Add an OS X startup item to set the permissions and/or ownership of the
BPF devices, and add a README.macosx file to explain how to install and use that startup item.
This commit is contained in:
parent
59f566ecfb
commit
4b1ac36c83
|
@ -0,0 +1,33 @@
|
|||
#! /bin/sh
|
||||
|
||||
. /etc/rc.common
|
||||
|
||||
StartService ()
|
||||
{
|
||||
#
|
||||
# Unfortunately, Mac OS X's devfs is based on the old FreeBSD
|
||||
# one, not the current one, so there's no way to configure it
|
||||
# to create BPF devices with particular owners or groups.
|
||||
# This startup item will make it owned by the admin group,
|
||||
# with permissions rw-rw----, so that anybody in the admin
|
||||
# group can use programs that capture or send raw packets.
|
||||
#
|
||||
# Change this as appropriate for your site, e.g. to make
|
||||
# it owned by a particular user without changing the permissions,
|
||||
# so only that user and the super-user can capture or send raw
|
||||
# packets, or give it the permissions rw-r-----, so that
|
||||
# only the super-user can send raw packets but anybody in the
|
||||
# admin group can capture packets.
|
||||
#
|
||||
chgrp admin /dev/bpf*
|
||||
chmod g+rw /dev/bpf*
|
||||
}
|
||||
|
||||
StopService ()
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
RestartService () { StartService; }
|
||||
|
||||
RunService "$1"
|
|
@ -0,0 +1,4 @@
|
|||
{
|
||||
Description = "Change BPF permissions";
|
||||
Provides = ("Non-root permission to capture or send raw packets");
|
||||
}
|
3
FILES
3
FILES
|
@ -1,4 +1,6 @@
|
|||
CHANGES
|
||||
ChmodBPF/ChmodBPF
|
||||
ChmodBPF/StartupParameters.plist
|
||||
CREDITS
|
||||
FILES
|
||||
INSTALL.txt
|
||||
|
@ -9,6 +11,7 @@ README.aix
|
|||
README.dag
|
||||
README.hpux
|
||||
README.linux
|
||||
README.macosx
|
||||
README.tru64
|
||||
README.Win32
|
||||
SUNOS4/nit_if.o.sparc
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
@(#) $Header: /tcpdump/master/libpcap/INSTALL.txt,v 1.10 2004-04-05 22:43:50 guy Exp $ (LBL)
|
||||
@(#) $Header: /tcpdump/master/libpcap/INSTALL.txt,v 1.11 2004-10-18 09:51:02 guy Exp $ (LBL)
|
||||
|
||||
To build libpcap, run "./configure" (a shell script). The configure
|
||||
script will determine your system attributes and generate an
|
||||
|
@ -295,6 +295,8 @@ timestamp resolution if it finds it's running on a SS-1).
|
|||
FILES
|
||||
-----
|
||||
CHANGES - description of differences between releases
|
||||
ChmodBPF/* - Mac OS X startup item to set ownership and permissions
|
||||
on /dev/bpf*
|
||||
CREDITS - people that have helped libpcap along
|
||||
FILES - list of files exported as part of the distribution
|
||||
INSTALL.txt - this file
|
||||
|
@ -305,6 +307,7 @@ README.aix - notes on using libpcap on AIX
|
|||
README.dag - notes on using libpcap to capture on Endace DAG devices
|
||||
README.hpux - notes on using libpcap on HP-UX
|
||||
README.linux - notes on using libpcap on Linux
|
||||
README.macosx - notes on using libpcap on Mac OS X
|
||||
README.tru64 - notes on using libpcap on Digital/Tru64 UNIX
|
||||
README.Win32 - notes on using libpcap on Win32 systems (with WinPcap)
|
||||
SUNOS4 - pre-SunOS 4.1 replacement kernel nit modules
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
As with other systems using BPF, Mac OS X allows users with read access
|
||||
to the BPF devices to capture packets with libpcap and allows users with
|
||||
write access to the BPF devices to send packets with libpcap.
|
||||
|
||||
On some systems that use BPF, the BPF devices live on the root file
|
||||
system, and the permissions and/or ownership on those devices can be
|
||||
changed to give users other than root permission to read or write those
|
||||
devices.
|
||||
|
||||
On newer versions of FreeBSD, the BPF devices live on devfs, and devfs
|
||||
can be configured to set the permissions and/or ownership of those
|
||||
devices to give users other than root permission to read or write those
|
||||
devices.
|
||||
|
||||
On Mac OS X, the BPF devices live on devfs, but the OS X version of
|
||||
devfs is based on an older (non-default) FreeBSD devfs, and that version
|
||||
of devfs cannot be configured to set the permissions and/or ownership of
|
||||
those devices.
|
||||
|
||||
Therefore, we supply a "startup item" for OS X that will change the
|
||||
ownership of the BPF devices so that the "admin" group owns them, and
|
||||
will change the permission of the BPF devices to rw-rw----, so that all
|
||||
users in the "admin" group - i.e., all users with "Allow user to
|
||||
administer this computer" turned on - have both read and write access to
|
||||
them.
|
||||
|
||||
The startup item is in the ChmodBPF directory in the source tree. A
|
||||
/Library/StartupItems directory should be created if it doesn't already
|
||||
exist, and the ChmodBPF directory should be copied to the
|
||||
/Library/StartupItems directory (copy the entire directory, so that
|
||||
there's a /Library/StartupItems/ChmodBPF directory, containing all the
|
||||
files in the source tree's ChmodBPF directory; don't copy the individual
|
||||
items in that directory to /Library/StartupItems).
|
||||
|
||||
If you want to give a particular user permission to access the BPF
|
||||
devices, rather than giving all administrative users permission to
|
||||
access them, you can have the ChmodBPF/ChmodBPF script change the
|
||||
ownership of /dev/bpf* without changing the permissions. If you want to
|
||||
give a particular user permission to read and write the BPF devices and
|
||||
give the administrative users permission to read but not write the BPF
|
||||
devices, you can have the script change the owner to that user, the
|
||||
group to "admin", and the permissions to rw-r-----. Other possibilities
|
||||
are left as an exercise for the reader.
|
Reference in New Issue