diff options
| author |   deraadt <deraadt@openbsd.org> | 2016-07-24 22:46:32 +0000 |
|---|---|---|
| committer | deraadt <deraadt@openbsd.org> | 2016-07-24 22:46:32 +0000 |
| commit | dd67b7755e42577c175dbd227baa405747b15cd0 (patch) | |
| tree | ea0f6e9ed83e8b7d648917a65dcdead3b0e0c405 | |
| parent | bump version (diff) | |
| download | wireguard-openbsd-dd67b7755e42577c175dbd227baa405747b15cd0.tar.xz wireguard-openbsd-dd67b7755e42577c175dbd227baa405747b15cd0.zip | |
Split the root vs not-root cases better with regards to chroot setup.
ok kettenis benno tedu canacar
| -rw-r--r-- | usr.sbin/tcpdump/privsep.c | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/usr.sbin/tcpdump/privsep.c b/usr.sbin/tcpdump/privsep.c index 8bc37b65795..cdc19141dd2 100644 --- a/usr.sbin/tcpdump/privsep.c +++ b/usr.sbin/tcpdump/privsep.c @@ -1,4 +1,4 @@ -/* $OpenBSD: privsep.c,v 1.41 2016/07/21 07:22:38 deraadt Exp $ */ +/* $OpenBSD: privsep.c,v 1.42 2016/07/24 22:46:32 deraadt Exp $ */ /* * Copyright (c) 2003 Can Erkin Acar @@ -164,26 +164,29 @@ priv_init(int argc, char **argv) sigprocmask(SIG_SETMASK, &oset, NULL); /* - * Parent, attempt to drop privs and chroot. If any of this - * fails that is OK, safety is still provided by pledge(2). + * If run as regular user, packet parser will rely on + * pledge(2). If we are root, we want to chroot also.. */ + if (getuid() != 0) + return (0); + pw = getpwnam("_tcpdump"); if (pw == NULL) - return (0); + errx(1, "unknown user _tcpdump"); /* Attempt to chroot */ if (chroot(pw->pw_dir) == -1) - return (0); + errx(1, "unable to chroot"); if (chdir("/") == -1) - return (0); + err(1, "unable to chdir"); /* drop to _tcpdump */ if (setgroups(1, &pw->pw_gid) == -1) - return (0); + err(1, "setgroups() failed"); if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) - return (0); + err(1, "setresgid() failed"); if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1) - return (0); + err(1, "setresuid() failed"); return (0); } |