From b202480fd8a155fe8f344765c0f80ffe5c1ef70a Mon Sep 17 00:00:00 2001 From: Gerald Combs Date: Wed, 27 Feb 2008 01:22:51 +0000 Subject: [PATCH] Expand the setuid text a bit. svn path=/trunk/; revision=24485 --- INSTALL | 8 +++++++- doc/README.packaging | 5 ++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/INSTALL b/INSTALL index e0da16ffca..6f40027721 100644 --- a/INSTALL +++ b/INSTALL @@ -138,7 +138,13 @@ README.win32 for those instructions. use this switch. --enable-setuid-install - Use this switch to install dumpcap as setuid. + Wireshark and TShark rely on dumpcap for packet capture. Setting this + flag installs dumpcap with setuid root permissions, which lets any user + on the system capture live traffic. If this is not desired, you can + restrict dumpcap's permissions so that only a single user or group can + run it. + + Running Wireshark or TShark as root is not recommended. --without-pcap If you choose to build a packet analyzer that can analyze diff --git a/doc/README.packaging b/doc/README.packaging index 7b43e1da26..400b36e6cd 100644 --- a/doc/README.packaging +++ b/doc/README.packaging @@ -46,7 +46,10 @@ interfaces: "--enable-setuid-install" and "--with-libcap". Setting "--enable-setuid-install" to "yes" will install dumpcap setuid root. This is necessary for non-root users to be able to capture on most systems, e.g. on Linux or FreeBSD if the user doesn't have permissions -to access /dev/bpf*. It is disabled by default. +to access /dev/bpf*. It is disabled by default. Note that enabling this +allows packet capture for ALL users on your system. If this is not +desired, you should restrict dumpcap execution to a specific group or +user. If the "--with-libcap" option is enabled, dumpcap will try to drop any setuid privileges it may have while retaining the CAP_NET_ADMIN and
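Review bot: In the INSTALL hunk, the new --enable-setuid-install text says you can "restrict dumpcap's permissions so that only a single user or group can run it" but never says how, so a reader who does not want every local user capturing traffic is left without a next step. Suggest adding one sentence that names the step, for example giving dumpcap a dedicated group and removing execute permission for other users after installation. The closing line "Running Wireshark or TShark as root is not recommended" would also read better with its reason attached: since Wireshark and TShark rely on dumpcap for capture, only dumpcap needs the elevated privilege.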
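Review bot: In the doc/README.packaging hunk, the added warning ends with "you should restrict dumpcap execution to a specific group or user", which is addressed to packagers but does not say whether the package is expected to do this (for instance by creating a capture group at install time) or whether it is left to the local administrator. Suggest stating which is intended, and matching the wording in INSTALL, which says "a single user or group". Because the next paragraph describes "--with-libcap" dropping setuid privileges while retaining capabilities, it is also worth one clause noting that this limits what dumpcap can do once running and does not change who is allowed to run it, so the ALL users caveat still applies with libcap enabled.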