Wireshark-dev: Re: [Wireshark-dev] CapturePrivileges not working

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Mon, 13 Oct 2014 22:20:58 +0200
On Monday 13 October 2014 11:07:43 Roland Knall wrote:
> No, it's a cmake out-of-tree build. There simply does not seem to be a way
> to set dumpcap correctly. Fun part is, that even dumpcap is set suid, it
> still does not bring any output run by my user with "dumpcap -D".

Well, if the owner of dumpcap is not root, then the suid bit won't make you
root.

> Only "sudo dumpcap -D" lists any interfaces.

`sudo ./dumpcap -D` I guess?

> With ldd the only library used is wsutil (which should not be an issue), and
> there are no residual .lib/lt-* files lying around. But I have also built it
> now with autotools (just to ensure that it is not a cmake-related issue), and
> still it does not work:
> 
> $ getcap dumpcap .libs/lt-dumpcap
> dumpcap = cap_net_admin,cap_net_raw+eip
> .libs/lt-dumpcap = cap_net_admin,cap_net_raw+eip
> $ ls -l dumpcap .libs/lt-dumpcap
> -rwxr-xr-x 1 knallr knallr   9120 Okt 13 11:02 dumpcap
> -rwxr-xr-x 1 knallr knallr 279816 Okt 13 11:03 .libs/lt-dumpcap
> $ ./dumpcap -D
> dumpcap: There are no interfaces on which a capture can be done

I think this should work as lt-dumocao has the right capabilities. What
filesystem is this on? tmpfs does not support filesystem capabilities.

What I generally do when I need to capture something is using the global dumpcap
binary which has the right capabilities. Run the following from the cmake build
dir to replace the built dumpcap with the globally installed dumpcap:

    ln -svf /usr/bin/dumpcap run/dumpcap

-- 
Kind regards,
Peter
https://lekensteyn.nl