Jani Välimaa wrote:
> On Mon, 17 Dec 2012 09:57:13 +0000
> Colin Guthrie <[email protected]> wrote:
>
>> 'Twas brillig, and Olivier Blin at 17/12/12 09:55 did gyre and gimble:
>> > wally <[email protected]> writes:
>> >
>> >> Name : wireshark Relocations: (not
>> >> relocatable) Version : 1.8.4
>> >> Vendor: Mageia.Org Release : 2.mga3
>> >> Build Date: Sat Dec 1 17:48:14 2012 Install Date: (not
>> >> installed) Build Host: jonund.mageia.org
>> >> Group : Monitoring Source RPM: (none)
>> >> Size : 24192404 License: GPLv2+ and
>> >> GPLv3 Signature : (none) Packager : wally <wally>
>> >> URL : http://www.wireshark.org
>> >> Summary : Network traffic analyzer
>> >> Description :
>> >> Wireshark is a network traffic analyzer for Unix-ish operating
>> >> systems. It is based on GTK+, a graphical user interface library,
>> >> and libpcap, a packet capture and filtering library.
>> >>
>> >> wally <wally> 1.8.4-2.mga3:
>> >> + Revision: 324195
>> >> - install dumpcap setuid root as upstream suggests (to allow to
>> >> start wireshark as normal user)
>> >> - drop run-as-root hacks
>> >
>> > Hi,
>> >
>> > It seems you introduced a security flaw: now all users are able to
>> > capture the network traffic.
>> >
>> > This should be reverted, or restrictions should be added (maybe by
>> > making consolekit add acls if possible).
>>
>> Perhaps only make it only work for users in the wheel group?
>>
>
> Ah, yes. Didn't think that much. :\
>
> As Colin suggested we could "chgrp wheel /usr/bin/dumpcap && chmod
> 4750 /usr/bin/dumpcap". Or we could create wireshark group for it and
> do the same.

I see you did the wireshark group (better choice than wheel for sure).

Personally I prefer Olivier's consolekit suggestion, to allow the user logged into the physical console to use it. Much less of a management headache in most cases.

Restricting it to a group should be something an administrator can enforce with msec if they want it (and it could even be added to the default restrictions for the secure level).
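
An added example, not part of the original thread: a small shell check that tells apart the world-executable setuid install the thread flags from the group-restricted `chmod 4750` form it proposes. The function name `classify_helper` is hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): audit a setuid capture helper.
# classify_helper PATH EXPECTED_GROUP   (hypothetical helper name)
# Prints: missing | not-setuid | world-executable | wrong-group | restricted
classify_helper() {
    path=$1
    want_group=$2
    [ -e "$path" ] || { echo missing; return 2; }

    # GNU stat: %a = octal mode (e.g. 4750 or 755), %G = group name
    mode=$(stat -c '%a' "$path")
    group=$(stat -c '%G' "$path")
    mode=$(printf '%04d' "$mode")   # pad so the special-bits digit is present

    special=${mode%???}             # first digit: setuid/setgid/sticky
    other=${mode#???}               # last digit: permissions for "other"

    # Setuid is the 4 bit of the special digit.
    case $special in
        4|5|6|7) ;;
        *) echo not-setuid; return 0 ;;
    esac

    # Execute for "other" is the 1 bit: with it set, every local user
    # can run the setuid binary, which is the flaw raised in the thread.
    case $other in
        1|3|5|7) echo world-executable; return 1 ;;
    esac

    # chmod 4750 only restricts access if the group is the intended one.
    if [ "$group" != "$want_group" ]; then
        echo wrong-group
        return 1
    fi
    echo restricted
}

# Stand-alone use: sh check.sh /usr/bin/dumpcap wireshark
if [ -n "${1:-}" ]; then
    classify_helper "$1" "${2:-wireshark}"
fi
```
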
