Date: Sun, 17 Jun 2018 00:08:22 +0000 (UTC) From: Eitan Adler <eadler@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r472578 - in head: . net/tcpdump Message-ID: <201806170008.w5H08MRD091897@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: eadler Date: Sun Jun 17 00:08:22 2018 New Revision: 472578 URL: https://svnweb.freebsd.org/changeset/ports/472578 Log: net/tcpdump: use dedicated user for privsep "nobody" should only be used by NFS and nothing should run as it. Instead give tcpdump a dedicated user. Also note that IPv6 is no longer optional, so just remove the option Approved by: garga (maintainer, older version) Reviewed by: matthew Differential Revision: https://reviews.freebsd.org/D15841 Modified: head/GIDs head/UIDs head/net/tcpdump/Makefile Modified: head/GIDs ============================================================================== --- head/GIDs Sun Jun 17 00:01:55 2018 (r472577) +++ head/GIDs Sun Jun 17 00:08:22 2018 (r472578) @@ -825,7 +825,7 @@ _geodns:*:853: # free: 882 # free: 883 # free: 884 -# free: 885 +tcpdump:*:885: miniflux:*:886: pdagent:*:887: vuls:*:888: Modified: head/UIDs ============================================================================== --- head/UIDs Sun Jun 17 00:01:55 2018 (r472577) +++ head/UIDs Sun Jun 17 00:08:22 2018 (r472578) @@ -831,7 +831,7 @@ archiva:*:871:871::0:0:Apache Archiva Daemon:/nonexist # free: 882 # free: 883 # free: 884 -# free: 885 +tcpdump:*:885:885::0:0:tcpdump user:/nonexistent:/usr/sbin/nologin miniflux:*:886:886::0:0:Miniflux:/nonexistent:/usr/sbin/nologin pdagent:*:887:887::0:0:PagerDuty Agent:/nonexistent:/usr/sbin/nologin vuls:*:888:888::0:0:VULnerability Scanner:/var/db/vuls:/usr/sbin/nologin Modified: head/net/tcpdump/Makefile ============================================================================== --- head/net/tcpdump/Makefile Sun Jun 17 00:01:55 2018 (r472577) +++ head/net/tcpdump/Makefile Sun Jun 17 00:08:22 2018 (r472578) @@ -3,6 +3,7 @@ PORTNAME= tcpdump PORTVERSION= 4.9.2 +PORTREVISION= 1 CATEGORIES= net ipv6 MASTER_SITES= http://www.tcpdump.org/release/ @@ -16,10 +17,10 @@ LIB_DEPENDS= libpcap.so.1:net/libpcap GNU_CONFIGURE= yes USES= gmake -UNPRIV_USER?= nobody +UNPRIV_USER?= tcpdump CHROOTDIR?= /var/run/tcpdump -OPTIONS_DEFINE= CRYPTO IPV6 SMB SMI USER CHROOT +OPTIONS_DEFINE= CRYPTO SMB SMI USER CHROOT OPTIONS_DEFAULT= CRYPTO SMB SMI CRYPTO_DESC= Support IPSEC and TCPMD5 @@ -28,16 +29,16 @@ CRYPTO_DESC= Support IPSEC and TCPMD5 # is not true. It will just not print it if this option is off. SMB_DESC= Support printing SMB information SMI_DESC= Allow MIBs to be loaded on the fly -USER_DESC= Drop privileges to nobody +USER_DESC= Drop privileges to dedicated user CHROOT_DESC= Chroot to /var/run/tcpdump (set CHROOTDIR to change) CRYPTO_USES= ssl CRYPTO_CONFIGURE_WITH= crypto -IPV6_CONFIGURE_ENABLE= ipv6 SMB_CONFIGURE_ENABLE= smb SMI_CONFIGURE_WITH= smi SMI_LIB_DEPENDS= libsmi.so:net-mgmt/libsmi USER_CONFIGURE_ON= --with-user=${UNPRIV_USER} +USER_VARS= USERS=${UNPRIV_USER} GROUPS=${UNPRIV_USER} CHROOT_CONFIGURE_ON= --with-chroot=${CHROOTDIR} PLIST_FILES= sbin/tcpdump \
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201806170008.w5H08MRD091897>