Репозиторий Sisyphus
Последнее обновление: 20 сентября 2019 | Пакетов: 17474 | Посещений: 15135605
en ru br
Репозитории ALT
S:4.9.2-alt1
5.1: 3.9.8-alt1
4.1: 3.9.7-alt1
4.0: 3.9.7-alt1
+updates:3.9.7-alt1
3.0: 3.8.2-alt3
www.altlinux.org/Changes

Группа :: Мониторинг
Пакет: tcpdump

 Главная   Изменения   Спек   Патчи   Sources   Загрузить   Gear   Bugs and FR  Repocop 

Патч: tcpdump-3.9.8-alt1.patch
Скачать


 Makefile.in     |    8 ++++----
 addrtoname.c    |   52 ++++++++++++++++++++++++++++++++++++++++++++++++----
 configure.in    |   16 +++++++++-------
 print-ether.c   |    2 +-
 print-ip6opts.c |    2 +-
 tcpdump.1       |   30 +++++++++++++++++++-----------
 tcpdump.c       |   29 +++++++++++++++++++++++------
 7 files changed, 105 insertions(+), 34 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index dcc8f40..31ae1fe 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -160,13 +160,13 @@ install:
 	[ -d $(DESTDIR)$(sbindir) ] || \
 	    (mkdir -p $(DESTDIR)$(sbindir); chmod 755 $(DESTDIR)$(sbindir))
 	$(INSTALL_PROGRAM) $(PROG) $(DESTDIR)$(sbindir)/$(PROG)
-	[ -d $(DESTDIR)$(mandir)/man1 ] || \
-	    (mkdir -p $(DESTDIR)$(mandir)/man1; chmod 755 $(DESTDIR)$(mandir)/man1)
-	$(INSTALL_DATA) $(srcdir)/$(PROG).1 $(DESTDIR)$(mandir)/man1/$(PROG).1
+	[ -d $(DESTDIR)$(mandir)/man8 ] || \
+	    (mkdir -p $(DESTDIR)$(mandir)/man8; chmod 755 $(DESTDIR)$(mandir)/man8)
+	$(INSTALL_DATA) $(srcdir)/$(PROG).1 $(DESTDIR)$(mandir)/man8/$(PROG).8
 
 uninstall:
 	rm -f $(DESTDIR)$(sbindir)/$(PROG)
-	rm -f $(DESTDIR)$(mandir)/man1/$(PROG).1
+	rm -f $(DESTDIR)$(mandir)/man8/$(PROG).8
 
 lint: $(GENSRC)
 	lint -hbxn $(SRC) | \
diff --git a/addrtoname.c b/addrtoname.c
index 53d615f..f7c6a64 100644
--- a/addrtoname.c
+++ b/addrtoname.c
@@ -225,7 +225,6 @@ static u_int32_t f_localnet;
 const char *
 getname(const u_char *ap)
 {
-	register struct hostent *hp;
 	u_int32_t addr;
 	static struct hnamemem *p;		/* static for longjmp() */
 
@@ -247,6 +246,28 @@ getname(const u_char *ap)
 	 */
 	if (!nflag &&
 	    (addr & f_netmask) == f_localnet) {
+#ifdef HAVE_GETNAMEINFO
+		struct sockaddr_in sa;
+		char hbuf[NI_MAXHOST];
+
+		memset(&sa, 0, sizeof (sa));
+		sa.sin_family = AF_INET;
+		sa.sin_addr.s_addr = addr;
+		if (!getnameinfo((struct sockaddr *)&sa, sizeof (sa),
+					hbuf, sizeof (hbuf), NULL, 0, 0)) {
+			if (Nflag) {
+				char *dotp;
+
+				/* Remove domain qualifications */
+				dotp = strchr(hbuf, '.');
+				if (dotp)
+					*dotp = '\0';
+			}
+			p->name = strdup(hbuf);
+			return p->name;
+		}
+#else
+		register struct hostent *hp;
 		hp = gethostbyaddr((char *)&addr, 4, AF_INET);
 		if (hp) {
 			char *dotp;
@@ -260,6 +281,7 @@ getname(const u_char *ap)
 			}
 			return (p->name);
 		}
+#endif
 	}
 	p->name = strdup(intoa(addr));
 	return (p->name);
@@ -273,7 +295,6 @@ getname(const u_char *ap)
 const char *
 getname6(const u_char *ap)
 {
-	register struct hostent *hp;
 	struct in6_addr addr;
 	static struct h6namemem *p;		/* static for longjmp() */
 	register const char *cp;
@@ -292,6 +313,28 @@ getname6(const u_char *ap)
 	 * Do not print names if -n was given.
 	 */
 	if (!nflag) {
+#ifdef HAVE_GETNAMEINFO
+		struct sockaddr_in6 sa;
+		char hbuf[NI_MAXHOST];
+
+		memset(&sa, 0, sizeof (sa));
+		sa.sin6_family = AF_INET6;
+		sa.sin6_addr = addr;
+		if (!getnameinfo((struct sockaddr *)&sa, sizeof (sa),
+					hbuf, sizeof (hbuf), NULL, 0, 0)) {
+			if (Nflag) {
+				char *dotp;
+
+				/* Remove domain qualifications */
+				dotp = strchr(hbuf, '.');
+				if (dotp)
+					*dotp = '\0';
+			}
+			p->name = strdup(hbuf);
+			return p->name;
+		}
+#else
+		register struct hostent *hp;
 		hp = gethostbyaddr((char *)&addr, sizeof(addr), AF_INET6);
 		if (hp) {
 			char *dotp;
@@ -305,6 +348,7 @@ getname6(const u_char *ap)
 			}
 			return (p->name);
 		}
+#endif
 	}
 	cp = inet_ntop(AF_INET6, &addr, ntop_buf, sizeof(ntop_buf));
 	p->name = strdup(cp);
@@ -704,7 +748,7 @@ init_servarray(void)
 
 		while (table->name)
 			table = table->nxt;
-		if (nflag) {
+		if (nflag > 1) {
 			(void)snprintf(buf, sizeof(buf), "%d", port);
 			table->name = strdup(buf);
 		} else
@@ -1104,7 +1148,7 @@ init_addrtoname(u_int32_t localnet, u_int32_t mask)
 		f_localnet = localnet;
 		f_netmask = mask;
 	}
-	if (nflag)
+	if (nflag > 1)
 		/*
 		 * Simplest way to suppress names.
 		 */
diff --git a/configure.in b/configure.in
index 5a010e7..b74abe3 100644
--- a/configure.in
+++ b/configure.in
@@ -12,6 +12,8 @@ AC_INIT(tcpdump.c)
 
 AC_CANONICAL_HOST
 
+AC_GNU_SOURCE
+AC_SYS_LARGEFILE
 AC_LBL_C_INIT(V_CCOPT, V_INCLS)
 AC_LBL_C_INLINE
 AC_C___ATTRIBUTE__
@@ -279,7 +281,7 @@ yes
 fi
 
 if test "$ipv6" = "yes" -a "$ipv6lib" != "none"; then
-	if test -d $ipv6libdir -a -f $ipv6libdir/lib$ipv6lib.a; then
+	if test -d $ipv6libdir -a -f $ipv6libdir/lib$ipv6lib.so; then
 		LIBS="-L$ipv6libdir -l$ipv6lib $LIBS"
 		echo "You have $ipv6lib library, using it"
 	else
@@ -287,7 +289,7 @@ if test "$ipv6" = "yes" -a "$ipv6lib" != "none"; then
 			echo "You do not have $ipv6lib library, using libc"
 		else
 			echo 'Fatal: no $ipv6lib library found.  cannot continue.'
-			echo "You need to fetch lib$ipv6lib.a from appropriate"
+			echo "You need to fetch lib$ipv6lib.so from appropriate"
 			echo 'ipv6 kit and compile beforehand.'
 			exit 1
 		fi
@@ -935,10 +937,10 @@ for dir in $Xprefix /usr/${host_alias} /usr /usr/local /usr/local/ssl /usr/pkg;
 	#
 	# Or should we just look for "libcrypto.*"?
 	#
-	if test -d $dir/lib -a \( -f $dir/lib/libcrypto.a -o \
-			          -f $dir/lib/libcrypto.so -o \
+	if test -d $dir/lib -a \( -f $dir/lib/libcrypto.so -o \
 			          -f $dir/lib/libcrypto.sl -o \
-				  -f $dir/lib/libcrypto.dylib \); then
+			          -f $dir/lib/libcrypto.dylib -o \
+				  -f $dir/lib/libcrypto.a \); then
 		ac_cv_ssleay_path=$dir
 	fi
 	if test -d $dir/include/openssl -a -f $dir/include/openssl/des.h; then
@@ -955,10 +957,10 @@ AC_MSG_RESULT($ac_cv_ssleay_path)
 if test "$ac_cv_ssleay_path" != no; then
 	V_INCLS="$V_INCLS $incdir"
 	LDFLAGS="-L$dir/lib $LDFLAGS"
-	if test -f $ac_cv_ssleay_path/lib/libRSAglue.a; then
+	if test -f $ac_cv_ssleay_path/lib/libRSAglue.so; then
 		LIBS="$LIBS -lRSAglue"
 	fi
-	if test -f $ac_cv_ssleay_path/lib/librsaref.a; then
+	if test -f $ac_cv_ssleay_path/lib/librsaref.so; then
 		LIBS="$LIBS -lrsaref"
 	fi
 	AC_CHECK_LIB(crypto, DES_cbc_encrypt)
diff --git a/print-ether.c b/print-ether.c
index f71a7cc..e0da4ed 100644
--- a/print-ether.c
+++ b/print-ether.c
@@ -220,7 +220,7 @@ ether_encap_print(u_short ether_type, const u_char *p,
 		return (1);
 
 	case ETHERTYPE_8021Q:
-	        if (eflag)
+	        if (!eflag)
 		    printf("vlan %u, p %u%s, ",
 			   ntohs(*(u_int16_t *)p) & 0xfff,
 			   ntohs(*(u_int16_t *)p) >> 13,
diff --git a/print-ip6opts.c b/print-ip6opts.c
index 82163a2..7515199 100644
--- a/print-ip6opts.c
+++ b/print-ip6opts.c
@@ -74,7 +74,7 @@ static void
 ip6_sopt_print(const u_char *bp, int len)
 {
     int i;
-    int optlen;
+    int optlen = 0;
 
     for (i = 0; i < len; i += optlen) {
 	if (bp[i] == IP6OPT_PAD1)
diff --git a/tcpdump.1 b/tcpdump.1
index d13b4de..a0a8a06 100644
--- a/tcpdump.1
+++ b/tcpdump.1
@@ -22,7 +22,7 @@
 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 .\"
-.TH TCPDUMP 1  "18 April 2005"
+.TH TCPDUMP 8  "18 April 2005"
 .SH NAME
 tcpdump \- dump traffic on a network
 .SH SYNOPSIS
@@ -264,6 +264,9 @@ have the name specified with the
 flag, with a number after it, starting at 1 and continuing upward.
 The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,
 not 1,048,576 bytes).
+
+Note that when used with \fB\-Z\fR option (enabled by default),
+privileges are dropped before opening first savefile.
 .TP
 .B \-d
 Dump the compiled packet-matching code in a human readable form to
@@ -310,7 +313,7 @@ Print the link-level header on each dump line.
 .B \-E
 Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that
 are addressed to \fIaddr\fP and contain Security Parameter Index value
-\fIspi\fP. This combination may be repeated with comma or newline seperation.
+\fIspi\fP. This combination may be repeated with comma or newline separation.
 .IP
 Note that setting the secret for IPv4 ESP packets is supported at this time.
 .IP
@@ -326,7 +329,7 @@ The ability to decrypt packets is only present if \fItcpdump\fP was compiled
 with cryptography enabled.
 .IP
 \fIsecret\fP is the ASCII text for ESP secret key. 
-If preceeded by 0x, then a hex value will be read.
+If preceded by 0x, then a hex value will be read.
 .IP
 The option assumes RFC2406 ESP, not RFC1827 ESP.
 The option is only for debugging purposes, and
@@ -400,7 +403,11 @@ Use \fIsecret\fP as a shared secret for validating the digests found in
 TCP segments with the TCP-MD5 option (RFC 2385), if present.
 .TP
 .B \-n
-Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
+Don't convert host addresses to names.  This can be used to avoid
+DNS lookups.
+.TP
+.B \-nn
+Don't convert protocol and port numbers etc. to names either.
 .TP
 .B \-N
 Don't print domain name qualification of host names.
@@ -588,7 +595,8 @@ Drops privileges (if root) and changes user ID to
 and the group ID to the primary group of
 .IR user .
 .IP
-This behavior can also be enabled by default at compile time.
+This behavior is enabled by default (\fB\-Z tcpdump\fR),
+and can be disabled by \fB\-Z root\fR.
 .IP "\fI expression\fP"
 .RS
 selects which packets will be dumped.
@@ -727,7 +735,7 @@ be checked for a match.
 True if the Ethernet destination address is \fIehost\fP.
 \fIEhost\fP
 may be either a name from /etc/ethers or a number (see
-.IR ethers (3N)
+.IR ethers (5)
 for numeric format).
 .IP "\fBether src \fIehost\fP
 True if the Ethernet source address is \fIehost\fP.
@@ -781,9 +789,9 @@ May be qualified with \fBsrc\fR or \fBdst\fR.
 True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a
 destination port value of \fIport\fP.
 The \fIport\fP can be a number or a name used in /etc/services (see
-.IR tcp (4P)
+.IR tcp (7)
 and
-.IR udp (4P)).
+.IR udp (7)).
 If a name is used, both the port
 number and protocol are checked.
 If a number or ambiguous name is used,
@@ -974,7 +982,7 @@ True if the packet was logged as matching the specified PF rule number
 (applies only to packets logged by OpenBSD's
 .BR pf (4)).
 .IP "\fBrulenum \fInum\fR"
-Synonomous with the
+Synonymous with the
 .B rnr
 modifier.
 .IP "\fBreason \fIcode\fR"
@@ -994,7 +1002,7 @@ True if the packet was logged as matching the specified PF ruleset
 name of an anchored ruleset (applies only to packets logged by
 .BR pf (4)).
 .IP "\fBruleset \fIname\fR"
-Synonomous with the
+Synonymous with the
 .B rset
 modifier.
 .IP "\fBsrnr \fInum\fR"
@@ -1002,7 +1010,7 @@ True if the packet was logged as matching the specified PF rule number
 of an anchored ruleset (applies only to packets logged by
 .BR pf (4)).
 .IP "\fBsubrulenum \fInum\fR"
-Synonomous with the
+Synonymous with the
 .B srnr
 modifier.
 .IP "\fBaction \fIact\fR"
diff --git a/tcpdump.c b/tcpdump.c
index caf419e..ca16cd6 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -380,19 +380,28 @@ droproot(const char *username, const char *chroot_dir)
 	
 	pw = getpwnam(username);
 	if (pw) {
+		uid_t uid = pw->pw_uid;
+		gid_t gid = pw->pw_gid;
+
+		if (initgroups(pw->pw_name, gid) != 0) {
+			fprintf(stderr,
+				"tcpdump: Couldn't initialize the supplementary group list: %s\n",
+				pcap_strerror(errno));
+			exit(1);
+		}
+		endpwent();
 		if (chroot_dir) {
-			if (chroot(chroot_dir) != 0 || chdir ("/") != 0) {
+			if (chdir(chroot_dir) != 0 || chroot(".") != 0) {
 				fprintf(stderr, "tcpdump: Couldn't chroot/chdir to '%.64s': %s\n",
 				    chroot_dir, pcap_strerror(errno));
 				exit(1);
 			}
 		}
-		if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
-		    setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
+		if (setgid(gid) != 0 || setuid(uid) != 0) {
 			fprintf(stderr, "tcpdump: Couldn't change to '%.32s' uid=%lu gid=%lu: %s\n",
 			    username, 
-			    (unsigned long)pw->pw_uid,
-			    (unsigned long)pw->pw_gid,
+			    (unsigned long)uid,
+			    (unsigned long)gid,
 			    pcap_strerror(errno));
 			exit(1);
 		}
@@ -956,6 +965,10 @@ main(int argc, char **argv)
 #ifndef WIN32	
 	if ((oldhandler = setsignal(SIGHUP, cleanup)) != SIG_DFL)
 		(void)setsignal(SIGHUP, oldhandler);
+	if (Cflag && (getuid() == 0 || geteuid() == 0)) {
+		if (username || chroot_dir)
+			droproot(username, chroot_dir);
+	}
 #endif /* WIN32 */
 
 	if (pcap_setfilter(pd, &fcode) < 0)
@@ -976,6 +989,10 @@ main(int argc, char **argv)
 			dumpinfo.pd = pd;
 			dumpinfo.p = p;
 			pcap_userdata = (u_char *)&dumpinfo;
+			if (chroot_dir) {
+				warning("chroot to %s disabled", chroot_dir);
+				chroot_dir = NULL;
+			}
 		} else {
 			callback = dump_packet;
 			pcap_userdata = (u_char *)p;
@@ -999,7 +1016,7 @@ main(int argc, char **argv)
 	 * We cannot do this earlier, because we want to be able to open
 	 * the file (if done) for writing before giving up permissions.
 	 */
-	if (getuid() == 0 || geteuid() == 0) {
+	if (!Cflag && (getuid() == 0 || geteuid() == 0)) {
 		if (username || chroot_dir)
 			droproot(username, chroot_dir);
 	}
 
дизайн и разработка: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
текущий майнтейнер: Michael Shigorin