On UNIX, give up set-UID and set-GID privileges before opening capture
files and immediately after opening capture devices, so we run without privileges as much as possible. svn path=/trunk/; revision=8837
parent
deff880da1
commit
b350eb28d3
32
tethereal.c
32
tethereal.c
|
@ -1,6 +1,6 @@
|
|||
/* tethereal.c
|
||||
*
|
||||
* $Id: tethereal.c,v 1.202 2003/10/10 21:13:21 guy Exp $
|
||||
* $Id: tethereal.c,v 1.203 2003/10/30 19:56:47 guy Exp $
|
||||
*
|
||||
* Ethereal - Network traffic analyzer
|
||||
* By Gerald Combs <gerald@ethereal.com>
|
||||
|
@ -1354,6 +1354,20 @@ main(int argc, char *argv[])
|
|||
}
|
||||
cfile.rfcode = rfcode;
|
||||
if (cf_name) {
|
||||
/*
|
||||
* We're reading a capture file.
|
||||
*/
|
||||
|
||||
#ifndef _WIN32
|
||||
/*
|
||||
* Immediately relinquish any set-UID or set-GID privileges we have;
|
||||
* we must not be allowed to read any capture files the user running
|
||||
* Tethereal can't open.
|
||||
*/
|
||||
setuid(getuid());
|
||||
setgid(getgid());
|
||||
#endif
|
||||
|
||||
err = cf_open(cf_name, FALSE, &cfile);
|
||||
if (err != 0) {
|
||||
epan_cleanup();
|
||||
|
@ -1542,6 +1556,22 @@ capture(int out_file_type)
|
|||
#endif
|
||||
}
|
||||
|
||||
#ifndef _WIN32
|
||||
/*
|
||||
* We've opened the capture device, so, if we're set-UID or set-GID,
|
||||
* relinquish those privileges.
|
||||
*
|
||||
* XXX - if we have saved set-user-ID support, we should give up those
|
||||
* privileges immediately, and then reclaim them long enough to get
|
||||
* a list of network interfaces and to open one, and then give them
|
||||
* up again, so that stuff we do while processing the argument list,
|
||||
* reading the user's preferences, etc. is done as the real user and
|
||||
* group, not the effective user and group.
|
||||
*/
|
||||
setuid(getuid());
|
||||
setgid(getgid());
|
||||
#endif
|
||||
|
||||
if (cfile.cfilter && !ld.from_pipe) {
|
||||
/* A capture filter was specified; set it up. */
|
||||
if (pcap_lookupnet(cfile.iface, &netnum, &netmask, lookup_net_err_str) < 0) {
|
||||
|
|
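Review bot: Both privilege drops, the one before `cf_open()` in main() and the one after the capture device is opened in capture(), call `setuid(getuid())` before `setgid(getgid())` and ignore both return values. If the binary is installed set-UID root, the setuid() call gives up root first, so the following setgid() runs unprivileged and can change only the effective GID, leaving the saved set-group-ID in place. If either call fails, execution continues into opening the capture file or processing packets with the privileges the comment says must be gone. Drop the group first and treat failure as fatal in both places, e.g. `if (setgid(getgid()) != 0 || setuid(getuid()) != 0) { perror("tethereal: can't relinquish privileges"); exit(1); }`. main() and capture() both start and end outside the hunks shown, so what runs with elevated privileges before these points cannot be judged here beyond what the XXX comment already states.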