Using capabilities for libpcap apps

Steve Grubb sgrubb at
Thu Apr 8 20:49:59 UTC 2010

On Tuesday 06 April 2010 04:47:22 pm Radek Vokál wrote:
>   I need a few suggestions about this ..
> .. Gerald
> Combs, the upstream maintainer of wireshark, suggests to use
> capabilities instead of consolehelper+root privileges for
> dumpcap/wireshark. It makes a whole lot of sense, so I've looked if other
> apps in Fedora are already using it and I haven't found any. Honestly
> I'm not sure about the right way to use them. The idea is to add something
> like the following to %post
> # groupadd -g wireshark
> # chgrp wireshark /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
> Suggestions? Ideas? Spec file patches?

rpm supposedly has native support for capabilities. That would mean that you 
don't need to call setcap.
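
A spec-file sketch of the approach suggested in the reply, added here as an example and not taken from the thread or from the wireshark package. It assumes an rpm new enough to understand the `%caps` file attribute (4.7 or later) and reuses the `wireshark` group name from the quoted proposal; the 0750 mode and the `=ep` flag set are choices made for this example.

```spec
# Added example: file capabilities declared in the package payload
# instead of being applied by setcap in a %post scriptlet.

Requires(pre): shadow-utils

%pre
# The group must exist before the payload is unpacked, otherwise
# %attr below cannot resolve it to a GID.
getent group wireshark >/dev/null || groupadd -r wireshark
exit 0

%files
# Mode 0750 with group wireshark: only root and members of the group
# can execute the capture helper. A plain chgrp that leaves the
# "other" execute bit set would not restrict who gets the
# capabilities, since any user could still run the binary.
#
# =ep sets the permitted and effective sets; the inheritable flag
# from the quoted setcap line is left out because the helper does not
# need to pass capabilities on to programs it executes (assumption of
# this example).
%attr(0750, root, wireshark) %caps(cap_net_raw,cap_net_admin=ep) %{_bindir}/dumpcap

# After installation, check the result with:
#   getcap /usr/bin/dumpcap
#   ls -l /usr/bin/dumpcap
```

Because the capabilities live in the package metadata, `rpm -V` can report a binary whose capabilities were changed after installation, which a `setcap` call in `%post` does not give you.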

