cpet/freebsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

net/tcpdump: use dedicated user for privsep

Browse Source 
"nobody" should only be used by NFS and nothing should run as
it. Instead give tcpdump a dedicated user.

Also note that IPv6 is no longer optional, so just remove the option

Approved by:	garga (maintainer, older version)
Reviewed by:	matthew
Differential Revision:	https://reviews.freebsd.org/D15841
This commit is contained in:
Eitan Adler 2018-06-17 00:08:22 +00:00
parent 933be6c634
commit 6986c79d7a
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=472578
3 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
GIDs
View File

@ -825,7 +825,7 @@ _geodns:*:853:
# free: 882
# free: 883
# free: 884
# free: 885
tcpdump:*:885:
miniflux:*:886:
pdagent:*:887:
vuls:*:888:

2
UIDs
View File

@ -831,7 +831,7 @@ archiva:*:871:871::0:0:Apache Archiva Daemon:/nonexistent:/usr/sbin/nologin
# free: 882
# free: 883
# free: 884
# free: 885
tcpdump:*:885:885::0:0:tcpdump user:/nonexistent:/usr/sbin/nologin
miniflux:*:886:886::0:0:Miniflux:/nonexistent:/usr/sbin/nologin
pdagent:*:887:887::0:0:PagerDuty Agent:/nonexistent:/usr/sbin/nologin
vuls:*:888:888::0:0:VULnerability Scanner:/var/db/vuls:/usr/sbin/nologin

9
net/tcpdump/Makefile
View File

@ -3,6 +3,7 @@
PORTNAME= tcpdump
PORTVERSION= 4.9.2
PORTREVISION= 1
CATEGORIES= net ipv6
MASTER_SITES= http://www.tcpdump.org/release/
@ -16,10 +17,10 @@ LIB_DEPENDS= libpcap.so.1:net/libpcap
GNU_CONFIGURE= yes
USES= gmake
UNPRIV_USER?= nobody
UNPRIV_USER?= tcpdump
CHROOTDIR?= /var/run/tcpdump
OPTIONS_DEFINE= CRYPTO IPV6 SMB SMI USER CHROOT
OPTIONS_DEFINE= CRYPTO SMB SMI USER CHROOT
OPTIONS_DEFAULT= CRYPTO SMB SMI
CRYPTO_DESC= Support IPSEC and TCPMD5
@ -28,16 +29,16 @@ CRYPTO_DESC= Support IPSEC and TCPMD5
# is not true. It will just not print it if this option is off.
SMB_DESC= Support printing SMB information
SMI_DESC= Allow MIBs to be loaded on the fly
USER_DESC= Drop privileges to nobody
USER_DESC= Drop privileges to dedicated user
CHROOT_DESC= Chroot to /var/run/tcpdump (set CHROOTDIR to change)
CRYPTO_USES= ssl
CRYPTO_CONFIGURE_WITH= crypto
IPV6_CONFIGURE_ENABLE= ipv6
SMB_CONFIGURE_ENABLE= smb
SMI_CONFIGURE_WITH= smi
SMI_LIB_DEPENDS= libsmi.so:net-mgmt/libsmi
USER_CONFIGURE_ON= --with-user=${UNPRIV_USER}
USER_VARS= USERS=${UNPRIV_USER} GROUPS=${UNPRIV_USER}
CHROOT_CONFIGURE_ON= --with-chroot=${CHROOTDIR}
PLIST_FILES= sbin/tcpdump \