Package: tcpdump
Version: 4.99.3-1

If the binary is built with libcap-ng, tcpdump fails with "Couldn't change ownership of savefile". When HAVE_LIBCAP_NG is defined, chown is called after the CAP_CHOWN capability has been dropped: in the strace output below, the last capset before the chown leaves only CAP_SETGID and CAP_SETUID in the effective and permitted sets, so the chown on the savefile returns EPERM. I believe this is caused by the recent patch introduced as part of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935112 : https://salsa.debian.org/rfrancoise/tcpdump/-/blob/master/debian/patches/drop-privs-after-opening-savefile.diff
dget http://deb.debian.org/debian/pool/main/t/tcpdump/tcpdump_4.99.3-1.dsc
sudo apt install libcap-ng-dev
cd tcpdump-4.99.3
debian/rules build

Test:

sudo strace -e "capset,capget,chown" /home/ubuntu/c/tcpdump-4.99.3/tcpdump -w /tmp/test.pcap
capget({version=0 /* _LINUX_CAPABILITY_VERSION_??? */, pid=0}, NULL) = 0
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=18467}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
capset({version=_LINUX_CAPABILITY_VERSION_3, pid=18467}, {effective=1<<CAP_DAC_OVERRIDE|1<<CAP_SETGID|1<<CAP_SETUID, permitted=1<<CAP_DAC_OVERRIDE|1<<CAP_SETGID|1<<CAP_SETUID, inheritable=0}) = 0
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=18467}, {effective=1<<CAP_DAC_OVERRIDE|1<<CAP_SETGID|1<<CAP_SETUID, permitted=1<<CAP_DAC_OVERRIDE|1<<CAP_SETGID|1<<CAP_SETUID, inheritable=0}) = 0
capset({version=_LINUX_CAPABILITY_VERSION_3, pid=18467}, {effective=1<<CAP_SETGID|1<<CAP_SETUID, permitted=1<<CAP_SETGID|1<<CAP_SETUID, inheritable=0}) = 0
chown("/tmp/test.pcap", 108, 114) = -1 EPERM (Operation not permitted)
tcpdump: Couldn't change ownership of savefile
+++ exited with 1 +++