Home / ubuntu / Questions / 1319292
In Process
user1424739
Asked: 2021-02-26 07:10:56 +0800 CST

Why a file generated with sudo is not owned by root?

  • 772

I run the following command in a terminal.

sudo tcpdump -c 2 -w /tmp/z.pcap icmp

Then run the following command in a terminal.

ping 8.8.8.8

The file generated belongs to the user tcpdump instead of root.

$ stat /tmp/z.pcap 
  File: /tmp/z.pcap
  Size: 158             Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d      Inode: 4068722     Links: 1
Access: (0644/-rw-r--r--)  Uid: (  115/ tcpdump)   Gid: (  120/ tcpdump)
Access: 2021-02-25 10:05:52.910772287 -0500
Modify: 2021-02-25 10:06:00.102859691 -0500
Change: 2021-02-25 10:06:00.102859691 -0500
 Birth: 2021-02-25 10:05:52.910772287 -0500

The command tcpdump belongs to the root. Why the file generated does not belong to the root?

$ ls -l $(which tcpdump)
-rwxr-xr-x 1 root root 1261512 2021/01/15-17:41:47 /usr/bin/tcpdump
command-line

2 Answers

  1. See man tcpdump. It's generally good practice to NOT run as root if it's not necessary, so the developers added:

      -Z user
  --relinquish-privileges=user
         If  tcpdump is running as root, after opening the capture device
         or input savefile, change the user ID to user and the  group  ID
         to the primary group of user.

         This  behavior  is  enabled  by default (-Z tcpdump), and can be
         disabled by -Z root.

    In other words: tcpdump, once spawned, does not need to keep root permissions, so it sheds them.

    • 6

  2. Because tcpdump will will spawn a subprocess that is owned by tcpdump:

    $ ps auf | grep [t]cpdump
root       47749  0.0  0.0  16432  7264 pts/1    S+   16:16   0:00  \_ sudo tcpdump -c 2 -w /tmp/z.pcap icmp
tcpdump    47750  0.0  0.0  11084  6252 pts/1    S+   16:16   0:00      \_ tcpdump -c 2 -w /tmp/z.pcap icmp

    It drops privileges as it doesn't need it anymore. Use -Z option to change that behavior. See this answer for details.

    • 2