On Sat, Sep 08, 2001 at 02:47:45AM -0400, Publilius Syrus wrote:
> Ethereal installed ok. I start x with xdm. As a regular user, ethereal will
> start (but not listen, lacking sufficient rights).
Note that, on some platforms, it may be possible to allow some users to
capture packets without becoming root. The tcpdump man page discusses
this; the version of the man page in the tcpdump CVS tree gives a more
complete description than earlier versions:
Reading packets from a network interface may require that
you have special privileges:
Under SunOS 3.x or 4.x with NIT or BPF:
You must have read access to /dev/nit or /dev/bpf*.
Under Solaris with DLPI:
You must have read/write access to the network
pseudo device, e.g. /dev/le. On at least some
versions of Solaris, however, this is not suffi-
cient to allow tcpdump to capture in promiscuous
mode; on those versions of Solaris, you must be
root, or tcpdump must be installed setuid to root,
in order to capture in promiscuous mode.
Under HP-UX with DLPI:
You must be root or tcpdump must be installed
setuid to root.
Under IRIX with snoop:
You must be root or tcpdump must be installed
setuid to root.
Under Linux:
You must be root or tcpdump must be installed
setuid to root.
Under Ultrix and Digital UNIX:
Once the super-user has enabled promiscuous-mode
operation using pfconfig(8), any user may capture
network traffic with tcpdump.
Under BSD:
You must have read access to /dev/bpf*.
(The note about Linux isn't, strictly speaking, true - any process with
the CAP_NET_RAW capability can, on systems with 2.2 or later kernels,
capture, even if the effective user-ID isn't root - but I've yet to see
any usermode support for associating capability flags with accounts on
any Linux system, so, in practice, there's no convenient way I've seen
to give a user's processes that capability.)
> But if I su in a terminal
> window, and try to start ethereal, I get a message that connection to 0.0
> refused by server; client not authorized to connect to server; and a gtk
> message cannot open display :0.0
This isn't an Ethereal-specific issue; it's a general issue with X
applications running as root.
> I am not trying to access this server from another machine. Everything is on
> my one machine. I just want to run ethereal from my regular user account. From
> what I can determine, xauth is the culprit,
The access controls done by the X server are the culprit; however...
> and I somehow need to take a MIT-MAGIC-COOKIE and put it somewhere.
...that might not be necessary.
At least for accesses from the local host, if I remember correctly, you
can just do
xhost +local:root
to add the super-user to the list of user IDs allowed to connect to the
X server from the local host.