Using capabilities for libpcap apps
Colin Walters
walters at verbum.org
Wed Apr 7 14:00:50 UTC 2010
2010/4/6 Radek Vokál <radekvokal at gmail.com>:
> Hi all,
>
> I need few suggestions about this ..
> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> Combs, the upstream maintainer of wireshark, suggests to use
> capabilities instead of consolehelper+root privileges for
> dumpcap/wireshark.
Using PolicyKit instead of hardcoding a Unix group gives a lot more
flexibility to system administrators. For example, in Fedora we
could interactively prompt for the root password by default. Or we
could default to allowing "console users" auth. Or require the user's
password. Or in fact, allow it for a given Unix group.
Basically, you already have the privileged component/user session
separation, which is great, so the dumpcap program just needs to be
runnable as a DBus service, it could expose say an API to get a file
descriptor which gives a dump stream for a given interface.
Documentation lives at: http://hal.freedesktop.org/docs/PolicyKit/
More information about the devel
mailing list