-rw-r--r--Makefile.am14
-rw-r--r--configure.in58
-rw-r--r--doc/README.packaging52
3 files changed, 99 insertions, 25 deletions
diff --git a/Makefile.am b/Makefile.am
index 1ee3d5a748..afd72111a5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -817,12 +817,20 @@ EXTRA_DIST = \
wireshark.desktop \
wka.tmpl
-if SETUID_INSTALL
install-exec-hook:
- -chmod +s $(DESTDIR)$(bindir)/dumpcap
+if HAVE_DUMPCAP_GROUP
+ -chgrp $(DUMPCAP_GROUP) $(DESTDIR)$(bindir)/dumpcap
+endif
+if SETCAP_INSTALL
+ -$(SETCAP) cap_net_raw,cap_net_admin+eip $(DESTDIR)$(bindir)/dumpcap
+ -chmod o-rws $(DESTDIR)$(bindir)/dumpcap
else
-install-exec-hook:
+if SETUID_INSTALL
+ -chmod o-rws $(DESTDIR)$(bindir)/dumpcap
+ -chmod +s $(DESTDIR)$(bindir)/dumpcap
endif
+endif
+
DIST_SUBDIRS = asn1 codecs doc epan gtk help packaging plugins tools wiretap wsutil docbook
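Review bot: `chmod o-rws` is applied in both the SETCAP_INSTALL and the SETUID_INSTALL branches whether or not HAVE_DUMPCAP_GROUP is set, so an install with no `--with-dumpcap-group` leaves dumpcap with its default (root) group and no access for others, and non-root users cannot execute it at all — the opposite of what the README hunk in this same commit says about setcap/setuid installation enabling capture for all users. Moving the restriction next to the ownership change, i.e. `-chgrp $(DUMPCAP_GROUP) $(DESTDIR)$(bindir)/dumpcap` followed by `-chmod o-rws $(DESTDIR)$(bindir)/dumpcap` inside the `if HAVE_DUMPCAP_GROUP` block and dropping the two copies below, makes both the unrestricted and the group-restricted layouts reachable. Because every command carries the `-` prefix, a `chgrp` to a nonexistent group or a failing `$(SETCAP)` is silently ignored and `make install` still reports success, leaving either a root-only binary or one without capabilities; the chgrp and setcap lines are the ones worth running without `-` so that failure is visible. `chmod +s` sets setgid as well as setuid, while the README example in this commit uses mode 4750 (setuid only); `chmod u+s` matches the documented layout.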
diff --git a/configure.in b/configure.in
index 57f7aa5412..7649afeb67 100644
--- a/configure.in
+++ b/configure.in
@@ -1251,6 +1251,28 @@ else
fi
+dnl Check if dumpcap should be installed with filesystem capabilities
+AC_PATH_PROG(SETCAP, setcap)
+AC_ARG_ENABLE(setcap-install,
+ AC_HELP_STRING( [--enable-setcap-install],
+ [install dumpcap with cap_net_admin and cap_net_raw @<:@default=no@:>@]),
+ enable_setcap_install=$enableval,enable_setcap_install=no)
+
+AC_MSG_CHECKING(whether to install dumpcap with cap_net_admin and cap_net_raw capabilities)
+if test "x$enable_setcap_install" = "xno" ; then
+ AC_MSG_RESULT(no)
+else
+ if test "x$SETCAP" = "x" ; then
+ AC_MSG_RESULT(no. Setcap not found)
+ elif test "x$enable_dumpcap" = "xno" ; then
+ AC_MSG_ERROR(Setcap install works only with dumpcap but dumpcap is disabled)
+ else
+ AC_MSG_RESULT(yes)
+ fi
+fi
+
+AM_CONDITIONAL(SETCAP_INSTALL, test x$enable_setcap_install = xyes)
+
dnl Check if dumpcap should be installed setuid
AC_ARG_ENABLE(setuid-install,
AC_HELP_STRING( [--enable-setuid-install],
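Review bot: When `--enable-setcap-install` is given but no `setcap` binary is found, the `AC_MSG_RESULT(no. Setcap not found)` branch only prints a message and leaves `enable_setcap_install` at `yes`, so `AM_CONDITIONAL(SETCAP_INSTALL, ...)` is still true, the setuid check in the hunk at @@ -1261 then disables setuid "using setcap instead", and the summary in the hunk at @@ -1857 reports `yes`. At install time the hook presumably runs an empty `$(SETCAP)` that fails under the `-` prefix and then strips other-access, so a user who explicitly requested a privileged dumpcap ends up with an unprivileged, root-only one and no error. Either reset the variable in that branch, `enable_setcap_install=no`, or stop configure there with `AC_MSG_ERROR([setcap not found; it is required for --enable-setcap-install])`; failing loudly is the safer choice for an option whose whole purpose is granting capabilities.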
@@ -1261,7 +1283,10 @@ AC_MSG_CHECKING(whether to install dumpcap setuid)
if test "x$enable_setuid_install" = "xno" ; then
AC_MSG_RESULT(no)
else
- if test "x$enable_dumpcap" = "xno" ; then
+ if test "x$enable_setcap_install" = "xyes" ; then
+ enable_setuid_install=no
+ AC_MSG_RESULT(no; using setcap instead)
+ elif test "x$enable_dumpcap" = "xno" ; then
AC_MSG_ERROR(Setuid install works only with dumpcap but dumpcap is disabled)
else
AC_MSG_RESULT(yes)
@@ -1271,6 +1296,22 @@ fi
AM_CONDITIONAL(SETUID_INSTALL, test x$enable_setuid_install = xyes)
AC_CHECK_FUNCS(setresuid setresgid)
+dnl ...but our Network Operations group is named "no"!
+DUMPCAP_GROUP=''
+AC_ARG_WITH(dumpcap-group,
+ AC_HELP_STRING( [--with-dumpcap-group=GROUP],
+ [restrict dumpcap to GROUP]),
+[
+ if test "x$withval" = "xyes"; then
+ AC_MSG_ERROR([No dumpcap group specified.])
+ elif test "x$withval" != "xno"; then
+ AC_MSG_RESULT($withval)
+ DUMPCAP_GROUP="$withval"
+ fi
+])
+AC_SUBST(DUMPCAP_GROUP)
+AM_CONDITIONAL(HAVE_DUMPCAP_GROUP, test x$DUMPCAP_GROUP != x)
+
dnl libcap (not libpcap) check
LIBCAP_LIBS=''
AC_MSG_CHECKING(whether to use the libcap capabilities library)
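Review bot: `AM_CONDITIONAL(HAVE_DUMPCAP_GROUP, test x$DUMPCAP_GROUP != x)` expands the user-supplied group name unquoted, unlike the `"x$..."` comparisons used elsewhere in this file; `test "x$DUMPCAP_GROUP" != x` is the consistent and shell-safe form. The `AC_MSG_RESULT($withval)` inside the `AC_ARG_WITH` body has no matching `AC_MSG_CHECKING`, so the group name is printed as a bare line in configure output; a `AC_MSG_CHECKING(for dumpcap group)` before the macro, with a result in both the set and the unset case, would read cleanly. The value is not validated against the group database at configure time, which is defensible for cross-builds, but it is worth noting in the help string that a misspelled group is only detected by chgrp at install time.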
@@ -1857,12 +1898,25 @@ dnl AC_CONFIG_FILES([tools/setuid-root.pl], [chmod +x tools/setuid-root.pl])
# Pretty messages
+if test "x$enable_setcap_install" = "xyes" ; then
+ setcap_message="yes"
+else
+ setcap_message="no"
+fi
+
+
if test "x$enable_setuid_install" = "xyes" ; then
setuid_message="yes"
else
setuid_message="no"
fi
+if test "x$DUMPCAP_GROUP" = "x" ; then
+ dumpcap_group_message="(none)"
+else
+ dumpcap_group_message="$DUMPCAP_GROUP"
+fi
+
if test "x$want_zlib" = "xno" ; then
zlib_message="no"
else
@@ -1948,7 +2002,9 @@ echo " Build randpkt : $enable_randpkt"
echo " Build dftest : $enable_dftest"
echo " Build rawshark : $enable_rawshark"
echo ""
+echo " Install dumpcap with capabilities : $setcap_message"
echo " Install dumpcap setuid : $setuid_message"
+echo " Use dumpcap group : $dumpcap_group_message"
echo " Use plugins : $have_plugins"
echo " Use lua library : $lua_message"
echo " Use python binding : $python_message"
diff --git a/doc/README.packaging b/doc/README.packaging
index b3f42e1a40..b542dfb82f 100644
--- a/doc/README.packaging
+++ b/doc/README.packaging
@@ -40,36 +40,46 @@ privileges have been moved out of the GUI to dumpcap.
WIRESHARK CONTAINS NEARLY TWO MILLION LINES OF SOURCE CODE. DO NOT RUN
THEM AS ROOT.
-There are two configure-time options on non-Windows systems that affect
-the privileges a normal user needs to capture traffic and list
-interfaces: "--enable-setuid-install" and "--with-libcap". Setting
-"--enable-setuid-install" to "yes" will install dumpcap setuid root.
-This is necessary for non-root users to be able to capture on most
-systems, e.g. on Linux or FreeBSD if the user doesn't have permissions
-to access /dev/bpf*. It is disabled by default. Note that enabling this
-allows packet capture for ALL users on your system. If this is not
-desired, you should restrict dumpcap execution to a specific group or
-user.
+Warnings are displayed when Wireshark and TShark are run as root.
+
+There are several configure-time options on non-Windows systems that
+affect the privileges a normal user needs to capture traffic and list
+interfaces:
+
+ --enable-setcap-install Install dumpcap with cap_net_admin and
+ cap_net_raw capabilities. Linux only.
-If the "--with-libcap" option is enabled, dumpcap will try to drop any
-setuid privileges it may have while retaining the CAP_NET_ADMIN and
-CAP_NET_RAW capabilities. It is enabled by default, if the Linux
-capabilities library (on which it depends) is found.
+ --enable-setuid-install Install dumpcap setuid root.
-Warnings are displayed when Wireshark and TShark are run
-as root.
+ --with-libcap If running as root, try to grab
+ CAP_NET_ADMIN and CAP_NET_RAW, then drop
+ privileges. Linux only.
-For Linux systems that have libcap and the "setcap" utility you can
-avoid root altogether:
+ --with-dumpcap-group=... Restricts dumpcap execution to the
+ specified group.
+
+These are necessary for non-root users to be able to capture on most
+systems, e.g. on Linux or FreeBSD if the user doesn't have permissions
+to access /dev/bpf*. Setcap installation is preferred over setuid on
+Linux. If "--enable-setcap-install" is used it will override any setuid
+settings.
+
+The "--with-libcap" option is only useful when dumpcap is installed
+setuid. If it is enabled dumpcap will try to drop any setuid privileges
+it may have while retaining the CAP_NET_ADMIN and CAP_NET_RAW
+capabilities. It is enabled by default, if the Linux capabilities
+library (on which it depends) is found.
+
+Note that enabling setcap or setuid installation allows packet capture
+for ALL users on your system. If this is not desired, you can restrict
+dumpcap execution to a specific group or user. The following two examples
+show how to restrict access using setcap and setuid respectively:
# groupadd -g packetcapture
# chmod 750 /usr/bin/dumpcap
# chgrp packetcapture /usr/bin/dumpcap
# setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
-For Linux systems without filesystem capabilities you can limit root
-to dumpcap:
-
# groupadd -g packetcapture
# chgrp packetcapture /usr/bin/dumpcap
# chmod 4750 /usr/bin/dumpcap