From 0594fa1ab259c7b906375b88a6243813f463fb01 Mon Sep 17 00:00:00 2001
From: Maria Matejka <mq@ucw.cz>
Date: Sun, 4 Aug 2024 15:36:58 +0200
Subject: [PATCH] Don't touch groups with -Z root.

In single-user namespaces, calling initgroups() is forbidden.
This enables tcpdump to be compiled with forced privilege separation
while keeping the ability to actually run in an isolated environment
where the privilege separation is already done by other means.
---
 tcpdump.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tcpdump.c b/tcpdump.c
index d6b8e600c..53f71ff20 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -724,7 +724,10 @@ droproot(const char *username, const char *chroot_dir)
 				fprintf(stderr, "dropped privs to %s\n", username);
 		}
 #else
-		if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
+
+		if ((pw->pw_gid == 0) && (pw->pw_uid == 0))
+			fprintf(stderr, "requested to not drop privs\n");
+		else if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
 		    setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
 			error("Couldn't change to '%.32s' uid=%lu gid=%lu: %s",
 				username,