"tcpdump -w 1.pcap" works, but "tcpdump -C 100 -w 1.pcap" - permission denied
I need to limit the file size when I run "tcpdump -w 1.pcap". I tried to do this with the "-C" option, but when I add it I get the error "permission denied". So:

> sudo tcpdump -w 1.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C821 packets captured
847 packets received by filter
24 packets dropped by kernel

But:

> sudo tcpdump -C 100 -w 1.pcap
tcpdump: 1.pcap: Permission denied

I run the command from my home directory, and I tried removing and recreating the file with different permissions before running the command; finally I have:

-rwxrwxrwx 1 root root 0 Aug  5 10:30 1.pcap

or

-rwxrwxrwx 1 fd8 users 0 Aug  5 10:30 1.pcap

Could you suggest why in the second case I can't write to the file?

Muddleheaded answered 5/8, 2013 at 4:37 Comment(5)
When you executed sudo tcpdump -C 100 -w 1.pcap, was 1.pcap already present with ownership root:root? - Bujumbura
@VarunLakkur Since he's running it with sudo, permissions shouldn't matter. - Electrodeposit
The sudoers configuration can specify particular commands and options allowed when running sudo. Could that be a possibility here? - Bujumbura
@VarunLakkur I have full rights according to sudoers, so I don't think there is a problem with file permissions. Often people write that they have trouble with -w at all. They solve this with compile flags of tcpdump such as chroot or suid, but I can't find how to check this on my system... - Muddleheaded
I have the problem even when I run it as root (sudo su). - Muddleheaded
I experienced similar problems when I tried to read from file, like

tcpdump -r example.cap 'icmp[icmptype] = icmp-echo'

For me, AppArmor caused the problem; I had to switch the 'tcpdump' profile from 'enforce' mode to 'complain' mode. Run the following command as root:

aa-complain /usr/sbin/tcpdump
Bellied answered 21/8, 2013 at 15:34 Comment(2)
Thank you for your answer! But AppArmor is used on Ubuntu, and I have RHEL on the server. The answer was to use the "-Z root" option for tcpdump. But we still don't know why tcpdump behaves that way, because SELinux is turned off on the server. - Muddleheaded
It might just be a case of disabling the AppArmor profile (since complain mode can be a security issue) using: sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump - Shipyard
You need to do -Z root. Read the man page:

   -Z     Drops privileges (if root) and changes user ID to user and the group ID to the primary group of user.

          This behavior is enabled by default (-Z tcpdump), and can be disabled by -Z root.
Falsework answered 7/1, 2014 at 1:27 Comment(3)
Yes, I have read the man page, but I still can't understand why "tcpdump -w 1.pcap" works fine without -Z, and "sudo tcpdump -C 100 -w 1.pcap" does not. - Muddleheaded
By default, tcpdump in RHEL will "drop privileges" to the tcpdump user when writing the file, meaning that the file gets saved as a non-root user. In RHEL, the user should be "tcpdump". So you can get around the issue by chmod 777 /path/to/logdir/, or even chown tcpdump /path/to/logdir. If your log directory is owned by a specific user, you can use -Z to save files as that user instead, but -Z root lets you write files anywhere. - Slovenia
Oh, and "because that's how it works" is a terrible thing to put in a StackOverflow answer. :-) - Slovenia
I experienced similar issues on Ubuntu 12.04 LTS, and my case was fixed with the procedure below.

sudo apt-get install apparmor-utils

The aa-complain command referred to by user2704275 is included in this package.

If your environment is a RedHat/CentOS distro, you can do the same with yum.

sudo aa-complain /usr/sbin/tcpdump

This will change the AppArmor mode of tcpdump from "enforce" to "complain". You can check the AppArmor status in /sys/kernel/security/apparmor/profiles.

Then I was able to run tcpdump successfully with sudo.

After getting the tcpdump, for security reasons, you might revert the AppArmor status to the previous mode with the command below.

sudo aa-enforce /usr/sbin/tcpdump

Regards.

Preconscious answered 1/10, 2013 at 10:47 Comment(0)
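The thread names two separate reasons for "Permission denied": the privilege drop to the tcpdump account described in the "-Z root" answer and its comments (every file tcpdump creates after dropping privileges, including the rotated -C files, is created as that account, so the directory itself must let that account enter it and create files; a 0777 file inside a directory it cannot enter does not help), and an AppArmor profile in enforce mode, as in this answer. The pre-flight script below is an added example and is not code from the question or any of the answers. The directory check is plain Unix DAC logic run on constructed owner/group/mode values; the live-host wrapper assumes GNU `stat -c`; the AppArmor check parses the "profile (mode)" line format of /sys/kernel/security/apparmor/profiles from a constructed excerpt. The account name tcpdump, the directory /var/capture and the 0700 mode of the asker's home directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added pre-flight check for "tcpdump -C N -w FILE: Permission denied".
# Two causes come up in the thread:
#   1. Distribution builds of tcpdump drop to an unprivileged account
#      (default "-Z tcpdump"); files created after that drop, such as the
#      rotated -C files, are created as that account, so the directory itself
#      must allow it to create files (write + search).
#   2. An AppArmor profile for /usr/sbin/tcpdump in enforce mode.
# Assumptions (not from the page): GNU stat -c, account name "tcpdump",
# directory /var/capture, and a 0700 home directory for the asker.

# has_bits DIGIT MASK: does the octal permission DIGIT contain all bits in MASK?
has_bits() { [ $(( $1 & $2 )) -eq "$2" ]; }

# dir_writable_by OWNER GROUP MODE USER "GROUP1 GROUP2 ...":
# can USER create files in a directory with these attributes? Plain DAC only;
# POSIX ACLs, SELinux and AppArmor are outside this check.
dir_writable_by() {
  owner=$1; group=$2; mode=$3; user=$4; ugroups=$5
  while [ ${#mode} -lt 3 ]; do mode="0$mode"; done   # "40" -> "040"
  mode=${mode#"${mode%???}"}                          # keep the three rwx digits, drop setgid/sticky
  u=${mode%??}; o=${mode#??}; g=${mode#?}; g=${g%?}
  [ "$user" = root ] && return 0                      # CAP_DAC_OVERRIDE: root bypasses DAC
  if [ "$user" = "$owner" ]; then
    has_bits "$u" 3 && return 0                       # owner triple needs w+x
    return 1
  fi
  for grp in $ugroups; do
    if [ "$grp" = "$group" ]; then
      has_bits "$g" 3 && return 0                     # group triple needs w+x
      return 1
    fi
  done
  has_bits "$o" 3                                     # otherwise the "other" triple
}

# check_capture_dir DIR [ACCOUNT]: the same test on a live directory (GNU stat).
check_capture_dir() {
  attrs=$(stat -c '%U %G %a' "$1") || return 2
  acct=${2:-tcpdump}
  set -- $attrs
  dir_writable_by "$1" "$2" "$3" "$acct" "$(id -Gn "$acct" 2>/dev/null)"
}

# tcpdump_cmdline OWNER GROUP MODE ACCOUNT "GROUPS" DIR BASENAME SIZE_MB:
# keep the privilege drop when the directory permits it; otherwise fall back
# to "-Z root", the thread's workaround, which leaves the whole capture as root.
tcpdump_cmdline() {
  if dir_writable_by "$1" "$2" "$3" "$4" "$5"; then
    printf 'tcpdump -Z %s -C %s -w %s/%s' "$4" "$8" "$6" "$7"
  else
    printf 'tcpdump -Z root -C %s -w %s/%s' "$8" "$6" "$7"
  fi
}

# apparmor_mode PROFILES_TEXT PATH: mode of PATH's loaded profile, given the
# text of /sys/kernel/security/apparmor/profiles (lines like
# "/usr/sbin/tcpdump (enforce)"). Prints enforce, complain, or "unconfined"
# when no profile is loaded for PATH.
apparmor_mode() {
  m=$(printf '%s\n' "$1" | awk -v p="$2" '$1 == p { gsub(/[()]/, "", $2); print $2 }')
  printf '%s' "${m:-unconfined}"
}

# Constructed excerpt of the sysfs file, as an Ubuntu host with the stock
# tcpdump profile in enforce mode would show it.
SAMPLE_PROFILES='/usr/sbin/tcpdump (enforce)
/sbin/dhclient (enforce)
/usr/lib/cups/backend/cups-pdf (complain)'

# Constructed demonstration: the asker's home directory (assumed 0700, fd8:users)
# versus a dedicated least-privilege directory created with
#   install -d -o tcpdump -g tcpdump -m 0750 /var/capture
echo "home dir:      $(tcpdump_cmdline fd8 users 700 tcpdump tcpdump /home/fd8 1.pcap 100)"
echo "dedicated dir: $(tcpdump_cmdline tcpdump tcpdump 750 tcpdump tcpdump /var/capture 1.pcap 100)"
echo "AppArmor:      $(apparmor_mode "$SAMPLE_PROFILES" /usr/sbin/tcpdump)"
```

On a live host, `check_capture_dir /var/capture tcpdump` runs the same DAC test against the real directory, and `apparmor_mode "$(cat /sys/kernel/security/apparmor/profiles)" /usr/sbin/tcpdump` reads the real profile list. Creating a directory owned by the tcpdump account and keeping the default `-Z tcpdump` is the least-privilege option; `-Z root` works anywhere but keeps the capture process, which parses untrusted packets, running as root for its whole lifetime.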

© 2022 - 2024 — McMap. All rights reserved.