Ethereal-users: Re: [Ethereal-users] Give user read-only access to eth0?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 09 Mar 2005 10:11:46 -0800
Jago Pearce wrote:

> I'd like to give a user access to sniffing without allowing them to
> trash everything.
>
> Is there a better way of doing this?

I'd say "install {Free,Net,Open}BSD or Darwin and give them read-only 
access to /dev/bpf*", but that's probably not a solution that'd work for 
you, and it wouldn't give you access to eth0 in any case, as, after 
doing that, the interface wouldn't be called "eth0", it'd have some 
other name such as "fxp0" or "en0". :-)

Unfortunately, even if you could arrange that Ethereal, when run by a 
particular user, had particular capability bits, I don't *think* Linux 
has separate capability bits for "capture raw packets" and "send raw 
packets" - I think CAP_NET_RAW gives you both capabilities.

If that's not so, and there are separate bits in newer kernels, and you 
can arrange that Ethereal, when run by a particular user, has the 
"capture" capability but not the "send" capability, that might work - 
but I don't know whether the capability bits are supported to the extent 
that you can do that.
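
Added example, not part of the original message or of Ethereal's code: one way to audit what a capture process actually holds on Linux is to decode the `CapEff` mask in `/proc/<pid>/status`, where bit 13 is CAP_NET_RAW in `<linux/capability.h>`. The sample status excerpts and the function names below are constructed for illustration.

```python
import re

# Bit numbers from <linux/capability.h> (subset relevant to a sniffer audit).
CAP_NAMES = {1: "CAP_DAC_OVERRIDE", 12: "CAP_NET_ADMIN",
             13: "CAP_NET_RAW", 21: "CAP_SYS_ADMIN"}
CAP_NET_RAW = 13

# Constructed sample input: excerpts shaped like /proc/<pid>/status.
SAMPLE_CAPTURE_ONLY = "Name:\tcapture\nCapPrm:\t0000000000002000\nCapEff:\t0000000000002000\n"
SAMPLE_ROOT = "Name:\tcapture\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
SAMPLE_UNPRIVILEGED = "Name:\tcapture\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"


def effective_mask(status_text):
    """Return the CapEff bitmask from /proc/<pid>/status text as an int."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def audit(status_text):
    """Report whether CAP_NET_RAW is effective and which other bits are set."""
    mask = effective_mask(status_text)
    others = [CAP_NAMES.get(bit, "bit %d" % bit)
              for bit in range(64)
              if bit != CAP_NET_RAW and (mask >> bit) & 1]
    # CAP_NET_RAW gates opening raw and packet sockets; the same bit covers
    # reading from and writing to them, so there is one flag to report.
    return {"net_raw": bool((mask >> CAP_NET_RAW) & 1), "other_caps": others}


if __name__ == "__main__":
    # Audit the current process when run directly on a Linux host.
    with open("/proc/self/status") as fh:
        print(audit(fh.read()))
```

A capture process that reports `net_raw` as true with an empty `other_caps` list holds only the raw-socket capability; anything else in the list is privilege beyond what sniffing needs.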