Using capabilities for libpcap apps

Miroslav Lichvar mlichvar at
Wed Apr 7 10:08:14 UTC 2010

On Tue, Apr 06, 2010 at 10:47:22PM +0200, Radek Vokál wrote:
> Hi all,
>   I need few suggestions about this .. 
> .. Gerald 
> Combs, the upstream maintainer of wireshark, suggests to use 
> capabilities instead of consolehelper+root privileges for 
> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other 
> apps in Fedora are already using it and I haven't found any. Honestly 
> I'm not sure about right way to use them. The idea is to add something 
> like following to %post
> # groupadd -g wireshark
> # chgrp wireshark /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark

This is useful to avoid having setuid binary, but how will regular
users get access to the wireshark group? Maybe through policykit?

Miroslav Lichvar

More information about the devel mailing list