aboutsummaryrefslogtreecommitdiffstats
path: root/doc/README.packaging
diff options
context:
space:
mode:
authorGerald Combs <gerald@wireshark.org>2010-04-08 00:02:29 +0000
committerGerald Combs <gerald@wireshark.org>2010-04-08 00:02:29 +0000
commit1426281ebdeb10aa8d39c7a0a83edfa87abf62f0 (patch)
tree35c497ed43c5e1fc937e3f8b3be6700a618072a6 /doc/README.packaging
parentf307dd5a31497fca3338f4965e51a0c168b200ab (diff)
Add --enable-setcap-install and --with-dumpcap-group.
svn path=/trunk/; revision=32421
Diffstat (limited to 'doc/README.packaging')
-rw-r--r--doc/README.packaging52
1 files changed, 31 insertions, 21 deletions
diff --git a/doc/README.packaging b/doc/README.packaging
index b3f42e1..b542dfb 100644
--- a/doc/README.packaging
+++ b/doc/README.packaging
@@ -40,36 +40,46 @@ privileges have been moved out of the GUI to dumpcap.
WIRESHARK CONTAINS NEARLY TWO MILLION LINES OF SOURCE CODE. DO NOT RUN
THEM AS ROOT.
-There are two configure-time options on non-Windows systems that affect
-the privileges a normal user needs to capture traffic and list
-interfaces: "--enable-setuid-install" and "--with-libcap". Setting
-"--enable-setuid-install" to "yes" will install dumpcap setuid root.
-This is necessary for non-root users to be able to capture on most
-systems, e.g. on Linux or FreeBSD if the user doesn't have permissions
-to access /dev/bpf*. It is disabled by default. Note that enabling this
-allows packet capture for ALL users on your system. If this is not
-desired, you should restrict dumpcap execution to a specific group or
-user.
+Warnings are displayed when Wireshark and TShark are run as root.
+
+There are several configure-time options on non-Windows systems that
+affect the privileges a normal user needs to capture traffic and list
+interfaces:
+
+ --enable-setcap-install Install dumpcap with cap_net_admin and
+ cap_net_raw capabilities. Linux only.
-If the "--with-libcap" option is enabled, dumpcap will try to drop any
-setuid privileges it may have while retaining the CAP_NET_ADMIN and
-CAP_NET_RAW capabilities. It is enabled by default, if the Linux
-capabilities library (on which it depends) is found.
+ --enable-setuid-install Install dumpcap setuid root.
-Warnings are displayed when Wireshark and TShark are run
-as root.
+ --with-libcap If running as root, try to grab
+ CAP_NET_ADMIN and CAP_NET_RAW, then drop
+ privileges. Linux only.
-For Linux systems that have libcap and the "setcap" utility you can
-avoid root altogether:
+ --with-dumpcap-group=... Restricts dumpcap execution to the
+ specified group.
+
+These are necessary for non-root users to be able to capture on most
+systems, e.g. on Linux or FreeBSD if the user doesn't have permissions
+to access /dev/bpf*. Setcap installation is preferred over setuid on
+Linux. If "--enable-setcap-install" is used it will override any setuid
+settings.
+
+The "--with-libcap" option is only useful when dumpcap is installed
+setuid. If it is enabled dumpcap will try to drop any setuid privileges
+it may have while retaining the CAP_NET_ADMIN and CAP_NET_RAW
+capabilities. It is enabled by default, if the Linux capabilities
+library (on which it depends) is found.
+
+Note that enabling setcap or setuid installation allows packet capture
+for ALL users on your system. If this is not desired, you can restrict
+dumpcap execution to a specific group or user. The following two examples
+show how to restrict access using setcap and setuid respectively:
# groupadd -g packetcapture
# chmod 750 /usr/bin/dumpcap
# chgrp packetcapture /usr/bin/dumpcap
# setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
-For Linux systems without filesystem capabilities you can limit root
-to dumpcap:
-
# groupadd -g packetcapture
# chgrp packetcapture /usr/bin/dumpcap
# chmod 4750 /usr/bin/dumpcap