laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/36867?usp=email )
Change subject: ttcn3-tcpdump-start.sh: Avoid using dumpcap if it has no access to pcap parent dir
ttcn3-tcpdump-start.sh: Avoid using dumpcap if it has no access to pcap parent dir
dumpcap seems to be opening the pcap file it writes to *after* dropping privileges, which means even if running it as root, it will fail to create the pcap file inside a directory where that same user (even if root) doesn't have write+execute permissions.
This is exactly what happens when one tries to run the ttcn3-tcpdump-start.sh script inside docker with "--cap-add=NET_ADMIN --cap-add=SYS_RESOURCE" and root user, where it then tells dumpcap to write to a volume mounted inside docker which was created by the user outside, hence with UID=1000 instead of UID=0 inside docker.
Since tcpdump works fine in this setup, simply skip using dumpcap if it would fail to create the pcap file.
Related: OS#6455
Change-Id: If8ea5bb62f4866042761d3e08fe83179bf10c75a
---
M ttcn3-tcpdump-start.sh
1 file changed, 30 insertions(+), 1 deletion(-)
Approvals:
  osmith: Looks good to me, but someone else must approve
  Jenkins Builder: Verified
  laforge: Looks good to me, approved
diff --git a/ttcn3-tcpdump-start.sh b/ttcn3-tcpdump-start.sh index 8b75d0e..4068b26 100755 --- a/ttcn3-tcpdump-start.sh +++ b/ttcn3-tcpdump-start.sh @@ -62,7 +62,12 @@ fi
if [ -u $DUMPCAP -o "$CAP_ERR" = "0" ]; then - CMD="$DUMPCAP -q" + # dumpcap, *after dropping permissions*, needs to be able to write to the directory to create the pcap file: + if [ "$(stat -L -c "%u" "$TTCN3_PCAP_PATH")" = "$(id -u)" ] && [ "$(stat -L -c "%A" "$TTCN3_PCAP_PATH" | head -c 4)" = "drwx" ]; then + CMD="$DUMPCAP -q" + else + echo "NOTE: unable to use dumpcap due to missing permissions in $TTCN3_PCAP_PATH" + fi else echo "NOTE: unable to use dumpcap due to missing capabilities or suid bit" fi
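Review bot: the new permission test in this hunk is stricter than what the inline comment describes: requiring both `%u` to equal `$(id -u)` and the owner bits to read `drwx` rejects a directory that is writable only via group/other bits or an ACL, so the script takes the "missing permissions" NOTE branch there even though dumpcap could have created the file. For the docker volume case in the commit message that is acceptable, but the comment should state that only owner permissions are checked. Also, if `$TTCN3_PCAP_PATH` does not exist, both `stat` calls print an error to stderr before the empty comparison falls through to the else branch; guarding with `[ -d "$TTCN3_PCAP_PATH" ] &&` first (or redirecting stat's stderr) keeps the NOTE line as the only output. Minor: `$DUMPCAP` in the unchanged `-u $DUMPCAP` test is unquoted, unlike the new lines.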