Re: Using capabilities for libpcap apps

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Quoting Miroslav Lichvar (mlichvar@xxxxxxxxxx):
> On Tue, Apr 06, 2010 at 10:47:22PM +0200, Radek Vokál wrote:
> > Hi all,
> > 
> >   I need few suggestions about this .. 
> > https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald 
> > Combs, the upstream maintainer of wireshark, suggests to use 
> > capabilities instead of consolehelper+root privileges for 
> > dumpcap/wireshark. It makes whole lot of sense, so I've looked if other 
> > apps in Fedora are already using it and I haven't found any. Honestly 
> > I'm not sure about right way to use them. The idea is to add something 
> > like following to %post
> > 
> > # groupadd -g wireshark
> > # chgrp wireshark /usr/bin/dumpcap
> > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
> 
> This is useful to avoid having setuid binary, but how will regular
> users get access to the wireshark group? Maybe through policykit?

The originally quoted URL also says:

# groupadd -g wireshark
# usermod -a -G wireshark gerald

-serge
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux