Page MenuHomeFreeBSD
Differential D15841

Migrate tcpdump to a dedicated user
ClosedPublic
Actions

Authored by eadler on Jun 16 2018, 3:57 AM.
Tags
None
Referenced Files
Unknown Object (File)
Nov 23 2024, 10:03 PM
Unknown Object (File)
Nov 23 2024, 5:04 AM
Unknown Object (File)
Nov 14 2024, 3:54 PM
Unknown Object (File)
Nov 10 2024, 6:51 PM
Unknown Object (File)
Nov 9 2024, 6:48 PM
Unknown Object (File)
Nov 7 2024, 7:29 AM
Unknown Object (File)
Nov 5 2024, 8:39 AM
Unknown Object (File)
Oct 25 2024, 1:38 PM
View All Files
Subscribers
mat
matthew

Details

Reviewers
matthew
Commits
rP472578: net/tcpdump: use dedicated user for privsep
Summary

"nobody" should only be used by NFS and nothing should run as
it. Instead give tcpdump a dedicated user.

(this was already approved by maintainer; phab is for mechanical
correctness)

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

eadler created this revision.Jun 16 2018, 3:57 AM
Herald added a subscriber: mat. · View Herald TranscriptJun 16 2018, 3:57 AM
Harbormaster completed remote builds in B17324: Diff 43862.Jun 16 2018, 3:57 AM
matthew added a subscriber: matthew.Jun 16 2018, 6:46 AM
matthew added a comment.Jun 16 2018, 7:00 AM

This is good, but you need to add the last bit that will create the special user when the package is installed.

You shouldn't create the userid unconditionally for a package where the USER option defaults to off.

USER_VARS= USERS=${UNPRIV_USER} GROUPS=${UNPRIV_USER}

You should update the USER_DESC setting too

matthew added a reviewer: matthew.Jun 16 2018, 7:00 AM
eadler updated this revision to Diff 43922.Jun 16 2018, 7:36 PM

per @matthew

Harbormaster completed remote builds in B17357: Diff 43922.Jun 16 2018, 7:36 PM
matthew added a comment.Jun 16 2018, 8:00 PM

Test builds with the USER option selected are failing when trying to create the tcpdump group due to a malformed GIDs line.
Fixing that locally means everything builds OK, although there is this warning at the end of the configure phase:

...
configure: creating ./config.status
config.status: creating Makefile
config.status: creating tcpdump.1
config.status: creating config.h
config.status: executing default-1 commands
configure: WARNING: unrecognized options: --enable-ipv6

Looks like IPv6 support is no longer optional.

GIDs
828 ↗(On Diff #43922)

You're missing a field here:

tcpdump:*:885

matthew accepted this revision.Jun 16 2018, 8:09 PM

Approved, subject to addressing my latest comments.

This revision is now accepted and ready to land.Jun 16 2018, 8:09 PM
Closed by commit rP472578: net/tcpdump: use dedicated user for privsep (authored by eadler). · Explain WhyJun 17 2018, 12:08 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
2 lines
2 lines
net/
tcpdump/
9 lines

Diff 43927

View Options

head/GIDs

Loading...
View Options

head/UIDs

Loading...
View Options

head/net/tcpdump/Makefile

Loading...