On Tue, Nov 22, 2011 at 03:12:06PM +0100, Bálint Réczey wrote:
> Have you seen any suspicious output while running 'sudo
> dpkg-reconfigure wireshark-common' ?
>
> Could you please check the output of the following commands?:
>
> sudo dpkg-reconfigure wireshark-common
> /usr/sbin/dpkg-statoverride --list /usr/bin/dumpcap
> echo $?
> sudo which setcap

I now know what went wrong. I was misguided by the name of the debconf template being install-setuid, which prompted me to an immediate "no", without knowing that the postinst will only use setuid as a last-resort method if capabilities are not available. Additionally, the distance between the db_get call and the usage of the RET variable in the postinst led me into a wrong way.

I would like to suggest clarifying the wording of the debconf template or at least the README.Debian. Additionally, the possible security risk of using capabilities mentioned in the Debconf template should be explained in the README.Debian to avoid knee-jerk "no" answers by paranoid users like me.

I guess that there are many users who would happily grant dumpcap the required capabilities but would not agree to have it suid root. Hiding both methods behind the same debconf question may be confusing.

Text suggestion:

The package scripts will use Linux capabilities for the dumpcap binary where available and resort to setting the suid bit on the dumpcap binary as a fall-back.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062
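
A way to check which of the two mechanisms discussed in this thread is actually present on an installed binary such as /usr/bin/dumpcap. This is an added example, not part of the thread or of the wireshark package scripts; the function name `priv_mechanism` is made up for this sketch, and it assumes `getcap` comes from libcap2-bin.

```shell
#!/bin/sh
# Added example: report how a binary gets elevated privilege.
# Prints one of: capabilities, setuid, capabilities+setuid, none, missing.
priv_mechanism() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing"
        return 1
    fi

    mech=""

    # getcap often lives in /sbin or /usr/sbin, which may not be on an
    # unprivileged user's PATH, so search there as well.
    getcap_bin=$(PATH="$PATH:/sbin:/usr/sbin"; command -v getcap) || getcap_bin=""

    # File capabilities: getcap prints a line only when some are set.
    if [ -n "$getcap_bin" ]; then
        caps=$("$getcap_bin" "$f" 2>/dev/null) || caps=""
        if [ -n "$caps" ]; then
            mech="capabilities"
        fi
    fi

    # Setuid bit: the fall-back mechanism described in the text suggestion.
    if [ -u "$f" ]; then
        mech="${mech:+$mech+}setuid"
    fi

    echo "${mech:-none}"
}

# Usage: priv_mechanism /usr/bin/dumpcap
```

If `getcap` is not installed, the capability check is skipped, so a result of "none" then only means that the setuid bit is not set.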

