Add --enable-setcap-install and --with-dumpcap-group.

svn path=/trunk/; revision=32421
Gerald Combs 2010-04-08 00:02:29 +00:00
parent f307dd5a31
commit 1426281ebd
3 changed files with 100 additions and 26 deletions


@ -817,12 +817,20 @@ EXTRA_DIST = \
wireshark.desktop \ wireshark.desktop \
wka.tmpl wka.tmpl
if SETUID_INSTALL
install-exec-hook:
-chmod +s $(DESTDIR)$(bindir)/dumpcap
else
install-exec-hook: install-exec-hook:
if HAVE_DUMPCAP_GROUP
-chgrp $(DUMPCAP_GROUP) $(DESTDIR)$(bindir)/dumpcap
endif endif
if SETCAP_INSTALL
-$(SETCAP) cap_net_raw,cap_net_admin+eip $(DESTDIR)$(bindir)/dumpcap
-chmod o-rws $(DESTDIR)$(bindir)/dumpcap
else
if SETUID_INSTALL
-chmod o-rws $(DESTDIR)$(bindir)/dumpcap
-chmod +s $(DESTDIR)$(bindir)/dumpcap
endif
endif
DIST_SUBDIRS = asn1 codecs doc epan gtk help packaging plugins tools wiretap wsutil docbook DIST_SUBDIRS = asn1 codecs doc epan gtk help packaging plugins tools wiretap wsutil docbook
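Review bot: In the SETCAP_INSTALL branch the capabilities are granted before the permission bits are tightened, so between `-$(SETCAP) cap_net_raw,cap_net_admin+eip $(DESTDIR)$(bindir)/dumpcap` and `-chmod o-rws $(DESTDIR)$(bindir)/dumpcap` the binary is briefly world-executable with those capabilities; the setuid branch right below already runs `chmod o-rws` first, so the setcap branch should match it by moving the `chmod o-rws` line ahead of the `$(SETCAP)` line. Both `chmod o-rws` calls run whether or not HAVE_DUMPCAP_GROUP is set, so without `--with-dumpcap-group` the installed dumpcap presumably keeps the installing user's group (root on a typical install) and non-root users can no longer execute it at all, which contradicts the README text in this same commit that setcap or setuid installation "allows packet capture for ALL users"; either guard the `chmod o-rws` lines with `if HAVE_DUMPCAP_GROUP` or adjust the README. The leading `-` also makes a failing `$(SETCAP)` invocation (an empty SETCAP, or a filesystem without extended-attribute support) silently ignored, leaving a dumpcap with neither capabilities nor setuid and no error at install time; consider dropping the `-` on that line or echoing a warning when it fails.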


@ -1251,6 +1251,28 @@ else
fi fi
dnl Check if dumpcap should be installed with filesystem capabilities
AC_PATH_PROG(SETCAP, setcap)
AC_ARG_ENABLE(setcap-install,
AC_HELP_STRING( [--enable-setcap-install],
[install dumpcap with cap_net_admin and cap_net_raw @<:@default=no@:>@]),
enable_setcap_install=$enableval,enable_setcap_install=no)
AC_MSG_CHECKING(whether to install dumpcap with cap_net_admin and cap_net_raw capabilities)
if test "x$enable_setcap_install" = "xno" ; then
AC_MSG_RESULT(no)
else
if test "x$SETCAP" = "x" ; then
AC_MSG_RESULT(no. Setcap not found)
elif test "x$enable_dumpcap" = "xno" ; then
AC_MSG_ERROR(Setcap install works only with dumpcap but dumpcap is disabled)
else
AC_MSG_RESULT(yes)
fi
fi
AM_CONDITIONAL(SETCAP_INSTALL, test x$enable_setcap_install = xyes)
dnl Check if dumpcap should be installed setuid dnl Check if dumpcap should be installed setuid
AC_ARG_ENABLE(setuid-install, AC_ARG_ENABLE(setuid-install,
AC_HELP_STRING( [--enable-setuid-install], AC_HELP_STRING( [--enable-setuid-install],
@ -1261,7 +1283,10 @@ AC_MSG_CHECKING(whether to install dumpcap setuid)
if test "x$enable_setuid_install" = "xno" ; then if test "x$enable_setuid_install" = "xno" ; then
AC_MSG_RESULT(no) AC_MSG_RESULT(no)
else else
if test "x$enable_dumpcap" = "xno" ; then if test "x$enable_setcap_install" = "xyes" ; then
enable_setuid_install=no
AC_MSG_RESULT(no; using setcap instead)
elif test "x$enable_dumpcap" = "xno" ; then
AC_MSG_ERROR(Setuid install works only with dumpcap but dumpcap is disabled) AC_MSG_ERROR(Setuid install works only with dumpcap but dumpcap is disabled)
else else
AC_MSG_RESULT(yes) AC_MSG_RESULT(yes)
@ -1271,6 +1296,22 @@ fi
AM_CONDITIONAL(SETUID_INSTALL, test x$enable_setuid_install = xyes) AM_CONDITIONAL(SETUID_INSTALL, test x$enable_setuid_install = xyes)
AC_CHECK_FUNCS(setresuid setresgid) AC_CHECK_FUNCS(setresuid setresgid)
dnl ...but our Network Operations group is named "no"!
DUMPCAP_GROUP=''
AC_ARG_WITH(dumpcap-group,
AC_HELP_STRING( [--with-dumpcap-group=GROUP],
[restrict dumpcap to GROUP]),
[
if test "x$withval" = "xyes"; then
AC_MSG_ERROR([No dumpcap group specified.])
elif test "x$withval" != "xno"; then
AC_MSG_RESULT($withval)
DUMPCAP_GROUP="$withval"
fi
])
AC_SUBST(DUMPCAP_GROUP)
AM_CONDITIONAL(HAVE_DUMPCAP_GROUP, test x$DUMPCAP_GROUP != x)
dnl libcap (not libpcap) check dnl libcap (not libpcap) check
LIBCAP_LIBS='' LIBCAP_LIBS=''
AC_MSG_CHECKING(whether to use the libcap capabilities library) AC_MSG_CHECKING(whether to use the libcap capabilities library)
@ -1857,12 +1898,25 @@ dnl AC_CONFIG_FILES([tools/setuid-root.pl], [chmod +x tools/setuid-root.pl])
# Pretty messages # Pretty messages
if test "x$enable_setcap_install" = "xyes" ; then
setcap_message="yes"
else
setcap_message="no"
fi
if test "x$enable_setuid_install" = "xyes" ; then if test "x$enable_setuid_install" = "xyes" ; then
setuid_message="yes" setuid_message="yes"
else else
setuid_message="no" setuid_message="no"
fi fi
if test "x$DUMPCAP_GROUP" = "x" ; then
dumpcap_group_message="(none)"
else
dumpcap_group_message="$DUMPCAP_GROUP"
fi
if test "x$want_zlib" = "xno" ; then if test "x$want_zlib" = "xno" ; then
zlib_message="no" zlib_message="no"
else else
@ -1948,7 +2002,9 @@ echo " Build randpkt : $enable_randpkt"
echo " Build dftest : $enable_dftest" echo " Build dftest : $enable_dftest"
echo " Build rawshark : $enable_rawshark" echo " Build rawshark : $enable_rawshark"
echo "" echo ""
echo " Install dumpcap with capabilities : $setcap_message"
echo " Install dumpcap setuid : $setuid_message" echo " Install dumpcap setuid : $setuid_message"
echo " Use dumpcap group : $dumpcap_group_message"
echo " Use plugins : $have_plugins" echo " Use plugins : $have_plugins"
echo " Use lua library : $lua_message" echo " Use lua library : $lua_message"
echo " Use python binding : $python_message" echo " Use python binding : $python_message"
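Review bot: In the first hunk the `Setcap not found` branch only prints a result and leaves `enable_setcap_install` at `yes`, so `AM_CONDITIONAL(SETCAP_INSTALL, test x$enable_setcap_install = xyes)` is still true, the setuid check in the second hunk then forces `enable_setuid_install=no` because setcap appears enabled, and the summary prints `Install dumpcap with capabilities : yes`; with SETCAP empty the Makefile's install hook would run an empty `$(SETCAP)` and then `chmod o-rws`, producing a dumpcap with neither capabilities nor setuid. Add `enable_setcap_install=no` directly under `AC_MSG_RESULT(no. Setcap not found)`, or make that branch an `AC_MSG_ERROR` like the disabled-dumpcap case, so the conditional and the summary reflect what will actually be installed. Separately, `AM_CONDITIONAL(HAVE_DUMPCAP_GROUP, test x$DUMPCAP_GROUP != x)` expands the group unquoted, unlike the `"x$withval"` tests above it; `test "x$DUMPCAP_GROUP" != x` avoids a shell error if the value contains whitespace.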


@ -40,36 +40,46 @@ privileges have been moved out of the GUI to dumpcap.
WIRESHARK CONTAINS NEARLY TWO MILLION LINES OF SOURCE CODE. DO NOT RUN WIRESHARK CONTAINS NEARLY TWO MILLION LINES OF SOURCE CODE. DO NOT RUN
THEM AS ROOT. THEM AS ROOT.
There are two configure-time options on non-Windows systems that affect Warnings are displayed when Wireshark and TShark are run as root.
the privileges a normal user needs to capture traffic and list
interfaces: "--enable-setuid-install" and "--with-libcap". Setting There are several configure-time options on non-Windows systems that
"--enable-setuid-install" to "yes" will install dumpcap setuid root. affect the privileges a normal user needs to capture traffic and list
This is necessary for non-root users to be able to capture on most interfaces:
--enable-setcap-install Install dumpcap with cap_net_admin and
cap_net_raw capabilities. Linux only.
--enable-setuid-install Install dumpcap setuid root.
--with-libcap If running as root, try to grab
CAP_NET_ADMIN and CAP_NET_RAW, then drop
privileges. Linux only.
--with-dumpcap-group=... Restricts dumpcap execution to the
specified group.
These are necessary for non-root users to be able to capture on most
systems, e.g. on Linux or FreeBSD if the user doesn't have permissions systems, e.g. on Linux or FreeBSD if the user doesn't have permissions
to access /dev/bpf*. It is disabled by default. Note that enabling this to access /dev/bpf*. Setcap installation is preferred over setuid on
allows packet capture for ALL users on your system. If this is not Linux. If "--enable-setcap-install" is used it will override any setuid
desired, you should restrict dumpcap execution to a specific group or settings.
user.
If the "--with-libcap" option is enabled, dumpcap will try to drop any The "--with-libcap" option is only useful when dumpcap is installed
setuid privileges it may have while retaining the CAP_NET_ADMIN and setuid. If it is enabled dumpcap will try to drop any setuid privileges
CAP_NET_RAW capabilities. It is enabled by default, if the Linux it may have while retaining the CAP_NET_ADMIN and CAP_NET_RAW
capabilities library (on which it depends) is found. capabilities. It is enabled by default, if the Linux capabilities
library (on which it depends) is found.
Warnings are displayed when Wireshark and TShark are run Note that enabling setcap or setuid installation allows packet capture
as root. for ALL users on your system. If this is not desired, you can restrict
dumpcap execution to a specific group or user. The following two examples
For Linux systems that have libcap and the "setcap" utility you can show how to restrict access using setcap and setuid respectively:
avoid root altogether:
# groupadd -g packetcapture # groupadd -g packetcapture
# chmod 750 /usr/bin/dumpcap # chmod 750 /usr/bin/dumpcap
# chgrp packetcapture /usr/bin/dumpcap # chgrp packetcapture /usr/bin/dumpcap
# setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
For Linux systems without filesystem capabilities you can limit root
to dumpcap:
# groupadd -g packetcapture # groupadd -g packetcapture
# chgrp packetcapture /usr/bin/dumpcap # chgrp packetcapture /usr/bin/dumpcap
# chmod 4750 /usr/bin/dumpcap # chmod 4750 /usr/bin/dumpcap