Public bug reported:

Ubuntu applies this patch to the upstream tcpdump:
https://git.launchpad.net/ubuntu/+source/tcpdump/tree/debian/patches/drop-privs-after-opening-savefile.diff?h=applied/4.99.1-3ubuntu0.1

Vanilla tcpdump drops permissions (droproot) before it creates output files (pcap_dump_open). Ubuntu's tcpdump drops permissions before it creates output files *only if the -C flag is set*, because with -C tcpdump has to create output files later on (after it has dropped privileges), and users want permission errors immediately, not only after the first rotation. In every other case, it creates the output file with full privs, and thus is able to write to locations where it might not be able to after the drop.

Unfortunately the -G (rotate_seconds) flag also causes tcpdump to create output files later on (once per rotation, obviously). If you use -G without -C, Ubuntu's tcpdump creates the first file with full privs, drops the privs, waits until it is time to rotate, and then crashes if the permissions are insufficient.

This is very ugly to debug in scenarios where tcpdump is restarted automatically by e.g. systemd, because output files are being created and filled, but a few packets are missing at rotation.

The bug is probably quite old and well-known enough that Medium articles about it exist (https://medium.com/@a1i/permission-denied-problem-with-tcpdump-rotation-f643a74a4838). I thought it was an upstream issue (https://github.com/the-tcpdump-group/tcpdump/issues/1170#issuecomment-2042530097), but it is not.

To fix this issue, you probably (I did not test it) only need to replace
```
if (Cflag && (username || chroot_dir))
```
with
```
if ((Cflag || Gflag) && (username || chroot_dir))
```

Release:
```
root@majorpurpose:/tmp/pcaptest# lsb_release -rd
Description:	Ubuntu 22.04.4 LTS
Release:	22.04
```

Package version:
```
root@majorpurpose:/tmp/pcaptest# apt-cache policy tcpdump
tcpdump:
  Installed: 4.99.1-3ubuntu0.2
  Candidate: 4.99.1-3ubuntu0.2
  Version table:
 *** 4.99.1-3ubuntu0.2 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.99.1-3build2 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
```

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: tcpdump 4.99.1-3ubuntu0.2
ProcVersionSignature: Ubuntu 5.15.0-102.112-generic 5.15.148
Uname: Linux 5.15.0-102-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: pass
CloudArchitecture: x86_64
CloudID: none
CloudName: none
CloudPlatform: none
CloudSubPlatform: config
Date: Mon Apr 8 13:09:22 2024
InstallationDate: Installed on 2022-07-08 (639 days ago)
InstallationMedia: Ubuntu-Server 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220421)
ProcEnviron:
 TERM=screen
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: tcpdump
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: tcpdump (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug jammy uec-images

https://bugs.launchpad.net/bugs/2060557

Title:
  drop-privs-after-opening-savefile patch is broken if -G (rotate_seconds) is used
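
A pre-flight check for the failure described in this report, as an added example that is not part of the original bug report or of tcpdump: because the first savefile is created before the privilege drop, startup succeeds even when the account tcpdump drops to cannot create files in the output directory, and only the first rotation fails. The function names, the `tcpdump` user name and the `/var/captures` path are assumptions, and only classic mode bits are evaluated.

```shell
#!/bin/sh
# Pre-flight check before starting "tcpdump -G ... -w DIR/..." (added example).
# Creating a file needs write+search (w+x) on the directory. Only the classic
# owner/group/other bits are evaluated; ACLs and LSM policy are NOT.

# dir_creatable_by UID "GID GID ..." OWNER_UID OWNER_GID OCTAL_MODE
# Returns 0 if the mode bits let that user create files in the directory.
dir_creatable_by() {
    uid=$1; gids=$2; o_uid=$3; o_gid=$4
    mode=$(( 0$5 ))                           # leading 0: parse as octal
    if [ "$uid" -eq 0 ]; then return 0; fi    # root bypasses mode bits
    if [ "$uid" -eq "$o_uid" ]; then
        bits=$(( (mode >> 6) & 7 ))           # owner class
    else
        bits=$(( mode & 7 ))                  # other class unless a group matches
        for g in $gids; do
            if [ "$g" -eq "$o_gid" ]; then
                bits=$(( (mode >> 3) & 7 ))   # group class
                break
            fi
        done
    fi
    [ $(( bits & 3 )) -eq 3 ]                 # need both w (2) and x (1)
}

# check_capture_dir USER DIR: same check with live values from id(1) and
# GNU stat(1). USER is the account tcpdump drops to.
check_capture_dir() {
    set -- "$1" "$2" $(stat -c '%u %g %a' "$2")
    if dir_creatable_by "$(id -u "$1")" "$(id -G "$1")" "$3" "$4" "$5"; then
        echo "ok: $1 can create rotated savefiles in $2"
    else
        echo "FAIL: $1 cannot create files in $2; rotation will fail" >&2
        return 1
    fi
}

# Hypothetical usage (user name and path are assumptions):
#   check_capture_dir tcpdump /var/captures || exit 1
```

Running the check from the same unit or script that launches tcpdump turns the delayed rotation crash into an immediate startup error.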