Add --enable-setcap-install and --with-dumpcap-group.
svn path=/trunk/; revision=32421
parent
f307dd5a31
commit
1426281ebd
16
Makefile.am
16
Makefile.am
|
@ -817,12 +817,20 @@ EXTRA_DIST = \
|
|||
wireshark.desktop \
|
||||
wka.tmpl
|
||||
|
||||
if SETUID_INSTALL
|
||||
install-exec-hook:
|
||||
-chmod +s $(DESTDIR)$(bindir)/dumpcap
|
||||
else
|
||||
install-exec-hook:
|
||||
if HAVE_DUMPCAP_GROUP
|
||||
-chgrp $(DUMPCAP_GROUP) $(DESTDIR)$(bindir)/dumpcap
|
||||
endif
|
||||
if SETCAP_INSTALL
|
||||
-$(SETCAP) cap_net_raw,cap_net_admin+eip $(DESTDIR)$(bindir)/dumpcap
|
||||
-chmod o-rws $(DESTDIR)$(bindir)/dumpcap
|
||||
else
|
||||
if SETUID_INSTALL
|
||||
-chmod o-rws $(DESTDIR)$(bindir)/dumpcap
|
||||
-chmod +s $(DESTDIR)$(bindir)/dumpcap
|
||||
endif
|
||||
endif
|
||||
|
||||
|
||||
DIST_SUBDIRS = asn1 codecs doc epan gtk help packaging plugins tools wiretap wsutil docbook
|
||||
|
||||
|
|
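Review bot: The `HAVE_DUMPCAP_GROUP` branch only runs `chgrp $(DUMPCAP_GROUP)`, and the later `chmod o-rws` clears only r, w and s for others, so the others-execute bit survives and `--with-dumpcap-group` changes the binary's group without restricting who can run it — contrary to the option's help text "restrict dumpcap to GROUP" and to the `chmod 750` / `chmod 4750` examples in the README hunk further down. Adding `-chmod o-rwx $(DESTDIR)$(bindir)/dumpcap` inside the `if HAVE_DUMPCAP_GROUP` block (before the setcap/setuid steps) would make the group restriction effective in both paths. Separately, every recipe line carries the `-` ignore-errors prefix, so a failing `$(SETCAP)` still lets `make install` succeed and leaves a dumpcap with neither capabilities nor setuid while the configure summary reports capabilities as installed; dropping the `-` on the setcap line, `$(SETCAP) cap_net_raw,cap_net_admin+eip $(DESTDIR)$(bindir)/dumpcap`, would surface that failure at install time. Recipe lines must be tab-indented, which this rendering does not show, so that is assumed rather than verified.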
58
configure.in
58
configure.in
|
@ -1251,6 +1251,28 @@ else
|
|||
fi
|
||||
|
||||
|
||||
dnl Check if dumpcap should be installed with filesystem capabilities
|
||||
AC_PATH_PROG(SETCAP, setcap)
|
||||
AC_ARG_ENABLE(setcap-install,
|
||||
AC_HELP_STRING( [--enable-setcap-install],
|
||||
[install dumpcap with cap_net_admin and cap_net_raw @<:@default=no@:>@]),
|
||||
enable_setcap_install=$enableval,enable_setcap_install=no)
|
||||
|
||||
AC_MSG_CHECKING(whether to install dumpcap with cap_net_admin and cap_net_raw capabilities)
|
||||
if test "x$enable_setcap_install" = "xno" ; then
|
||||
AC_MSG_RESULT(no)
|
||||
else
|
||||
if test "x$SETCAP" = "x" ; then
|
||||
AC_MSG_RESULT(no. Setcap not found)
|
||||
elif test "x$enable_dumpcap" = "xno" ; then
|
||||
AC_MSG_ERROR(Setcap install works only with dumpcap but dumpcap is disabled)
|
||||
else
|
||||
AC_MSG_RESULT(yes)
|
||||
fi
|
||||
fi
|
||||
|
||||
AM_CONDITIONAL(SETCAP_INSTALL, test x$enable_setcap_install = xyes)
|
||||
|
||||
dnl Check if dumpcap should be installed setuid
|
||||
AC_ARG_ENABLE(setuid-install,
|
||||
AC_HELP_STRING( [--enable-setuid-install],
|
||||
|
@ -1261,7 +1283,10 @@ AC_MSG_CHECKING(whether to install dumpcap setuid)
|
|||
if test "x$enable_setuid_install" = "xno" ; then
|
||||
AC_MSG_RESULT(no)
|
||||
else
|
||||
if test "x$enable_dumpcap" = "xno" ; then
|
||||
if test "x$enable_setcap_install" = "xyes" ; then
|
||||
enable_setuid_install=no
|
||||
AC_MSG_RESULT(no; using setcap instead)
|
||||
elif test "x$enable_dumpcap" = "xno" ; then
|
||||
AC_MSG_ERROR(Setuid install works only with dumpcap but dumpcap is disabled)
|
||||
else
|
||||
AC_MSG_RESULT(yes)
|
||||
|
@ -1271,6 +1296,22 @@ fi
|
|||
AM_CONDITIONAL(SETUID_INSTALL, test x$enable_setuid_install = xyes)
|
||||
AC_CHECK_FUNCS(setresuid setresgid)
|
||||
|
||||
dnl ...but our Network Operations group is named "no"!
|
||||
DUMPCAP_GROUP=''
|
||||
AC_ARG_WITH(dumpcap-group,
|
||||
AC_HELP_STRING( [--with-dumpcap-group=GROUP],
|
||||
[restrict dumpcap to GROUP]),
|
||||
[
|
||||
if test "x$withval" = "xyes"; then
|
||||
AC_MSG_ERROR([No dumpcap group specified.])
|
||||
elif test "x$withval" != "xno"; then
|
||||
AC_MSG_RESULT($withval)
|
||||
DUMPCAP_GROUP="$withval"
|
||||
fi
|
||||
])
|
||||
AC_SUBST(DUMPCAP_GROUP)
|
||||
AM_CONDITIONAL(HAVE_DUMPCAP_GROUP, test x$DUMPCAP_GROUP != x)
|
||||
|
||||
dnl libcap (not libpcap) check
|
||||
LIBCAP_LIBS=''
|
||||
AC_MSG_CHECKING(whether to use the libcap capabilities library)
|
||||
|
@ -1857,12 +1898,25 @@ dnl AC_CONFIG_FILES([tools/setuid-root.pl], [chmod +x tools/setuid-root.pl])
|
|||
|
||||
# Pretty messages
|
||||
|
||||
if test "x$enable_setcap_install" = "xyes" ; then
|
||||
setcap_message="yes"
|
||||
else
|
||||
setcap_message="no"
|
||||
fi
|
||||
|
||||
|
||||
if test "x$enable_setuid_install" = "xyes" ; then
|
||||
setuid_message="yes"
|
||||
else
|
||||
setuid_message="no"
|
||||
fi
|
||||
|
||||
if test "x$DUMPCAP_GROUP" = "x" ; then
|
||||
dumpcap_group_message="(none)"
|
||||
else
|
||||
dumpcap_group_message="$DUMPCAP_GROUP"
|
||||
fi
|
||||
|
||||
if test "x$want_zlib" = "xno" ; then
|
||||
zlib_message="no"
|
||||
else
|
||||
|
@ -1948,7 +2002,9 @@ echo " Build randpkt : $enable_randpkt"
|
|||
echo " Build dftest : $enable_dftest"
|
||||
echo " Build rawshark : $enable_rawshark"
|
||||
echo ""
|
||||
echo " Install dumpcap with capabilities : $setcap_message"
|
||||
echo " Install dumpcap setuid : $setuid_message"
|
||||
echo " Use dumpcap group : $dumpcap_group_message"
|
||||
echo " Use plugins : $have_plugins"
|
||||
echo " Use lua library : $lua_message"
|
||||
echo " Use python binding : $python_message"
|
||||
|
|
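Review bot: In the first hunk, the `if test "x$SETCAP" = "x"` branch only prints `no. Setcap not found` and leaves `enable_setcap_install` at its requested value, so `AM_CONDITIONAL(SETCAP_INSTALL, test x$enable_setcap_install = xyes)` is still true, the setuid check in the second hunk then disables setuid with "using setcap instead", and the summary in the fourth hunk reports capabilities as installed — while the install hook would run an empty `$(SETCAP)` and dumpcap ends up with no privilege at all. The branch should either clear the flag, `AC_MSG_RESULT(no. Setcap not found)` followed by `enable_setcap_install=no`, or fail like the dumpcap-disabled case with `AC_MSG_ERROR([--enable-setcap-install requested but setcap was not found])`. A smaller inconsistency: the `AC_MSG_CHECKING` test treats any value other than `no` as enabled, whereas the `AM_CONDITIONAL` and the later checks require exactly `yes`, so `--enable-setcap-install=<other>` prints "yes" but installs nothing; normalising `enable_setcap_install` to yes/no right after `AC_ARG_ENABLE` would close that gap. The same yes/no normalisation applies to `enable_setuid_install` in the second hunk.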
|
@ -40,36 +40,46 @@ privileges have been moved out of the GUI to dumpcap.
|
|||
WIRESHARK CONTAINS NEARLY TWO MILLION LINES OF SOURCE CODE. DO NOT RUN
|
||||
THEM AS ROOT.
|
||||
|
||||
There are two configure-time options on non-Windows systems that affect
|
||||
the privileges a normal user needs to capture traffic and list
|
||||
interfaces: "--enable-setuid-install" and "--with-libcap". Setting
|
||||
"--enable-setuid-install" to "yes" will install dumpcap setuid root.
|
||||
This is necessary for non-root users to be able to capture on most
|
||||
Warnings are displayed when Wireshark and TShark are run as root.
|
||||
|
||||
There are several configure-time options on non-Windows systems that
|
||||
affect the privileges a normal user needs to capture traffic and list
|
||||
interfaces:
|
||||
|
||||
--enable-setcap-install Install dumpcap with cap_net_admin and
|
||||
cap_net_raw capabilities. Linux only.
|
||||
|
||||
--enable-setuid-install Install dumpcap setuid root.
|
||||
|
||||
--with-libcap If running as root, try to grab
|
||||
CAP_NET_ADMIN and CAP_NET_RAW, then drop
|
||||
privileges. Linux only.
|
||||
|
||||
--with-dumpcap-group=... Restricts dumpcap execution to the
|
||||
specified group.
|
||||
|
||||
These are necessary for non-root users to be able to capture on most
|
||||
systems, e.g. on Linux or FreeBSD if the user doesn't have permissions
|
||||
to access /dev/bpf*. It is disabled by default. Note that enabling this
|
||||
allows packet capture for ALL users on your system. If this is not
|
||||
desired, you should restrict dumpcap execution to a specific group or
|
||||
user.
|
||||
to access /dev/bpf*. Setcap installation is preferred over setuid on
|
||||
Linux. If "--enable-setcap-install" is used it will override any setuid
|
||||
settings.
|
||||
|
||||
If the "--with-libcap" option is enabled, dumpcap will try to drop any
|
||||
setuid privileges it may have while retaining the CAP_NET_ADMIN and
|
||||
CAP_NET_RAW capabilities. It is enabled by default, if the Linux
|
||||
capabilities library (on which it depends) is found.
|
||||
The "--with-libcap" option is only useful when dumpcap is installed
|
||||
setuid. If it is enabled dumpcap will try to drop any setuid privileges
|
||||
it may have while retaining the CAP_NET_ADMIN and CAP_NET_RAW
|
||||
capabilities. It is enabled by default, if the Linux capabilities
|
||||
library (on which it depends) is found.
|
||||
|
||||
Warnings are displayed when Wireshark and TShark are run
|
||||
as root.
|
||||
|
||||
For Linux systems that have libcap and the "setcap" utility you can
|
||||
avoid root altogether:
|
||||
Note that enabling setcap or setuid installation allows packet capture
|
||||
for ALL users on your system. If this is not desired, you can restrict
|
||||
dumpcap execution to a specific group or user. The following two examples
|
||||
show how to restrict access using setcap and setuid respectively:
|
||||
|
||||
# groupadd -g packetcapture
|
||||
# chmod 750 /usr/bin/dumpcap
|
||||
# chgrp packetcapture /usr/bin/dumpcap
|
||||
# setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
|
||||
|
||||
For Linux systems without filesystem capabilities you can limit root
|
||||
to dumpcap:
|
||||
|
||||
# groupadd -g packetcapture
|
||||
# chgrp packetcapture /usr/bin/dumpcap
|
||||
# chmod 4750 /usr/bin/dumpcap
|
||||
|
|