /usr/pkg/sbin/tcpdump -n -i alc0
 > dropped privs to _tcpdump
 > tcpdump: verbose output suppressed, use -v or -vv for full protocol
 decode
 > listening on alc0, link-type EN10MB (Ethernet), capture size 262144
 bytes
 > 
 > christos removed the message from netbsd tcpdump.

 Ah, I stand corrected then, sorry. (I've never used the vanilla tcpdump
 on NetBSD, nor a privilege-separated version on other OSes.) No issue
 with the pkgsrc version.

 Dave

>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.43 2018/01/16 07:36:43 maya Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2017 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.