diff options
author | Gerald Combs <gerald@wireshark.org> | 2008-02-27 01:22:51 +0000 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2008-02-27 01:22:51 +0000 |
commit | b202480fd8a155fe8f344765c0f80ffe5c1ef70a (patch) | |
tree | b1cfe1490a80cabe8acdba32b46d277c1df86cec | |
parent | a2b19b3603f1cb955f9fd37d31c849fa7599997d (diff) |
Expand the setuid text a bit.
svn path=/trunk/; revision=24485
-rw-r--r-- | INSTALL | 8 | ||||
-rw-r--r-- | doc/README.packaging | 5 |
2 files changed, 11 insertions, 2 deletions
@@ -138,7 +138,13 @@ README.win32 for those instructions. use this switch. --enable-setuid-install - Use this switch to install dumpcap as setuid. + Wireshark and TShark rely on dumpcap for packet capture. Setting this + flag installs dumpcap with setuid root permissions, which lets any user + on the system capture live traffic. If this is not desired, you can + restrict dumpcap's permissions so that only a single user or group can + run it. + + Running Wireshark or TShark as root is not recommended. --without-pcap If you choose to build a packet analyzer that can analyze diff --git a/doc/README.packaging b/doc/README.packaging index 7b43e1da26..400b36e6cd 100644 --- a/doc/README.packaging +++ b/doc/README.packaging @@ -46,7 +46,10 @@ interfaces: "--enable-setuid-install" and "--with-libcap". Setting "--enable-setuid-install" to "yes" will install dumpcap setuid root. This is necessary for non-root users to be able to capture on most systems, e.g. on Linux or FreeBSD if the user doesn't have permissions -to access /dev/bpf*. It is disabled by default. +to access /dev/bpf*. It is disabled by default. Note that enabling this +allows packet capture for ALL users on your system. If this is not +desired, you should restrict dumpcap execution to a specific group or +user. If the "--with-libcap" option is enabled, dumpcap will try to drop any setuid privileges it may have while retaining the CAP_NET_ADMIN and |