04-06-2010, 08:47 PM
Radek Vokál

Using capabilities for libpcap apps

Hi all,

I need few suggestions about this ..
https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
Combs, the upstream maintainer of wireshark, suggests to use
capabilities instead of consolehelper+root privileges for
dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
apps in Fedora are already using it and I haven't found any. Honestly
I'm not sure about right way to use them. The idea is to add something
like following to %post

# groupadd -g wireshark
# chgrp wireshark /usr/bin/dumpcap
# setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
# setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark

Suggestions? Ideas? Spec file patches?

Any help is welcome.

Radek
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
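
A check a packager could run after the `%post` steps in the message above, as an added example that is not part of the original thread: file capabilities are granted to any process that executes the file, so limiting them to the `wireshark` group also depends on the binary's mode, which the posted commands do not change. The function names are hypothetical, `audit_file` assumes GNU `stat` and libcap's `getcap`, and the sample values at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): who can exercise a binary's file
# capabilities? Names below are hypothetical.

# cap_exposure MODE GROUP CAPS
#   MODE   octal permission bits as printed by `stat -c %a`, e.g. 750
#   GROUP  owning group name
#   CAPS   capability text as printed by getcap, empty when none are set
# Prints: none | world | group:<name> | owner
cap_exposure() (
    mode=$1 group=$2 caps=$3
    if [ -z "$caps" ]; then
        echo "none"
    elif [ $(( 0$mode & 01 )) -ne 0 ]; then      # other-execute bit
        echo "world"
    elif [ $(( 0$mode & 010 )) -ne 0 ]; then     # group-execute bit
        echo "group:$group"
    else
        echo "owner"
    fi
)

# audit_file PATH: same verdict for a real file (needs GNU stat and getcap).
audit_file() (
    out=$(getcap "$1" 2>/dev/null)
    caps=${out#"$1"}; caps=${caps# = }; caps=${caps# }
    mode=$(stat -c %a "$1"); group=$(stat -c %G "$1")
    printf '%s: %s\n' "$1" "$(cap_exposure "$mode" "$group" "$caps")"
)

# Constructed cases: mode, group and caps are sample values, not real output.
CAPS='cap_net_admin,cap_net_raw+eip'
cap_exposure 755 root      "$CAPS"   # setcap only, mode untouched
cap_exposure 750 wireshark "$CAPS"   # chgrp plus mode 750
cap_exposure 755 root      ""        # no capabilities set
```

A `world` verdict means every local user receives the capabilities on exec, whatever group owns the file.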
 
04-07-2010, 06:31 AM
Dan Horák

Using capabilities for libpcap apps

Radek Vokál wrote on Tue 06. 04. 2010 at 22:47 +0200:
> Hi all,
>
> I need few suggestions about this ..
> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> Combs, the upstream maintainer of wireshark, suggests to use
> capabilities instead of consolehelper+root privileges for
> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
> apps in Fedora are already using it and I haven't found any. Honestly
> I'm not sure about right way to use them. The idea is to add something
> like following to %post
>
> # groupadd -g wireshark
> # chgrp wireshark /usr/bin/dumpcap

for creating the group you should use the standard scriptlet from
https://fedoraproject.org/wiki/Packaging/UsersAndGroups and set the
group via %attr in %files

> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark

I would add these commands to %post too


Dan


 
04-07-2010, 06:32 AM
Huzaifa Sidhpurwala

Using capabilities for libpcap apps

Hi,
I was speaking about this with Rahul Sundaram and he pointed me to:
http://fedoraproject.org/wiki/Features/LowerProcessCapabilities

I would suggest using libpcap-ng rather than libpcap if it works.



Radek Vokál wrote:
> Hi all,
>
> I need few suggestions about this ..
> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> Combs, the upstream maintainer of wireshark, suggests to use
> capabilities instead of consolehelper+root privileges for
> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
> apps in Fedora are already using it and I haven't found any. Honestly
> I'm not sure about right way to use them. The idea is to add something
> like following to %post
>
> # groupadd -g wireshark
> # chgrp wireshark /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
>
> Suggestions? Ideas? Spec file patches?
>
> Any help is welcome.
>
> Radek


--
Regards,
Huzaifa Sidhpurwala, RHCE, CCNA (IRC: huzaifas)


GnuPG Fingerprint:
3A0F DAFB 9279 02ED 273B FFE9 CC70 DCF2 DA5B DAE5
 
04-07-2010, 06:34 AM
Huzaifa Sidhpurwala

Using capabilities for libpcap apps

Huzaifa Sidhpurwala wrote:

Ah Sorry, scratch the last line please, an oversight
> I would suggest using libpcap-ng rather than libpcap if it works.


--
Regards,
Huzaifa Sidhpurwala, RHCE, CCNA (IRC: huzaifas)

GnuPG Fingerprint:
3A0F DAFB 9279 02ED 273B FFE9 CC70 DCF2 DA5B DAE5
 
04-07-2010, 10:08 AM
Miroslav Lichvar

Using capabilities for libpcap apps

On Tue, Apr 06, 2010 at 10:47:22PM +0200, Radek Vokál wrote:
> Hi all,
>
> I need few suggestions about this ..
> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> Combs, the upstream maintainer of wireshark, suggests to use
> capabilities instead of consolehelper+root privileges for
> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
> apps in Fedora are already using it and I haven't found any. Honestly
> I'm not sure about right way to use them. The idea is to add something
> like following to %post
>
> # groupadd -g wireshark
> # chgrp wireshark /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark

This is useful to avoid having setuid binary, but how will regular
users get access to the wireshark group? Maybe through policykit?

--
Miroslav Lichvar
 
04-07-2010, 01:47 PM
"Serge E. Hallyn"

Using capabilities for libpcap apps

Quoting Miroslav Lichvar (mlichvar@redhat.com):
> On Tue, Apr 06, 2010 at 10:47:22PM +0200, Radek Vokál wrote:
> > Hi all,
> >
> > I need few suggestions about this ..
> > https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> > Combs, the upstream maintainer of wireshark, suggests to use
> > capabilities instead of consolehelper+root privileges for
> > dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
> > apps in Fedora are already using it and I haven't found any. Honestly
> > I'm not sure about right way to use them. The idea is to add something
> > like following to %post
> >
> > # groupadd -g wireshark
> > # chgrp wireshark /usr/bin/dumpcap
> > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
>
> This is useful to avoid having setuid binary, but how will regular
> users get access to the wireshark group? Maybe through policykit?

The originally quoted URL also says:

# groupadd -g wireshark
# usermod -a -G wireshark gerald

-serge
 
04-07-2010, 02:00 PM
Colin Walters

Using capabilities for libpcap apps

2010/4/6 Radek Vokál <radekvokal@gmail.com>:
> Hi all,
>
> I need few suggestions about this ..
> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> Combs, the upstream maintainer of wireshark, suggests to use
> capabilities instead of consolehelper+root privileges for
> dumpcap/wireshark.

Using PolicyKit instead of hardcoding a Unix group gives a lot more
flexibility to system administrators. For example, in Fedora we
could interactively prompt for the root password by default. Or we
could default to allowing "console users" auth. Or require the user's
password. Or in fact, allow it for a given Unix group.

Basically, you already have the privileged component/user session
separation, which is great, so the dumpcap program just needs to be
runnable as a DBus service, it could expose say an API to get a file
descriptor which gives a dump stream for a given interface.

Documentation lives at: http://hal.freedesktop.org/docs/PolicyKit/
 
04-08-2010, 08:49 PM
Steve Grubb

Using capabilities for libpcap apps

On Tuesday 06 April 2010 04:47:22 pm Radek Vokál wrote:
> I need few suggestions about this ..
> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> Combs, the upstream maintainer of wireshark, suggests to use
> capabilities instead of consolehelper+root privileges for
> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
> apps in Fedora are already using it and I haven't found any. Honestly
> I'm not sure about right way to use them. The idea is to add something
> like following to %post
>
> # groupadd -g wireshark
> # chgrp wireshark /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
>
> Suggestions? Ideas? Spec file patches?

rpm supposedly has native support for capabilities. That would mean that you
don't need to call setcap.

-Steve
 
04-09-2010, 07:30 AM
Radek Vokál

Using capabilities for libpcap apps

On 04/08/2010 10:49 PM, Steve Grubb wrote:
> On Tuesday 06 April 2010 04:47:22 pm Radek Vokál wrote:
>> I need few suggestions about this ..
>> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
>> Combs, the upstream maintainer of wireshark, suggests to use
>> capabilities instead of consolehelper+root privileges for
>> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
>> apps in Fedora are already using it and I haven't found any. Honestly
>> I'm not sure about right way to use them. The idea is to add something
>> like following to %post
>>
>> # groupadd -g wireshark
>> # chgrp wireshark /usr/bin/dumpcap
>> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
>> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
>>
>> Suggestions? Ideas? Spec file patches?
>
> rpm supposedly has native support for capabilities. That would mean that you
> don't need to call setcap.
>
> -Steve
>

Are there any docs for that? I haven't found any so far.

Radek
 
04-09-2010, 01:13 PM
"Serge E. Hallyn"

Using capabilities for libpcap apps

Quoting Radek Vokál (radekvokal@gmail.com):
> On 04/08/2010 10:49 PM, Steve Grubb wrote:
> > On Tuesday 06 April 2010 04:47:22 pm Radek Vokál wrote:
> >> I need few suggestions about this ..
> >> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> >> Combs, the upstream maintainer of wireshark, suggests to use
> >> capabilities instead of consolehelper+root privileges for
> >> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
> >> apps in Fedora are already using it and I haven't found any. Honestly
> >> I'm not sure about right way to use them. The idea is to add something
> >> like following to %post
> >>
> >> # groupadd -g wireshark
> >> # chgrp wireshark /usr/bin/dumpcap
> >> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> >> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
> >>
> >> Suggestions? Ideas? Spec file patches?
> >
> > rpm supposedly has native support for capabilities. That would mean that you
> > don't need to call setcap.
> >
> > -Steve
> >
>
> Are there any docs for that? I haven't found any so far.

Thread starting here:

http://www.mail-archive.com/rpm-maint@lists.rpm.org/msg01015.html

-serge
 
