From 1426281ebdeb10aa8d39c7a0a83edfa87abf62f0 Mon Sep 17 00:00:00 2001 From: Gerald Combs Date: Thu, 8 Apr 2010 00:02:29 +0000 Subject: Add --enable-setcap-install and --with-dumpcap-group. svn path=/trunk/; revision=32421 --- doc/README.packaging | 52 +++++++++++++++++++++++++++++++--------------------- 1 file changed, 31 insertions(+), 21 deletions(-) (limited to 'doc/README.packaging') diff --git a/doc/README.packaging b/doc/README.packaging index b3f42e1a40..b542dfb82f 100644 --- a/doc/README.packaging +++ b/doc/README.packaging 
@@ -40,36 +40,46 @@ privileges have been moved out of the GUI to dumpcap. WIRESHARK CONTAINS NEARLY TWO MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT. -There are two configure-time options on non-Windows systems that affect -the privileges a normal user needs to capture traffic and list -interfaces: "--enable-setuid-install" and "--with-libcap". Setting -"--enable-setuid-install" to "yes" will install dumpcap setuid root. -This is necessary for non-root users to be able to capture on most -systems, e.g. on Linux or FreeBSD if the user doesn't have permissions -to access /dev/bpf*. It is disabled by default. Note that enabling this -allows packet capture for ALL users on your system. If this is not -desired, you should restrict dumpcap execution to a specific group or -user. +Warnings are displayed when Wireshark and TShark are run as root. + +There are several configure-time options on non-Windows systems that +affect the privileges a normal user needs to capture traffic and list +interfaces: + + --enable-setcap-install Install dumpcap with cap_net_admin and + cap_net_raw capabilities. Linux only. -If the "--with-libcap" option is enabled, dumpcap will try to drop any -setuid privileges it may have while retaining the CAP_NET_ADMIN and -CAP_NET_RAW capabilities. It is enabled by default, if the Linux -capabilities library (on which it depends) is found. + --enable-setuid-install Install dumpcap setuid root. -Warnings are displayed when Wireshark and TShark are run -as root. + --with-libcap If running as root, try to grab + CAP_NET_ADMIN and CAP_NET_RAW, then drop + privileges. Linux only. -For Linux systems that have libcap and the "setcap" utility you can -avoid root altogether: + --with-dumpcap-group=... Restricts dumpcap execution to the + specified group. + +These are necessary for non-root users to be able to capture on most +systems, e.g. on Linux or FreeBSD if the user doesn't have permissions +to access /dev/bpf*. 
Setcap installation is preferred over setuid on +Linux. If "--enable-setcap-install" is used it will override any setuid +settings. + +The "--with-libcap" option is only useful when dumpcap is installed +setuid. If it is enabled dumpcap will try to drop any setuid privileges +it may have while retaining the CAP_NET_ADMIN and CAP_NET_RAW +capabilities. It is enabled by default, if the Linux capabilities +library (on which it depends) is found. + +Note that enabling setcap or setuid installation allows packet capture +for ALL users on your system. If this is not desired, you can restrict +dumpcap execution to a specific group or user. The following two examples +show how to restrict access using setcap and setuid respectively: # groupadd -g packetcapture # chmod 750 /usr/bin/dumpcap # chgrp packetcapture /usr/bin/dumpcap # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap -For Linux systems without filesystem capabilities you can limit root -to dumpcap: - # groupadd -g packetcapture # chgrp packetcapture /usr/bin/dumpcap # chmod 4750 /usr/bin/dumpcap -- cgit v1.2.3
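Review bot: In both restriction examples that the new "The following two examples show how to restrict access" sentence introduces, "groupadd -g packetcapture" passes the group name as the argument to -g, which expects a numeric GID, so the command fails as written; since the patch now presents these as the reference procedure, change them to "groupadd packetcapture" (or supply a GID before the name). In the paragraph just above them, the warning that setcap or setuid installation allows capture for ALL users only shows the manual chgrp/chmod steps; it should point to the new --with-dumpcap-group option as the configure-time way to get the same restriction, because the option list introduces it and nothing else explains how it relates to the examples. The rewritten option list also loses the removed sentence "It is disabled by default" for --enable-setuid-install and gives no default for --enable-setcap-install, so a packager can no longer tell from this file what a plain configure run installs; state both defaults. Last, "These are necessary for non-root users to be able to capture" now reads as covering all four options, including --with-dumpcap-group, which narrows access rather than granting it; limit that sentence to the setcap and setuid install options.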