Add --enable-setcap-install and --with-dumpcap-group.

svn path=/trunk/; revision=32421
2010-04-08 00:02:29 +00:00 · 2010-04-08 00:02:29 +00:00 · 1426281ebd
parent f307dd5a31
commit 1426281ebd
3 changed files with 100 additions and 26 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -817,12 +817,20 @@ EXTRA_DIST = \
 	wireshark.desktop	\
 	wka.tmpl

-if SETUID_INSTALL
-install-exec-hook:
-	-chmod +s $(DESTDIR)$(bindir)/dumpcap
-else
 install-exec-hook:
+if HAVE_DUMPCAP_GROUP
+	-chgrp $(DUMPCAP_GROUP) $(DESTDIR)$(bindir)/dumpcap
 endif
+if SETCAP_INSTALL
+	-$(SETCAP) cap_net_raw,cap_net_admin+eip $(DESTDIR)$(bindir)/dumpcap
+	-chmod o-rws $(DESTDIR)$(bindir)/dumpcap
+else
+if SETUID_INSTALL
+	-chmod o-rws $(DESTDIR)$(bindir)/dumpcap
+	-chmod +s $(DESTDIR)$(bindir)/dumpcap
+endif
+endif
+

 DIST_SUBDIRS = asn1 codecs doc epan gtk help packaging plugins tools wiretap wsutil docbook

--- a/configure.in
+++ b/configure.in
@ -1251,6 +1251,28 @@ else
 fi


+dnl Check if dumpcap should be installed with filesystem capabilities
+AC_PATH_PROG(SETCAP, setcap)
+AC_ARG_ENABLE(setcap-install,
+  AC_HELP_STRING( [--enable-setcap-install],
+                  [install dumpcap with cap_net_admin and cap_net_raw @<:@default=no@:>@]),
+    enable_setcap_install=$enableval,enable_setcap_install=no)
+
+AC_MSG_CHECKING(whether to install dumpcap with cap_net_admin and cap_net_raw capabilities)
+if test "x$enable_setcap_install" = "xno" ; then
+	AC_MSG_RESULT(no)
+else
+	if test "x$SETCAP" = "x" ; then
+		AC_MSG_RESULT(no. Setcap not found)
+	elif test "x$enable_dumpcap" = "xno" ; then
+		AC_MSG_ERROR(Setcap install works only with dumpcap but dumpcap is disabled)
+	else
+		AC_MSG_RESULT(yes)
+	fi
+fi
+
+AM_CONDITIONAL(SETCAP_INSTALL, test x$enable_setcap_install = xyes)
+
 dnl Check if dumpcap should be installed setuid
 AC_ARG_ENABLE(setuid-install,
  AC_HELP_STRING( [--enable-setuid-install],
@ -1261,7 +1283,10 @@ AC_MSG_CHECKING(whether to install dumpcap setuid)
 if test "x$enable_setuid_install" = "xno" ; then
 	AC_MSG_RESULT(no)
 else
-	if test "x$enable_dumpcap" = "xno" ; then
+	if test "x$enable_setcap_install" = "xyes" ; then
+		enable_setuid_install=no
+		AC_MSG_RESULT(no; using setcap instead)
+	elif test "x$enable_dumpcap" = "xno" ; then
 		AC_MSG_ERROR(Setuid install works only with dumpcap but dumpcap is disabled)
 	else
 		AC_MSG_RESULT(yes)
@ -1271,6 +1296,22 @@ fi
 AM_CONDITIONAL(SETUID_INSTALL, test x$enable_setuid_install = xyes)
 AC_CHECK_FUNCS(setresuid setresgid)

+dnl ...but our Network Operations group is named "no"!
+DUMPCAP_GROUP=''
+AC_ARG_WITH(dumpcap-group,
+  AC_HELP_STRING( [--with-dumpcap-group=GROUP],
+                  [restrict dumpcap to GROUP]),
+[
+  if test "x$withval" = "xyes"; then
+      AC_MSG_ERROR([No dumpcap group specified.])
+  elif test "x$withval" != "xno"; then
+      AC_MSG_RESULT($withval)
+      DUMPCAP_GROUP="$withval"
+  fi
+])
+AC_SUBST(DUMPCAP_GROUP)
+AM_CONDITIONAL(HAVE_DUMPCAP_GROUP, test x$DUMPCAP_GROUP != x)
+
 dnl libcap (not libpcap) check
 LIBCAP_LIBS=''
 AC_MSG_CHECKING(whether to use the libcap capabilities library)
@ -1857,12 +1898,25 @@ dnl AC_CONFIG_FILES([tools/setuid-root.pl], [chmod +x tools/setuid-root.pl])

 # Pretty messages

+if test "x$enable_setcap_install" = "xyes" ; then
+	setcap_message="yes"
+else
+	setcap_message="no"
+fi
+
+
 if test "x$enable_setuid_install" = "xyes" ; then
 	setuid_message="yes"
 else
 	setuid_message="no"
 fi

+if test "x$DUMPCAP_GROUP" = "x" ; then
+	dumpcap_group_message="(none)"
+else
+	dumpcap_group_message="$DUMPCAP_GROUP"
+fi
+
 if test "x$want_zlib" = "xno" ; then
 	zlib_message="no"
 else
@ -1948,7 +2002,9 @@ echo "                      Build randpkt : $enable_randpkt"
 echo "                       Build dftest : $enable_dftest"
 echo "                     Build rawshark : $enable_rawshark"
 echo ""
+echo "  Install dumpcap with capabilities : $setcap_message"
 echo "             Install dumpcap setuid : $setuid_message"
+echo "                  Use dumpcap group : $dumpcap_group_message"
 echo "                        Use plugins : $have_plugins"
 echo "                    Use lua library : $lua_message"
 echo "                 Use python binding : $python_message"
--- a/doc/README.packaging
+++ b/doc/README.packaging
@ -40,36 +40,46 @@ privileges have been moved out of the GUI to dumpcap.
 WIRESHARK CONTAINS NEARLY TWO MILLION LINES OF SOURCE CODE. DO NOT RUN
 THEM AS ROOT.

-There are two configure-time options on non-Windows systems that affect
-the privileges a normal user needs to capture traffic and list
-interfaces: "--enable-setuid-install" and "--with-libcap". Setting
-"--enable-setuid-install" to "yes" will install dumpcap setuid root.
-This is necessary for non-root users to be able to capture on most
+Warnings are displayed when Wireshark and TShark are run as root.
+
+There are several configure-time options on non-Windows systems that
+affect the privileges a normal user needs to capture traffic and list
+interfaces:
+  
+    --enable-setcap-install   Install dumpcap with cap_net_admin and
+                              cap_net_raw capabilities. Linux only.
+
+    --enable-setuid-install   Install dumpcap setuid root.
+
+    --with-libcap             If running as root, try to grab
+                              CAP_NET_ADMIN and CAP_NET_RAW, then drop
+                              privileges. Linux only.
+
+    --with-dumpcap-group=...  Restricts dumpcap execution to the
+                              specified group.
+
+These are necessary for non-root users to be able to capture on most
 systems, e.g. on Linux or FreeBSD if the user doesn't have permissions
-to access /dev/bpf*. It is disabled by default. Note that enabling this
-allows packet capture for ALL users on your system. If this is not
-desired, you should restrict dumpcap execution to a specific group or
-user.
+to access /dev/bpf*. Setcap installation is preferred over setuid on
+Linux. If "--enable-setcap-install" is used it will override any setuid
+settings.

-If the "--with-libcap" option is enabled, dumpcap will try to drop any
-setuid privileges it may have while retaining the CAP_NET_ADMIN and
-CAP_NET_RAW capabilities. It is enabled by default, if the Linux
-capabilities library (on which it depends) is found.
+The "--with-libcap" option is only useful when dumpcap is installed
+setuid. If it is enabled dumpcap will try to drop any setuid privileges
+it may have while retaining the CAP_NET_ADMIN and CAP_NET_RAW
+capabilities. It is enabled by default, if the Linux capabilities
+library (on which it depends) is found.

-Warnings are displayed when Wireshark and TShark are run
-as root.
-
-For Linux systems that have libcap and the "setcap" utility you can
-avoid root altogether:
+Note that enabling setcap or setuid installation allows packet capture
+for ALL users on your system. If this is not desired, you can restrict
+dumpcap execution to a specific group or user. The following two examples
+show how to restrict access using setcap and setuid respectively:

 # groupadd -g packetcapture
 # chmod 750 /usr/bin/dumpcap
 # chgrp packetcapture /usr/bin/dumpcap
 # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap

-For Linux systems without filesystem capabilities you can limit root
-to dumpcap:
-
 # groupadd -g packetcapture
 # chgrp packetcapture /usr/bin/dumpcap
 # chmod 4750 /usr/bin/dumpcap