Wireshark-dev: Re: [Wireshark-dev] GSoC 2013 Project Proposal for Root permissions in wireshark
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Mon, 29 Apr 2013 09:26:30 -0700
On 4/28/13 12:02 PM, Guy Harris wrote:
> 
> On Apr 28, 2013, at 7:43 AM, Surbhi Jain <jainsurbhi024@xxxxxxxxx> wrote:
> 
>> When we install WIRESHARK or most of the softwares on any distro, window prompts up asking for root password. When the installation of the software starts, can't we run a script which will allow the logged in user or third-party user to view the listed interfaces of the system.
> 
> That's what happens with the OS X installer; it runs a script that adds a new access_bpf group to the system, makes the user a member of the group, and installs a StartupItem (run at boot time) to change the permissions of all the /dev/bpf* devices to rw-rw-r-- and the group owner of them to access_bpf (and runs that script) so that anybody in the access_bpf group can capture traffic without requiring root permissions.

One of the problems with this approach is that new, inaccessbile bpf
devices can be created at any time. For example if you open all of the
interfaces at the same time in order to draw pretty sparklines on the
main screen and then try to open an interface for capture the system
will create a new bpf device with default permissions. It might make
sense to handle this at run time (e.g. by running dumpcap via launchd)
instead of at boot time.


> For a given distribution, *if* the kernel supports capabilities, the installer for a given distribution could ensure that dumpcap has the right capabilities set, and can also make it not readable and executable except by the owner and some group; I think some distributions *might* do this already, but others might not.
> 
> Whether that can be done, and how that's done, depends on the distribution - and whether, if we put it into *our* packaging for that distribution, the distribution won't just remove it, is another matter.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>