From: Eitan Adler
Date: Sun, 17 Jun 2018 00:08:22 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r472578 - in head: . net/tcpdump

Author: eadler
Date: Sun Jun 17 00:08:22 2018
New Revision: 472578
URL: https://svnweb.freebsd.org/changeset/ports/472578

Log:
  net/tcpdump: use dedicated user for privsep

  "nobody" should only be used by NFS and nothing should run as it.
  Instead give tcpdump a dedicated user.

  Also note that IPv6 is no longer optional, so just remove the option

  Approved by: garga (maintainer, older version)
  Reviewed by: matthew
  Differential Revision: https://reviews.freebsd.org/D15841

Modified:
  head/GIDs
  head/UIDs
  head/net/tcpdump/Makefile

Modified: head/GIDs ============================================================================== --- head/GIDs Sun Jun 17 00:01:55 2018 (r472577) +++ head/GIDs Sun Jun 17 00:08:22 2018 (r472578) @@ -825,7 +825,7 @@ _geodns:*:853: # free: 882 # free: 883 # free: 884 -# free: 885 +tcpdump:*:885: miniflux:*:886: pdagent:*:887: vuls:*:888: Modified: head/UIDs ============================================================================== --- head/UIDs Sun Jun 17 00:01:55 2018 (r472577) +++ head/UIDs Sun Jun 17 00:08:22 2018 (r472578) 
@@ -831,7 +831,7 @@ archiva:*:871:871::0:0:Apache Archiva Daemon:/nonexist # free: 882 # free: 883 # free: 884 -# free: 885 +tcpdump:*:885:885::0:0:tcpdump user:/nonexistent:/usr/sbin/nologin miniflux:*:886:886::0:0:Miniflux:/nonexistent:/usr/sbin/nologin pdagent:*:887:887::0:0:PagerDuty Agent:/nonexistent:/usr/sbin/nologin vuls:*:888:888::0:0:VULnerability Scanner:/var/db/vuls:/usr/sbin/nologin Modified: head/net/tcpdump/Makefile ============================================================================== --- head/net/tcpdump/Makefile Sun Jun 17 00:01:55 2018 (r472577) +++ head/net/tcpdump/Makefile Sun Jun 17 00:08:22 2018 (r472578) @@ -3,6 +3,7 @@ PORTNAME= tcpdump PORTVERSION= 4.9.2 +PORTREVISION= 1 CATEGORIES= net ipv6 MASTER_SITES= http://www.tcpdump.org/release/ @@ -16,10 +17,10 @@ LIB_DEPENDS= libpcap.so.1:net/libpcap GNU_CONFIGURE= yes USES= gmake -UNPRIV_USER?= nobody +UNPRIV_USER?= tcpdump CHROOTDIR?= /var/run/tcpdump -OPTIONS_DEFINE= CRYPTO IPV6 SMB SMI USER CHROOT +OPTIONS_DEFINE= CRYPTO SMB SMI USER CHROOT OPTIONS_DEFAULT= CRYPTO SMB SMI CRYPTO_DESC= Support IPSEC and TCPMD5 @@ -28,16 +29,16 @@ CRYPTO_DESC= Support IPSEC and TCPMD5 # is not true. It will just not print it if this option is off. SMB_DESC= Support printing SMB information SMI_DESC= Allow MIBs to be loaded on the fly -USER_DESC= Drop privileges to nobody +USER_DESC= Drop privileges to dedicated user CHROOT_DESC= Chroot to /var/run/tcpdump (set CHROOTDIR to change) CRYPTO_USES= ssl CRYPTO_CONFIGURE_WITH= crypto -IPV6_CONFIGURE_ENABLE= ipv6 SMB_CONFIGURE_ENABLE= smb SMI_CONFIGURE_WITH= smi SMI_LIB_DEPENDS= libsmi.so:net-mgmt/libsmi USER_CONFIGURE_ON= --with-user=${UNPRIV_USER} +USER_VARS= USERS=${UNPRIV_USER} GROUPS=${UNPRIV_USER} CHROOT_CONFIGURE_ON= --with-chroot=${CHROOTDIR} PLIST_FILES= sbin/tcpdump \
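
Review bot: OPTIONS_DEFAULT in the `@@ -16,10 +17,10 @@` Makefile hunk is still `CRYPTO SMB SMI`, so a default build leaves USER off, `USER_CONFIGURE_ON= --with-user=${UNPRIV_USER}` is never passed, and the tcpdump account registered in UIDs and GIDs goes unused unless the builder enables the option. If the intent is for installed packages to drop privileges to the dedicated account, consider adding USER (and CHROOT, if wanted) to OPTIONS_DEFAULT, or say in the log that privilege dropping remains opt-in.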
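
Review bot: `USER_VARS= USERS=${UNPRIV_USER} GROUPS=${UNPRIV_USER}` in the `@@ -28,16 +29,16 @@` Makefile hunk follows UNPRIV_USER, which is assigned with `?=` and can therefore be overridden at build time, while this commit registers only `tcpdump` (885) in UIDs and GIDs. An override to a name with no entry there leaves USERS and GROUPS pointing at an unregistered account; either pin USERS/GROUPS to tcpdump and document that an overridden UNPRIV_USER must be provisioned by the administrator, or drop the `?=`. Separately, USER_DESC now reads "Drop privileges to dedicated user" without naming it, whereas CHROOT_DESC names both its path and its override variable; naming tcpdump and UNPRIV_USER in the description would keep the two consistent.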