Using capabilities for libpcap apps

Dan Horák dan at
Wed Apr 7 06:31:44 UTC 2010

Radek Vokál píše v Út 06. 04. 2010 v 22:47 +0200: 
> Hi all,
>   I need few suggestions about this .. 
> .. Gerald 
> Combs, the upstream maintainer of wireshark, suggests to use 
> capabilities instead of consolehelper+root privileges for 
> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other 
> apps in Fedora are already using it and I haven't found any. Honestly 
> I'm not sure about right way to use them. The idea is to add something 
> like following to %post
> # groupadd -g wireshark
> # chgrp wireshark /usr/bin/dumpcap

for creating the group you should use the standard scriptlet from and set the
group via %attr in %files

> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark

I would add this commands to %post too


More information about the devel mailing list