Add an OS X startup item to set the permissions and/or ownership of the
BPF devices, and add a README.macosx file to explain how to install and use that startup item.
parent
59f566ecfb
commit
4b1ac36c83
|
@ -0,0 +1,33 @@
|
||||||
|
#! /bin/sh
|
||||||
|
|
||||||
|
. /etc/rc.common
|
||||||
|
|
||||||
|
StartService ()
|
||||||
|
{
|
||||||
|
#
|
||||||
|
# Unfortunately, Mac OS X's devfs is based on the old FreeBSD
|
||||||
|
# one, not the current one, so there's no way to configure it
|
||||||
|
# to create BPF devices with particular owners or groups.
|
||||||
|
# This startup item will make it owned by the admin group,
|
||||||
|
# with permissions rw-rw----, so that anybody in the admin
|
||||||
|
# group can use programs that capture or send raw packets.
|
||||||
|
#
|
||||||
|
# Change this as appropriate for your site, e.g. to make
|
||||||
|
# it owned by a particular user without changing the permissions,
|
||||||
|
# so only that user and the super-user can capture or send raw
|
||||||
|
# packets, or give it the permissions rw-r-----, so that
|
||||||
|
# only the super-user can send raw packets but anybody in the
|
||||||
|
# admin group can capture packets.
|
||||||
|
#
|
||||||
|
chgrp admin /dev/bpf*
|
||||||
|
chmod g+rw /dev/bpf*
|
||||||
|
}
|
||||||
|
|
||||||
|
StopService ()
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
RestartService () { StartService; }
|
||||||
|
|
||||||
|
RunService "$1"
|
|
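Review bot: In StartService, `chmod g+rw /dev/bpf*` only adds the group read and write bits, so it does not guarantee the rw-rw---- mode that the comment above it promises; any bits already set for "other" stay set. Setting the mode absolutely (for example `chmod 660 /dev/bpf*`) would make the result match the comment and the README. Neither chgrp nor chmod has its exit status checked, so a failure, such as the glob matching no devices and the literal pattern being passed through, goes unreported at boot; a message on failure would help. Since group write lets every account in the admin group send raw packets, consider shipping the rw-r----- variant the comment already describes as the default and leaving write access as the site's opt-in.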
@ -0,0 +1,4 @@
|
||||||
|
{
|
||||||
|
Description = "Change BPF permissions";
|
||||||
|
Provides = ("Non-root permission to capture or send raw packets");
|
||||||
|
}
|
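Review bot: The Provides entry is a full sentence ("Non-root permission to capture or send raw packets") rather than a short service name, which makes it awkward for another startup item to refer to this one. A short token such as "ChmodBPF" in Provides, with the sentence kept in Description, would read better and be easier to depend on.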
3
FILES
3
FILES
|
@ -1,4 +1,6 @@
|
||||||
CHANGES
|
CHANGES
|
||||||
|
ChmodBPF/ChmodBPF
|
||||||
|
ChmodBPF/StartupParameters.plist
|
||||||
CREDITS
|
CREDITS
|
||||||
FILES
|
FILES
|
||||||
INSTALL.txt
|
INSTALL.txt
|
||||||
|
@ -9,6 +11,7 @@ README.aix
|
||||||
README.dag
|
README.dag
|
||||||
README.hpux
|
README.hpux
|
||||||
README.linux
|
README.linux
|
||||||
|
README.macosx
|
||||||
README.tru64
|
README.tru64
|
||||||
README.Win32
|
README.Win32
|
||||||
SUNOS4/nit_if.o.sparc
|
SUNOS4/nit_if.o.sparc
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
@(#) $Header: /tcpdump/master/libpcap/INSTALL.txt,v 1.10 2004-04-05 22:43:50 guy Exp $ (LBL)
|
@(#) $Header: /tcpdump/master/libpcap/INSTALL.txt,v 1.11 2004-10-18 09:51:02 guy Exp $ (LBL)
|
||||||
|
|
||||||
To build libpcap, run "./configure" (a shell script). The configure
|
To build libpcap, run "./configure" (a shell script). The configure
|
||||||
script will determine your system attributes and generate an
|
script will determine your system attributes and generate an
|
||||||
|
@ -295,6 +295,8 @@ timestamp resolution if it finds it's running on a SS-1).
|
||||||
FILES
|
FILES
|
||||||
-----
|
-----
|
||||||
CHANGES - description of differences between releases
|
CHANGES - description of differences between releases
|
||||||
|
ChmodBPF/* - Mac OS X startup item to set ownership and permissions
|
||||||
|
on /dev/bpf*
|
||||||
CREDITS - people that have helped libpcap along
|
CREDITS - people that have helped libpcap along
|
||||||
FILES - list of files exported as part of the distribution
|
FILES - list of files exported as part of the distribution
|
||||||
INSTALL.txt - this file
|
INSTALL.txt - this file
|
||||||
|
@ -305,6 +307,7 @@ README.aix - notes on using libpcap on AIX
|
||||||
README.dag - notes on using libpcap to capture on Endace DAG devices
|
README.dag - notes on using libpcap to capture on Endace DAG devices
|
||||||
README.hpux - notes on using libpcap on HP-UX
|
README.hpux - notes on using libpcap on HP-UX
|
||||||
README.linux - notes on using libpcap on Linux
|
README.linux - notes on using libpcap on Linux
|
||||||
|
README.macosx - notes on using libpcap on Mac OS X
|
||||||
README.tru64 - notes on using libpcap on Digital/Tru64 UNIX
|
README.tru64 - notes on using libpcap on Digital/Tru64 UNIX
|
||||||
README.Win32 - notes on using libpcap on Win32 systems (with WinPcap)
|
README.Win32 - notes on using libpcap on Win32 systems (with WinPcap)
|
||||||
SUNOS4 - pre-SunOS 4.1 replacement kernel nit modules
|
SUNOS4 - pre-SunOS 4.1 replacement kernel nit modules
|
||||||
|
|
|
@ -0,0 +1,43 @@
|
||||||
|
As with other systems using BPF, Mac OS X allows users with read access
|
||||||
|
to the BPF devices to capture packets with libpcap and allows users with
|
||||||
|
write access to the BPF devices to send packets with libpcap.
|
||||||
|
|
||||||
|
On some systems that use BPF, the BPF devices live on the root file
|
||||||
|
system, and the permissions and/or ownership on those devices can be
|
||||||
|
changed to give users other than root permission to read or write those
|
||||||
|
devices.
|
||||||
|
|
||||||
|
On newer versions of FreeBSD, the BPF devices live on devfs, and devfs
|
||||||
|
can be configured to set the permissions and/or ownership of those
|
||||||
|
devices to give users other than root permission to read or write those
|
||||||
|
devices.
|
||||||
|
|
||||||
|
On Mac OS X, the BPF devices live on devfs, but the OS X version of
|
||||||
|
devfs is based on an older (non-default) FreeBSD devfs, and that version
|
||||||
|
of devfs cannot be configured to set the permissions and/or ownership of
|
||||||
|
those devices.
|
||||||
|
|
||||||
|
Therefore, we supply a "startup item" for OS X that will change the
|
||||||
|
ownership of the BPF devices so that the "admin" group owns them, and
|
||||||
|
will change the permission of the BPF devices to rw-rw----, so that all
|
||||||
|
users in the "admin" group - i.e., all users with "Allow user to
|
||||||
|
administer this computer" turned on - have both read and write access to
|
||||||
|
them.
|
||||||
|
|
||||||
|
The startup item is in the ChmodBPF directory in the source tree. A
|
||||||
|
/Library/StartupItems directory should be created if it doesn't already
|
||||||
|
exist, and the ChmodBPF directory should be copied to the
|
||||||
|
/Library/StartupItems directory (copy the entire directory, so that
|
||||||
|
there's a /Library/StartupItems/ChmodBPF directory, containing all the
|
||||||
|
files in the source tree's ChmodBPF directory; don't copy the individual
|
||||||
|
items in that directory to /Library/StartupItems).
|
||||||
|
|
||||||
|
If you want to give a particular user permission to access the BPF
|
||||||
|
devices, rather than giving all administrative users permission to
|
||||||
|
access them, you can have the ChmodBPF/ChmodBPF script change the
|
||||||
|
ownership of /dev/bpf* without changing the permissions. If you want to
|
||||||
|
give a particular user permission to read and write the BPF devices and
|
||||||
|
give the administrative users permission to read but not write the BPF
|
||||||
|
devices, you can have the script change the owner to that user, the
|
||||||
|
group to "admin", and the permissions to rw-r-----. Other possibilities
|
||||||
|
are left as an exercise for the reader.
|
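Review bot: The installation paragraph (create /Library/StartupItems, copy the ChmodBPF directory) does not say when the change takes effect or how to confirm it. Since the script only acts when it is run with a start argument (`RunService "$1"`), the README should state that the permissions change at the next startup, or when the script is run by hand as root with "start", and suggest checking the result with `ls -l /dev/bpf*`. The closing paragraph describes the per-user and rw-r----- variants only in prose; giving the exact chown/chgrp/chmod lines to put in ChmodBPF/ChmodBPF would reduce the chance of a site ending up with looser permissions than intended. It would also help to say that the default grants write access, and therefore the ability to send raw packets, to every administrative user, so readers can pick the narrower option deliberately.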