Jeff Morriss
changed
bug 10735
Comment # 8
on bug 10735
from Jeff Morriss
(In reply to Stephen Fisher from comment #4)
> (In reply to yuri from comment #3)
> > Thanks, I didn't think of dumpcap first.
> >
> > On BSD, adding this line to /etc/devfs.rules:
> > add path 'bpf*' mode 0660 group network
> >
> > and placing /usr/local/bin/dumpcap into network and 'setgid' it seems more
> > generic solution?
>
> Yes. There are a couple of configure script options you may want to look at:
>
> --with-dumpcap=GROUP restrict dumpcap to GROUP
> --enable-setuid-install install dumpcap as setuid [default=no]
>
> But there isn't an option to dumpcap as setgid at this time.
Wouldn't it make more sense to not make dumpcap setgid but rather put users who
are allowed to use it in the 'network' group? (Or to do like the Linux distros
do and create a 'wireshark' group and make the bpf devices readable by members
of that group?) That way the admin can still control who can run dumpcap.
dumpcap has the setuid option for systems which don't have capabilities (or bpf
permissions) which allow dumpcap to run without elevated privileges.
You are receiving this mail because:
- You are watching all bug changes.