Bug 176391

Summary: net-analyzer/tcpdump - drop privileges by default at compile time
Product: Gentoo Linux
Reporter: Jukka Ruohonen <drear>
Component: New packages
Assignee: Gentoo Netmon project <netmon>
Severity: enhancement
CC: drear, rane
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Package list:
Runtime testing required: ---

Description Jukka Ruohonen 2007-04-28 19:01:05 UTC
As the man page of tcpdump says, the option -Z (drop privileges from root to a user) can be enabled by default at compile time (by --with-user=USERNAME).

This is a request to make that behavior enabled by default.

This request fits any reasonable security-related policy. But if there is some specific reason not to follow this practice (i.e. this will probably mean an addition of tcpdump-user or usage of some existing default user account?), please kindly ignore this request.
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2007-04-29 04:49:42 UTC
Jukka, you can use EXTRA_ECONF="--with-user=USERNAME" emerge tcpdump or, if you do not want to lose this setting on re-emerge, save this environment variable in /etc/portage/env/net-analyzer/tcpdump to get the desired behaviour.

$ cat /etc/portage/env/net-analyzer/tcpdump

No need to fix anything. :)
Comment 2 Jukka Ruohonen 2007-04-29 06:39:10 UTC
I was completely unaware of such environmental variables, and therefore, thank you.

Can I further confirm that there are generally no aims for such behavior to be enabled by default with potentially risky packages related to network sphere?

(As tcpdump is just a small example regarding the general question, this seems to be the policy followed by Red Hat, for instance[1].)

Comment 3 Peter Volkov (RETIRED) gentoo-dev 2007-04-29 11:12:53 UTC
tcpdump is not a server application and is just a debugging tool. It could be configured from the command line, and for the build process an easy way to achieve the goal exists... But well. Let's keep this as an enhancement.
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2007-05-05 19:15:44 UTC
I think having this enabled can be useful.
Comment 5 Peter Volkov (RETIRED) gentoo-dev 2007-07-10 13:46:18 UTC
Well. I've committed a fix in tcpdump-3.9.6-r1 and tcpdump-3.9.5-r3. Now we create a tcpdump user and drop privileges by default.
Comment 6 Jukka Ruohonen 2007-08-27 13:49:18 UTC
I won't reopen this one, but I am nevertheless curious why this feature was removed from the 1.3.7?
Comment 7 Cédric Krier gentoo-dev 2007-08-27 22:03:14 UTC
I re-enable the feature in cvs in version 3.9.7-r1
Comment 8 dacook 2011-03-11 01:02:29 UTC
Note I've submitted bug 358329 to reverse this choice, or to make it USE configurable, and explain why in that bug.
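
One way to check that the privilege drop discussed in this bug (-Z, or the --with-user compile-time default) is actually in effect for a running capture, as an added example that is not part of the bug thread or of the Gentoo ebuild. It assumes a Linux /proc filesystem; the function names and UID/GID 102 for the tcpdump user are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread). Function names and UID 102 are assumptions.

# priv_state: read /proc/<pid>/status text on stdin and print
#   root    - effective UID or GID is still 0
#   partial - effective IDs are non-zero, but a real/saved/fs ID is still 0
#   dropped - all four UIDs and all four GIDs are non-zero
#   unknown - Uid:/Gid: lines not found
priv_state() {
    awk '
        $1 == "Uid:" { u = 1; ur = $2; ue = $3; us = $4; uf = $5 }
        $1 == "Gid:" { g = 1; gr = $2; ge = $3; gs = $4; gf = $5 }
        END {
            if (!u || !g)           { print "unknown"; exit }
            if (ue == 0 || ge == 0) { print "root";    exit }
            if (ur == 0 || us == 0 || uf == 0 || gr == 0 || gs == 0 || gf == 0) {
                print "partial"; exit
            }
            print "dropped"
        }'
}

# check_running_tcpdump: report the state of every live tcpdump process.
check_running_tcpdump() {
    for pid in $(pgrep -x tcpdump); do
        [ -r "/proc/$pid/status" ] || continue
        printf '%s %s\n' "$pid" "$(priv_state < "/proc/$pid/status")"
    done
}

# Constructed samples (real status files separate the fields with tabs).
SAMPLE_ROOT='Name: tcpdump
Uid: 0 0 0 0
Gid: 0 0 0 0'
SAMPLE_PARTIAL='Name: tcpdump
Uid: 0 102 0 102
Gid: 0 102 0 102'
SAMPLE_DROPPED='Name: tcpdump
Uid: 102 102 102 102
Gid: 102 102 102 102'

for s in "$SAMPLE_ROOT" "$SAMPLE_PARTIAL" "$SAMPLE_DROPPED"; do
    printf '%s\n' "$s" | priv_state
done
```

A "partial" result means the saved or real ID is still 0, so the process could regain root; only "dropped" indicates a complete drop.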