author Gerald Combs <gerald@wireshark.org> 2008-02-27 01:22:51 +0000
committer Gerald Combs <gerald@wireshark.org> 2008-02-27 01:22:51 +0000
commit b202480fd8a155fe8f344765c0f80ffe5c1ef70a
tree b1cfe1490a80cabe8acdba32b46d277c1df86cec
parent a2b19b3603f1cb955f9fd37d31c849fa7599997d
Expand the setuid text a bit.
svn path=/trunk/; revision=24485
-rw-r--r-- INSTALL 8
-rw-r--r-- doc/README.packaging 5
2 files changed, 11 insertions, 2 deletions
diff --git a/INSTALL b/INSTALL
index e0da16ffca..6f40027721 100644
--- a/INSTALL
+++ b/INSTALL
@@ -138,7 +138,13 @@ README.win32 for those instructions.
use this switch.
--enable-setuid-install
- Use this switch to install dumpcap as setuid.
+ Wireshark and TShark rely on dumpcap for packet capture. Setting this
+ flag installs dumpcap with setuid root permissions, which lets any user
+ on the system capture live traffic. If this is not desired, you can
+ restrict dumpcap's permissions so that only a single user or group can
+ run it.
+
+ Running Wireshark or TShark as root is not recommended.
--without-pcap
If you choose to build a packet analyzer that can analyze
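Review bot: The added sentence "you can restrict dumpcap's permissions so that only a single user or group can run it" under --enable-setuid-install names the mitigation but gives the reader nothing to act on. Suggest adding one line that states the mechanism, for example changing the group owner of dumpcap and removing execute permission for other users, or a pointer to doc/README.packaging where the same advice appears. The closing line "Running Wireshark or TShark as root is not recommended." would also read better with a short reason attached, since the paragraph above it has just explained that capture is delegated to dumpcap and that is the point of the recommendation.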
diff --git a/doc/README.packaging b/doc/README.packaging
index 7b43e1da26..400b36e6cd 100644
--- a/doc/README.packaging
+++ b/doc/README.packaging
@@ -46,7 +46,10 @@ interfaces: "--enable-setuid-install" and "--with-libcap". Setting
"--enable-setuid-install" to "yes" will install dumpcap setuid root.
This is necessary for non-root users to be able to capture on most
systems, e.g. on Linux or FreeBSD if the user doesn't have permissions
-to access /dev/bpf*. It is disabled by default.
+to access /dev/bpf*. It is disabled by default. Note that enabling this
+allows packet capture for ALL users on your system. If this is not
+desired, you should restrict dumpcap execution to a specific group or
+user.
If the "--with-libcap" option is enabled, dumpcap will try to drop any
setuid privileges it may have while retaining the CAP_NET_ADMIN and
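Review bot: The added note in the "--enable-setuid-install" paragraph tells packagers to "restrict dumpcap execution to a specific group or user" without saying where in a package that restriction belongs. Since this file is addressed to packagers, suggest stating that the package should set the group ownership and mode on dumpcap at install time, and that who ends up in that group is a decision for the packager or the local administrator. The warning is also placed before the "--with-libcap" paragraph, and it is worth saying explicitly that it still applies there, because that paragraph describes dumpcap retaining CAP_NET_ADMIN after it drops setuid, so any user who can execute the binary can still capture. A smaller style point: the emphasis "ALL users" differs from the INSTALL wording "any user on the system" in the same commit, and using the same phrasing in both files would be more consistent.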