Using capabilities for libpcap apps
Serge E. Hallyn
serue at us.ibm.com
Wed Apr 7 13:47:43 UTC 2010
Quoting Miroslav Lichvar (mlichvar at redhat.com):
> On Tue, Apr 06, 2010 at 10:47:22PM +0200, Radek Vokál wrote:
> > Hi all,
> >
> > I need a few suggestions about this ..
> > https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> > Combs, the upstream maintainer of wireshark, suggests using
> > capabilities instead of consolehelper+root privileges for
> > dumpcap/wireshark. It makes a whole lot of sense, so I've looked if other
> > apps in Fedora are already using it and I haven't found any. Honestly
> > I'm not sure about the right way to use them. The idea is to add something
> > like the following to %post
> >
> > # groupadd -g wireshark
> > # chgrp wireshark /usr/bin/dumpcap
> > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
>
> This is useful to avoid having a setuid binary, but how will regular
> users get access to the wireshark group? Maybe through policykit?
The originally quoted URL also says:
# groupadd -g wireshark
# usermod -a -G wireshark gerald
-serge
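
Added example, not part of the original message and not Wireshark or Fedora packaging code: a Python audit for the setup discussed in this thread. It decodes a binary's security.capability xattr and checks the file mode, because the group only limits who gets the capabilities if others cannot execute the file. The function names and the sample xattr bytes are constructed for illustration.

```python
import os
import stat
import struct

# Capability bit numbers from <linux/capability.h>.
CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw"}
WANTED = set(CAP_NAMES)  # what the setcap lines in the thread grant
# Constructed sample: the xattr for cap_net_raw,cap_net_admin+eip (revision 2).
SAMPLE_XATTR = struct.pack("<5I", 0x02000001, 0x3000, 0x3000, 0, 0)

def decode_file_caps(raw):
    """Decode a security.capability xattr (struct vfs_cap_data, little-endian)."""
    if len(raw) < 4:
        raise ValueError("truncated security.capability value")
    magic = struct.unpack_from("<I", raw)[0]
    # Revision 1 carries one 32-bit word per set, revisions 2 and 3 carry two.
    words = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}.get(magic & 0xFF000000)
    if words is None or len(raw) < 4 + 8 * words:
        raise ValueError("unrecognised security.capability value")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    bits = lambda mask: {n for n in range(64) if mask >> n & 1}
    return {"permitted": bits(permitted), "inheritable": bits(inheritable),
            "effective": bool(magic & 0x1)}  # low bit is the "e" in +eip

def audit(mode, gid, want_gid, raw_xattr):
    """Return findings for a capture binary that carries file capabilities."""
    findings = []
    if mode & stat.S_IXOTH:
        findings.append("others can execute: group membership restricts nothing")
    if gid != want_gid:
        findings.append("group is %d, expected %d" % (gid, want_gid))
    caps = decode_file_caps(raw_xattr)
    extra, missing = caps["permitted"] - WANTED, WANTED - caps["permitted"]
    if extra:
        findings.append("extra capabilities (bit numbers): %s" % sorted(extra))
    if missing:
        findings.append("missing: %s" % sorted(CAP_NAMES[c] for c in missing))
    if not caps["effective"]:
        findings.append("effective flag not set")
    return findings

def audit_path(path, want_gid):
    """Audit a real file; raises OSError if it has no security.capability xattr."""
    st = os.stat(path)
    return audit(st.st_mode, st.st_gid, want_gid,
                 os.getxattr(path, "security.capability"))
```

Call audit_path("/usr/bin/dumpcap", gid) with the numeric gid of the wireshark group; an empty list means the mode, group and capability set match what the thread describes.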