Re: Using capabilities for libpcap apps
Quoting Radek Vokál (radekvo...@gmail.com): > On 04/08/2010 10:49 PM, Steve Grubb wrote: > > On Tuesday 06 April 2010 04:47:22 pm Radek Vokál wrote: > >>I need few suggestions about this .. > >> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald > >> Combs, the upstream maintainer of wireshark, suggests to use > >> capabilities instead of consolehelper+root privileges for > >> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other > >> apps in Fedora are already using it and I haven't found any. Honestly > >> I'm not sure about right way to use them. The idea is to add something > >> like following to %post > >> > >> # groupadd -g wireshark > >> # chgrp wireshark /usr/bin/dumpcap > >> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap > >> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark > >> > >> Suggestions? Ideas? Spec file patches? > > > > rpm supposedly has native support for capabilities. That would mean that you > > don't need to call setcap. > > > > -Steve > > > > Are there any docs for that? I haven't found any so far. Thread starting here: http://www.mail-archive.com/rpm-ma...@lists.rpm.org/msg01015.html -serge -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Using capabilities for libpcap apps
On 04/08/2010 10:49 PM, Steve Grubb wrote: > On Tuesday 06 April 2010 04:47:22 pm Radek Vokál wrote: >>I need few suggestions about this .. >> https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald >> Combs, the upstream maintainer of wireshark, suggests to use >> capabilities instead of consolehelper+root privileges for >> dumpcap/wireshark. It makes whole lot of sense, so I've looked if other >> apps in Fedora are already using it and I haven't found any. Honestly >> I'm not sure about right way to use them. The idea is to add something >> like following to %post >> >> # groupadd -g wireshark >> # chgrp wireshark /usr/bin/dumpcap >> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap >> # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark >> >> Suggestions? Ideas? Spec file patches? > > rpm supposedly has native support for capabilities. That would mean that you > don't need to call setcap. > > -Steve > Are there any docs for that? I haven't found any so far. Radek -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Using capabilities for libpcap apps
On Tuesday 06 April 2010 04:47:22 pm Radek Vokál wrote: > I need few suggestions about this .. > https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald > Combs, the upstream maintainer of wireshark, suggests to use > capabilities instead of consolehelper+root privileges for > dumpcap/wireshark. It makes whole lot of sense, so I've looked if other > apps in Fedora are already using it and I haven't found any. Honestly > I'm not sure about right way to use them. The idea is to add something > like following to %post > > # groupadd -g wireshark > # chgrp wireshark /usr/bin/dumpcap > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark > > Suggestions? Ideas? Spec file patches? rpm supposedly has native support for capabilities. That would mean that you don't need to call setcap. -Steve -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Using capabilities for libpcap apps
2010/4/6 Radek Vokál : > Hi all, > > I need few suggestions about this .. > https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald > Combs, the upstream maintainer of wireshark, suggests to use > capabilities instead of consolehelper+root privileges for > dumpcap/wireshark. Using PolicyKit instead of hardcoding a Unix group gives a lot more flexibility to system administrators. For example, in Fedora we could interactively prompt for the root password by default. Or we could default to allowing "console users" auth. Or require the user's password. Or in fact, allow it for a given Unix group. Basically, you already have the privileged component/user session separation, which is great, so the dumpcap program just needs to be runnable as a DBus service, it could expose say an API to get a file descriptor which gives a dump stream for a given interface. Documentation lives at: http://hal.freedesktop.org/docs/PolicyKit/ -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Using capabilities for libpcap apps
Quoting Miroslav Lichvar (mlich...@redhat.com): > On Tue, Apr 06, 2010 at 10:47:22PM +0200, Radek Vokál wrote: > > Hi all, > > > > I need few suggestions about this .. > > https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald > > Combs, the upstream maintainer of wireshark, suggests to use > > capabilities instead of consolehelper+root privileges for > > dumpcap/wireshark. It makes whole lot of sense, so I've looked if other > > apps in Fedora are already using it and I haven't found any. Honestly > > I'm not sure about right way to use them. The idea is to add something > > like following to %post > > > > # groupadd -g wireshark > > # chgrp wireshark /usr/bin/dumpcap > > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap > > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark > > This is useful to avoid having setuid binary, but how will regular > users get access to the wireshark group? Maybe through policykit? The originally quoted URL also says: # groupadd -g wireshark # usermod -a -G wireshark gerald -serge -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Using capabilities for libpcap apps
On Tue, Apr 06, 2010 at 10:47:22PM +0200, Radek Vokál wrote: > Hi all, > > I need few suggestions about this .. > https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald > Combs, the upstream maintainer of wireshark, suggests to use > capabilities instead of consolehelper+root privileges for > dumpcap/wireshark. It makes whole lot of sense, so I've looked if other > apps in Fedora are already using it and I haven't found any. Honestly > I'm not sure about right way to use them. The idea is to add something > like following to %post > > # groupadd -g wireshark > # chgrp wireshark /usr/bin/dumpcap > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark This is useful to avoid having setuid binary, but how will regular users get access to the wireshark group? Maybe through policykit? -- Miroslav Lichvar -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Using capabilities for libpcap apps
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Huzaifa Sidhpurwala wrote: Ah Sorry, scratch the last line please, an oversight :) > I would suggest using libpcap-ng rather than libpcap if it works. - -- Regards, Huzaifa Sidhpurwala, RHCE, CCNA (IRC: huzaifas) GnuPG Fingerprint: 3A0F DAFB 9279 02ED 273B FFE9 CC70 DCF2 DA5B DAE5 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Red Hat - http://enigmail.mozdev.org/ iD8DBQFLvCeAzHDc8tpb2uURAlpdAJ9+BCrK1bdIlxhVvClowrxcpgnM6ACeJ+m9 z3Nec3oCE70JFCf5EqnpbF0= =ZK2e -END PGP SIGNATURE- -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Using capabilities for libpcap apps
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, I was speaking about this with Rahul Sundaram and he pointed me to: http://fedoraproject.org/wiki/Features/LowerProcessCapabilities I would suggest using libpcap-ng rather than libpcap if it works. Radek Vokál wrote: > Hi all, > > I need few suggestions about this .. > https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald > Combs, the upstream maintainer of wireshark, suggests to use > capabilities instead of consolehelper+root privileges for > dumpcap/wireshark. It makes whole lot of sense, so I've looked if other > apps in Fedora are already using it and I haven't found any. Honestly > I'm not sure about right way to use them. The idea is to add something > like following to %post > > # groupadd -g wireshark > # chgrp wireshark /usr/bin/dumpcap > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark > > Suggestions? Ideas? Spec file patches? > > Any help is welcome. > > Radek - -- Regards, Huzaifa Sidhpurwala, RHCE, CCNA (IRC: huzaifas) GnuPG Fingerprint: 3A0F DAFB 9279 02ED 273B FFE9 CC70 DCF2 DA5B DAE5 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Red Hat - http://enigmail.mozdev.org/ iD8DBQFLvCbzzHDc8tpb2uURAhmUAJ9m3DzIXyuF5Q87RsRTwWN94KZiYQCfQuAn gPmMlJxwAKWCGyQJoCBbpSw= =Wkq8 -END PGP SIGNATURE- -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Using capabilities for libpcap apps
Radek Vokál píše v Út 06. 04. 2010 v 22:47 +0200: > Hi all, > > I need few suggestions about this .. > https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald > Combs, the upstream maintainer of wireshark, suggests to use > capabilities instead of consolehelper+root privileges for > dumpcap/wireshark. It makes whole lot of sense, so I've looked if other > apps in Fedora are already using it and I haven't found any. Honestly > I'm not sure about right way to use them. The idea is to add something > like following to %post > > # groupadd -g wireshark > # chgrp wireshark /usr/bin/dumpcap for creating the group you should use the standard scriptlet from https://fedoraproject.org/wiki/Packaging/UsersAndGroups and set the group via %attr in %files > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap > # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark I would add this commands to %post too Dan -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Using capabilities for libpcap apps
Hi all, I need few suggestions about this .. https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald Combs, the upstream maintainer of wireshark, suggests to use capabilities instead of consolehelper+root privileges for dumpcap/wireshark. It makes whole lot of sense, so I've looked if other apps in Fedora are already using it and I haven't found any. Honestly I'm not sure about right way to use them. The idea is to add something like following to %post # groupadd -g wireshark # chgrp wireshark /usr/bin/dumpcap # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark Suggestions? Ideas? Spec file patches? Any help is welcome. Radek -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
