Ethereal-users: Re: [Ethereal-users] Give user read-only access to eth0?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 09 Mar 2005 10:11:46 -0800
Jago Pearce wrote:

I'd like to give a user access to sniffing without allowing them to
trash everything.

Is there a better way of doing this?

I'd say "install {Free,Net,Open}BSD or Darwin and give them read-only access to /dev/bpf*", but that's probably not a solution that'd work for you, and it wouldn't give you access to eth0 in any case, as, after doing that, the interface wouldn't be called "eth0", it'd have some other name such as "fxp0" or "en0". :-)

Unfortunately, even if you could arrange that Ethereal, when run by a particular user, had particular capability bits, I don't *think* Linux has separate capability bits for "capture raw packets" and "send raw packets" - I think CAP_NET_RAW gives you both capabilities.

If that's not so, and there are separate bits in newer kernels, and you can arrange that Ethereal, when run by a particular user, has the "capture" capability but not the "send" capability, that might work - but I don't know whether the capability bits are supported to the extent that you can do that.