mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-25 16:33:15 +00:00
a70197a653
What this allows us to do is define a "dumpcap" setuid wrapper in NixOS
and have wireshark use that instead of the non-setuid dumpcap binary
that it normally uses.
As far as I can tell, the code that is changed to do lookup in PATH is
only used by wireshark/tshark to find dumpcap. dumpcap, the thing that's
typically setuid, is not affected by this patch. wireshark and tshark
should *not* be installed setuid, so the fact that they now do lookup in
PATH is not a security concern.
With this commit, and the following config, only "root" and users in the
"wireshark" group will have access to capturing network traffic with
wireshark/dumpcap:
environment.systemPackages = [ pkgs.wireshark ];
security.setuidOwners = [
{ program = "dumpcap";
owner = "root";
group = "wireshark";
setuid = true;
setgid = false;
permissions = "u+rx,g+x";
}
];
users.extraGroups.wireshark.gid = 500;
(This wouldn't have worked before, because then wireshark would not use
our setuid dumpcap binary.)
|
||
|---|---|---|
| .. | ||
| bittorrentsync | ||
| browsers | ||
| cluster | ||
| davmail | ||
| dropbox | ||
| dropbox-cli | ||
| esniper | ||
| feedreaders/newsbeuter | ||
| ftp/filezilla | ||
| ids | ||
| instant-messengers | ||
| iptraf | ||
| irc | ||
| jmeter | ||
| mailreaders | ||
| msmtp | ||
| mumble | ||
| netperf | ||
| newsreaders | ||
| notbit | ||
| offrss | ||
| p2p | ||
| pjsip | ||
| remote | ||
| seafile-client | ||
| siproxd | ||
| sniffers | ||
| sync | ||
| syncthing | ||
| umurmur | ||
| vnstat | ||
| yafc | ||
| znc | ||