help-guix
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Running Wireshark as non-root


From: Ludovic Courtès
Subject: Re: Running Wireshark as non-root
Date: Thu, 24 Nov 2016 18:18:57 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Hello!

Petter <address@hidden> skribis:

> From what I gather it's not the Wireshark binary that needs a
> permission boost, but the program
> "dumpcap".
>
> The steps I'm trying to follow is along these lines:
> `chmod 750 /usr/bin/dumpcap`
> `chgrp wireshark /usr/bin/dumpcap`
> `setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap`
>
> (Using ~/.guix-profile/bin/dumpcap instead of /usr/bin/dumpcap)
>
> This fails immediately because the store is mounted Read-Only.

Right.  Linux “capabilities” are not supported in the store, so a
different mechanism is needed.

Since network interfaces do not have an entry in the file system, I
think we’re left with sudo and setuid.

That is, if you’re on GuixSD, and if you want to allow all the users on
that machine to use Wireshark, you can add it to the ‘setuid-programs’
field of the configuration, which will make it setuid-root (beware!).

Otherwise, if it’s a single-user machine, I’d recommend
“sudo wireshark”.

> Also, I'm thinking it would make sense that Wireshark/Dumpcap where
> installed with a non-root
> group and the necessary capabilities to run as a non-root user. So,
> users would just install and
> add themselves to the correct group and be off sniffing packets.

Storing capabilities or setuid bits in the store would break the whole
security model: anyone could populate the store with software that
chooses its privileges, and you wouldn’t have a say.

HTH!

Ludo’.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]