I need few suggestions about this ..
https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
Combs, the upstream maintainer of wireshark, suggests to use
capabilities instead of consolehelper+root privileges for
dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
apps in Fedora are already using it and I haven't found any. Honestly
I'm not sure about right way to use them. The idea is to add something
like following to %post
Radek
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
04-07-2010, 06:31 AM
Dan Horák
Using capabilities for libpcap apps
Radek Vokál pÃ*Å¡e v Út 06. 04. 2010 v 22:47 +0200:
> Hi all,
>
> I need few suggestions about this ..
> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> Combs, the upstream maintainer of wireshark, suggests to use
> capabilities instead of consolehelper+root privileges for
> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
> apps in Fedora are already using it and I haven't found any. Honestly
> I'm not sure about right way to use them. The idea is to add something
> like following to %post
>
> # groupadd -g wireshark
> # chgrp wireshark /usr/bin/dumpcap
for creating the group you should use the standard scriptlet from
https://fedoraproject.org/wiki/Packaging/UsersAndGroups and set the
group via %attr in %files
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
04-07-2010, 06:32 AM
Huzaifa Sidhpurwala
Using capabilities for libpcap apps
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I was speaking about this with Rahul Sundaram and he pointed me to:
http://fedoraproject.org/wiki/Features/LowerProcessCapabilities
I would suggest using libpcap-ng rather than libpcap if it works.
Radek Vokál wrote:
> Hi all,
>
> I need few suggestions about this ..
> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> Combs, the upstream maintainer of wireshark, suggests to use
> capabilities instead of consolehelper+root privileges for
> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
> apps in Fedora are already using it and I haven't found any. Honestly
> I'm not sure about right way to use them. The idea is to add something
> like following to %post
>
> # groupadd -g wireshark
> # chgrp wireshark /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
>
> Suggestions? Ideas? Spec file patches?
>
> Any help is welcome.
>
> Radek
On Tue, Apr 06, 2010 at 10:47:22PM +0200, Radek Vokál wrote:
> Hi all,
>
> I need few suggestions about this ..
> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> Combs, the upstream maintainer of wireshark, suggests to use
> capabilities instead of consolehelper+root privileges for
> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
> apps in Fedora are already using it and I haven't found any. Honestly
> I'm not sure about right way to use them. The idea is to add something
> like following to %post
>
> # groupadd -g wireshark
> # chgrp wireshark /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
This is useful to avoid having setuid binary, but how will regular
users get access to the wireshark group? Maybe through policykit?
--
Miroslav Lichvar
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
04-07-2010, 01:47 PM
"Serge E. Hallyn"
Using capabilities for libpcap apps
Quoting Miroslav Lichvar (mlichvar@redhat.com):
> On Tue, Apr 06, 2010 at 10:47:22PM +0200, Radek Vokál wrote:
> > Hi all,
> >
> > I need few suggestions about this ..
> > https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> > Combs, the upstream maintainer of wireshark, suggests to use
> > capabilities instead of consolehelper+root privileges for
> > dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
> > apps in Fedora are already using it and I haven't found any. Honestly
> > I'm not sure about right way to use them. The idea is to add something
> > like following to %post
> >
> > # groupadd -g wireshark
> > # chgrp wireshark /usr/bin/dumpcap
> > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
>
> This is useful to avoid having setuid binary, but how will regular
> users get access to the wireshark group? Maybe through policykit?
The originally quoted URL also says:
# groupadd -g wireshark
# usermod -a -G wireshark gerald
-serge
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
04-07-2010, 02:00 PM
Colin Walters
Using capabilities for libpcap apps
2010/4/6 Radek Vokál <radekvokal@gmail.com>:
> Hi all,
>
> *I need few suggestions about this ..
> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> Combs, the upstream maintainer of wireshark, suggests to use
> capabilities instead of consolehelper+root privileges for
> dumpcap/wireshark.
Using PolicyKit instead of hardcoding a Unix group gives a lot more
flexibility to system administrators. For example, in Fedora we
could interactively prompt for the root password by default. Or we
could default to allowing "console users" auth. Or require the user's
password. Or in fact, allow it for a given Unix group.
Basically, you already have the privileged component/user session
separation, which is great, so the dumpcap program just needs to be
runnable as a DBus service, it could expose say an API to get a file
descriptor which gives a dump stream for a given interface.
Documentation lives at: http://hal.freedesktop.org/docs/PolicyKit/
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
04-08-2010, 08:49 PM
Steve Grubb
Using capabilities for libpcap apps
On Tuesday 06 April 2010 04:47:22 pm Radek Vokál wrote:
> I need few suggestions about this ..
> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> Combs, the upstream maintainer of wireshark, suggests to use
> capabilities instead of consolehelper+root privileges for
> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
> apps in Fedora are already using it and I haven't found any. Honestly
> I'm not sure about right way to use them. The idea is to add something
> like following to %post
>
> # groupadd -g wireshark
> # chgrp wireshark /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
>
> Suggestions? Ideas? Spec file patches?
rpm supposedly has native support for capabilities. That would mean that you
don't need to call setcap.
-Steve
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
04-09-2010, 07:30 AM
Radek Vokál
Using capabilities for libpcap apps
On 04/08/2010 10:49 PM, Steve Grubb wrote:
> On Tuesday 06 April 2010 04:47:22 pm Radek Vokál wrote:
>> I need few suggestions about this ..
>> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
>> Combs, the upstream maintainer of wireshark, suggests to use
>> capabilities instead of consolehelper+root privileges for
>> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
>> apps in Fedora are already using it and I haven't found any. Honestly
>> I'm not sure about right way to use them. The idea is to add something
>> like following to %post
>>
>> # groupadd -g wireshark
>> # chgrp wireshark /usr/bin/dumpcap
>> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
>> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
>>
>> Suggestions? Ideas? Spec file patches?
>
> rpm supposedly has native support for capabilities. That would mean that you
> don't need to call setcap.
>
> -Steve
>
Are there any docs for that? I haven't found any so far.
Radek
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
04-09-2010, 01:13 PM
"Serge E. Hallyn"
Using capabilities for libpcap apps
Quoting Radek Vokál (radekvokal@gmail.com):
> On 04/08/2010 10:49 PM, Steve Grubb wrote:
> > On Tuesday 06 April 2010 04:47:22 pm Radek Vokál wrote:
> >> I need few suggestions about this ..
> >> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald
> >> Combs, the upstream maintainer of wireshark, suggests to use
> >> capabilities instead of consolehelper+root privileges for
> >> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other
> >> apps in Fedora are already using it and I haven't found any. Honestly
> >> I'm not sure about right way to use them. The idea is to add something
> >> like following to %post
> >>
> >> # groupadd -g wireshark
> >> # chgrp wireshark /usr/bin/dumpcap
> >> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
> >> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
> >>
> >> Suggestions? Ideas? Spec file patches?
> >
> > rpm supposedly has native support for capabilities. That would mean that you
> > don't need to call setcap.
> >
> > -Steve
> >
>
> Are there any docs for that? I haven't found any so far.
Using capabilities for libpcap apps
