Add --enable-setcap-install and --with-dumpcap-group.
svn path=/trunk/; revision=32421
parent
f307dd5a31
commit
1426281ebd
16
Makefile.am
16
Makefile.am
|
@ -817,12 +817,20 @@ EXTRA_DIST = \
|
||||||
wireshark.desktop \
|
wireshark.desktop \
|
||||||
wka.tmpl
|
wka.tmpl
|
||||||
|
|
||||||
if SETUID_INSTALL
|
|
||||||
install-exec-hook:
|
|
||||||
-chmod +s $(DESTDIR)$(bindir)/dumpcap
|
|
||||||
else
|
|
||||||
install-exec-hook:
|
install-exec-hook:
|
||||||
|
if HAVE_DUMPCAP_GROUP
|
||||||
|
-chgrp $(DUMPCAP_GROUP) $(DESTDIR)$(bindir)/dumpcap
|
||||||
endif
|
endif
|
||||||
|
if SETCAP_INSTALL
|
||||||
|
-$(SETCAP) cap_net_raw,cap_net_admin+eip $(DESTDIR)$(bindir)/dumpcap
|
||||||
|
-chmod o-rws $(DESTDIR)$(bindir)/dumpcap
|
||||||
|
else
|
||||||
|
if SETUID_INSTALL
|
||||||
|
-chmod o-rws $(DESTDIR)$(bindir)/dumpcap
|
||||||
|
-chmod +s $(DESTDIR)$(bindir)/dumpcap
|
||||||
|
endif
|
||||||
|
endif
|
||||||
|
|
||||||
|
|
||||||
DIST_SUBDIRS = asn1 codecs doc epan gtk help packaging plugins tools wiretap wsutil docbook
|
DIST_SUBDIRS = asn1 codecs doc epan gtk help packaging plugins tools wiretap wsutil docbook
|
||||||
|
|
||||||
|
|
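Review bot: `-chmod o-rws $(DESTDIR)$(bindir)/dumpcap` now runs in both the setcap and the setuid branch whether or not a dumpcap group was configured, so a plain `--enable-setuid-install` or `--enable-setcap-install` leaves dumpcap executable only by root and whatever group `install` gave the file, which contradicts the README hunk in this same commit ("allows packet capture for ALL users on your system"); either move that line under `if HAVE_DUMPCAP_GROUP` directly after the `chgrp`, or state the restriction in the README. Because every recipe line carries the `-` prefix, a failed `chgrp` (a group that does not exist on the install host, say) is silently ignored while `o-rws` is still applied, producing a dumpcap nobody but root can run; dropping the `-` from the chgrp line makes that failure visible at install time. In the setcap branch the capabilities are granted before permissions are tightened, so swapping those two lines removes the window in which the binary is both world-executable and capability-bearing. Finally, `chmod +s` also sets setgid on a binary that may just have been chgrp'd; `chmod u+s $(DESTDIR)$(bindir)/dumpcap` matches the `chmod 4750` the README example documents.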
58
configure.in
58
configure.in
|
@ -1251,6 +1251,28 @@ else
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
dnl Check if dumpcap should be installed with filesystem capabilities
|
||||||
|
AC_PATH_PROG(SETCAP, setcap)
|
||||||
|
AC_ARG_ENABLE(setcap-install,
|
||||||
|
AC_HELP_STRING( [--enable-setcap-install],
|
||||||
|
[install dumpcap with cap_net_admin and cap_net_raw @<:@default=no@:>@]),
|
||||||
|
enable_setcap_install=$enableval,enable_setcap_install=no)
|
||||||
|
|
||||||
|
AC_MSG_CHECKING(whether to install dumpcap with cap_net_admin and cap_net_raw capabilities)
|
||||||
|
if test "x$enable_setcap_install" = "xno" ; then
|
||||||
|
AC_MSG_RESULT(no)
|
||||||
|
else
|
||||||
|
if test "x$SETCAP" = "x" ; then
|
||||||
|
AC_MSG_RESULT(no. Setcap not found)
|
||||||
|
elif test "x$enable_dumpcap" = "xno" ; then
|
||||||
|
AC_MSG_ERROR(Setcap install works only with dumpcap but dumpcap is disabled)
|
||||||
|
else
|
||||||
|
AC_MSG_RESULT(yes)
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
AM_CONDITIONAL(SETCAP_INSTALL, test x$enable_setcap_install = xyes)
|
||||||
|
|
||||||
dnl Check if dumpcap should be installed setuid
|
dnl Check if dumpcap should be installed setuid
|
||||||
AC_ARG_ENABLE(setuid-install,
|
AC_ARG_ENABLE(setuid-install,
|
||||||
AC_HELP_STRING( [--enable-setuid-install],
|
AC_HELP_STRING( [--enable-setuid-install],
|
||||||
|
@ -1261,7 +1283,10 @@ AC_MSG_CHECKING(whether to install dumpcap setuid)
|
||||||
if test "x$enable_setuid_install" = "xno" ; then
|
if test "x$enable_setuid_install" = "xno" ; then
|
||||||
AC_MSG_RESULT(no)
|
AC_MSG_RESULT(no)
|
||||||
else
|
else
|
||||||
if test "x$enable_dumpcap" = "xno" ; then
|
if test "x$enable_setcap_install" = "xyes" ; then
|
||||||
|
enable_setuid_install=no
|
||||||
|
AC_MSG_RESULT(no; using setcap instead)
|
||||||
|
elif test "x$enable_dumpcap" = "xno" ; then
|
||||||
AC_MSG_ERROR(Setuid install works only with dumpcap but dumpcap is disabled)
|
AC_MSG_ERROR(Setuid install works only with dumpcap but dumpcap is disabled)
|
||||||
else
|
else
|
||||||
AC_MSG_RESULT(yes)
|
AC_MSG_RESULT(yes)
|
||||||
|
@ -1271,6 +1296,22 @@ fi
|
||||||
AM_CONDITIONAL(SETUID_INSTALL, test x$enable_setuid_install = xyes)
|
AM_CONDITIONAL(SETUID_INSTALL, test x$enable_setuid_install = xyes)
|
||||||
AC_CHECK_FUNCS(setresuid setresgid)
|
AC_CHECK_FUNCS(setresuid setresgid)
|
||||||
|
|
||||||
|
dnl ...but our Network Operations group is named "no"!
|
||||||
|
DUMPCAP_GROUP=''
|
||||||
|
AC_ARG_WITH(dumpcap-group,
|
||||||
|
AC_HELP_STRING( [--with-dumpcap-group=GROUP],
|
||||||
|
[restrict dumpcap to GROUP]),
|
||||||
|
[
|
||||||
|
if test "x$withval" = "xyes"; then
|
||||||
|
AC_MSG_ERROR([No dumpcap group specified.])
|
||||||
|
elif test "x$withval" != "xno"; then
|
||||||
|
AC_MSG_RESULT($withval)
|
||||||
|
DUMPCAP_GROUP="$withval"
|
||||||
|
fi
|
||||||
|
])
|
||||||
|
AC_SUBST(DUMPCAP_GROUP)
|
||||||
|
AM_CONDITIONAL(HAVE_DUMPCAP_GROUP, test x$DUMPCAP_GROUP != x)
|
||||||
|
|
||||||
dnl libcap (not libpcap) check
|
dnl libcap (not libpcap) check
|
||||||
LIBCAP_LIBS=''
|
LIBCAP_LIBS=''
|
||||||
AC_MSG_CHECKING(whether to use the libcap capabilities library)
|
AC_MSG_CHECKING(whether to use the libcap capabilities library)
|
||||||
|
@ -1857,12 +1898,25 @@ dnl AC_CONFIG_FILES([tools/setuid-root.pl], [chmod +x tools/setuid-root.pl])
|
||||||
|
|
||||||
# Pretty messages
|
# Pretty messages
|
||||||
|
|
||||||
|
if test "x$enable_setcap_install" = "xyes" ; then
|
||||||
|
setcap_message="yes"
|
||||||
|
else
|
||||||
|
setcap_message="no"
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
if test "x$enable_setuid_install" = "xyes" ; then
|
if test "x$enable_setuid_install" = "xyes" ; then
|
||||||
setuid_message="yes"
|
setuid_message="yes"
|
||||||
else
|
else
|
||||||
setuid_message="no"
|
setuid_message="no"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if test "x$DUMPCAP_GROUP" = "x" ; then
|
||||||
|
dumpcap_group_message="(none)"
|
||||||
|
else
|
||||||
|
dumpcap_group_message="$DUMPCAP_GROUP"
|
||||||
|
fi
|
||||||
|
|
||||||
if test "x$want_zlib" = "xno" ; then
|
if test "x$want_zlib" = "xno" ; then
|
||||||
zlib_message="no"
|
zlib_message="no"
|
||||||
else
|
else
|
||||||
|
@ -1948,7 +2002,9 @@ echo " Build randpkt : $enable_randpkt"
|
||||||
echo " Build dftest : $enable_dftest"
|
echo " Build dftest : $enable_dftest"
|
||||||
echo " Build rawshark : $enable_rawshark"
|
echo " Build rawshark : $enable_rawshark"
|
||||||
echo ""
|
echo ""
|
||||||
|
echo " Install dumpcap with capabilities : $setcap_message"
|
||||||
echo " Install dumpcap setuid : $setuid_message"
|
echo " Install dumpcap setuid : $setuid_message"
|
||||||
|
echo " Use dumpcap group : $dumpcap_group_message"
|
||||||
echo " Use plugins : $have_plugins"
|
echo " Use plugins : $have_plugins"
|
||||||
echo " Use lua library : $lua_message"
|
echo " Use lua library : $lua_message"
|
||||||
echo " Use python binding : $python_message"
|
echo " Use python binding : $python_message"
|
||||||
|
|
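Review bot: When `--enable-setcap-install` is requested but `setcap` is not found, the new block prints `no. Setcap not found` yet never resets the variable, so `enable_setcap_install` stays `yes`: `AM_CONDITIONAL(SETCAP_INSTALL, ...)` is still true, a concurrently requested setuid install is turned off with `no; using setcap instead`, and the summary reports `Install dumpcap with capabilities : yes`. The install hook would then run an empty `$(SETCAP)` (its failure hidden by the `-` prefix) followed by `chmod o-rws`, presumably leaving a dumpcap with neither capabilities nor setuid that ordinary users cannot run. Add `enable_setcap_install=no` right after `AC_MSG_RESULT(no. Setcap not found)`, or make the missing tool an `AC_MSG_ERROR` as the disabled-dumpcap case already is. Separately, the new `AM_CONDITIONAL(HAVE_DUMPCAP_GROUP, test x$DUMPCAP_GROUP != x)` should quote the expansion, `test "x$DUMPCAP_GROUP" != x`, to match the quoting used in the surrounding checks and survive a group name containing whitespace.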
|
@ -40,36 +40,46 @@ privileges have been moved out of the GUI to dumpcap.
|
||||||
WIRESHARK CONTAINS NEARLY TWO MILLION LINES OF SOURCE CODE. DO NOT RUN
|
WIRESHARK CONTAINS NEARLY TWO MILLION LINES OF SOURCE CODE. DO NOT RUN
|
||||||
THEM AS ROOT.
|
THEM AS ROOT.
|
||||||
|
|
||||||
There are two configure-time options on non-Windows systems that affect
|
Warnings are displayed when Wireshark and TShark are run as root.
|
||||||
the privileges a normal user needs to capture traffic and list
|
|
||||||
interfaces: "--enable-setuid-install" and "--with-libcap". Setting
|
There are several configure-time options on non-Windows systems that
|
||||||
"--enable-setuid-install" to "yes" will install dumpcap setuid root.
|
affect the privileges a normal user needs to capture traffic and list
|
||||||
This is necessary for non-root users to be able to capture on most
|
interfaces:
|
||||||
|
|
||||||
|
--enable-setcap-install Install dumpcap with cap_net_admin and
|
||||||
|
cap_net_raw capabilities. Linux only.
|
||||||
|
|
||||||
|
--enable-setuid-install Install dumpcap setuid root.
|
||||||
|
|
||||||
|
--with-libcap If running as root, try to grab
|
||||||
|
CAP_NET_ADMIN and CAP_NET_RAW, then drop
|
||||||
|
privileges. Linux only.
|
||||||
|
|
||||||
|
--with-dumpcap-group=... Restricts dumpcap execution to the
|
||||||
|
specified group.
|
||||||
|
|
||||||
|
These are necessary for non-root users to be able to capture on most
|
||||||
systems, e.g. on Linux or FreeBSD if the user doesn't have permissions
|
systems, e.g. on Linux or FreeBSD if the user doesn't have permissions
|
||||||
to access /dev/bpf*. It is disabled by default. Note that enabling this
|
to access /dev/bpf*. Setcap installation is preferred over setuid on
|
||||||
allows packet capture for ALL users on your system. If this is not
|
Linux. If "--enable-setcap-install" is used it will override any setuid
|
||||||
desired, you should restrict dumpcap execution to a specific group or
|
settings.
|
||||||
user.
|
|
||||||
|
|
||||||
If the "--with-libcap" option is enabled, dumpcap will try to drop any
|
The "--with-libcap" option is only useful when dumpcap is installed
|
||||||
setuid privileges it may have while retaining the CAP_NET_ADMIN and
|
setuid. If it is enabled dumpcap will try to drop any setuid privileges
|
||||||
CAP_NET_RAW capabilities. It is enabled by default, if the Linux
|
it may have while retaining the CAP_NET_ADMIN and CAP_NET_RAW
|
||||||
capabilities library (on which it depends) is found.
|
capabilities. It is enabled by default, if the Linux capabilities
|
||||||
|
library (on which it depends) is found.
|
||||||
|
|
||||||
Warnings are displayed when Wireshark and TShark are run
|
Note that enabling setcap or setuid installation allows packet capture
|
||||||
as root.
|
for ALL users on your system. If this is not desired, you can restrict
|
||||||
|
dumpcap execution to a specific group or user. The following two examples
|
||||||
For Linux systems that have libcap and the "setcap" utility you can
|
show how to restrict access using setcap and setuid respectively:
|
||||||
avoid root altogether:
|
|
||||||
|
|
||||||
# groupadd -g packetcapture
|
# groupadd -g packetcapture
|
||||||
# chmod 750 /usr/bin/dumpcap
|
# chmod 750 /usr/bin/dumpcap
|
||||||
# chgrp packetcapture /usr/bin/dumpcap
|
# chgrp packetcapture /usr/bin/dumpcap
|
||||||
# setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
|
# setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
|
||||||
|
|
||||||
For Linux systems without filesystem capabilities you can limit root
|
|
||||||
to dumpcap:
|
|
||||||
|
|
||||||
# groupadd -g packetcapture
|
# groupadd -g packetcapture
|
||||||
# chgrp packetcapture /usr/bin/dumpcap
|
# chgrp packetcapture /usr/bin/dumpcap
|
||||||
# chmod 4750 /usr/bin/dumpcap
|
# chmod 4750 /usr/bin/dumpcap
|
||||||
|
|