a70197a653
What this allows us to do is define a "dumpcap" setuid wrapper in NixOS and have wireshark use that instead of the non-setuid dumpcap binary that it normally uses.

As far as I can tell, the code that is changed to do lookup in PATH is only used by wireshark/tshark to find dumpcap. dumpcap, the thing that's typically setuid, is not affected by this patch. wireshark and tshark should *not* be installed setuid, so the fact that they now do lookup in PATH is not a security concern.

With this commit, and the following config, only "root" and users in the "wireshark" group will have access to capturing network traffic with wireshark/dumpcap:

    environment.systemPackages = [ pkgs.wireshark ];
    security.setuidOwners = [
      { program = "dumpcap";
        owner = "root";
        group = "wireshark";
        setuid = true;
        setgid = false;
        permissions = "u+rx,g+x";
      }
    ];
    users.extraGroups.wireshark.gid = 500;

(This wouldn't have worked before, because then wireshark would not use our setuid dumpcap binary.)
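The privilege split the commit message relies on (only the dumpcap wrapper is setuid root and group-restricted; wireshark and tshark themselves carry no setuid/setgid bits) is easy to verify on a host. The following POSIX shell check is an added example, not part of this commit or of NixOS; the wrapper path `/run/wrappers/bin/dumpcap` in the usage comment is an assumption about where the setuid wrapper is installed and should be adjusted for the release in use.

```shell
#!/bin/sh
# Added example (not from the NixOS commit): check that the capture privilege
# split described in the commit message actually holds on disk.

# Print the 10-character permission string of a file, e.g. "-rws--x---".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_setuid_wrapper FILE GROUP
# Succeeds only if FILE is setuid for its owner, executable by GROUP, and
# neither readable nor executable by others. The commit's setting
# (setuid = true, setgid = false, permissions = "u+rx,g+x") corresponds to
# mode 4710, which ls renders as exactly "-rws--x---".
check_setuid_wrapper() {
    f=$1
    want_group=$2
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    m=$(mode_of "$f")
    case "$m" in
        -rws--x---) ;;
        *) echo "unexpected mode $m on $f (want -rws--x---)"; return 1 ;;
    esac
    g=$(ls -ld "$f" | awk '{print $4}')
    [ "$g" = "$want_group" ] || { echo "group of $f is $g, want $want_group"; return 1; }
    return 0
}

# check_not_setuid FILE
# Succeeds only if FILE has neither the setuid nor the setgid bit set; this is
# what the commit message requires of the wireshark and tshark binaries.
check_not_setuid() {
    m=$(mode_of "$1")
    case "$m" in
        ???[sS]*|??????[sS]*) echo "$1 is setuid/setgid"; return 1 ;;
        *) return 0 ;;
    esac
}

# Usage on a NixOS host (the wrapper path is an assumption):
#   check_setuid_wrapper /run/wrappers/bin/dumpcap wireshark
#   check_not_setuid "$(command -v wireshark)"
#   check_not_setuid "$(command -v tshark)"
```

The owner is not checked separately because `ls` output for the setuid bit on a root-owned file is the only case that matters for capture; pass the group name from the configuration (`wireshark` in the commit) as the second argument so the check fails if the wrapper was created with the default group.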