Hi, I'm experimenting with Suricata, but don't want to let suricata listen on a network interface, as it has to run as root. Suricata has user/group options, but they require libcap-ng. Looking around at what we have, I came across dumpcap.
So, put the _suricata user into the _wireshark group, and:

rcctl enable dumpcap
rcctl set dumpcap flags .....
rcctl set dumpcap user _suricata

dumpcap then happily runs as _suricata, and Suricata picks up and runs happily as the _suricata user as well. That lets me feel much more comfortable.

If someone has better ideas, I'm all ears.

Therefore I added an rcscript to the tshark package for dumpcap.

Any concerns, comments, or even OK?

cheers,
Sebastian

Index: Makefile =================================================================== RCS file: /cvs/ports/net/wireshark/Makefile,v retrieving revision 1.91 diff -u -r1.91 Makefile --- Makefile 23 May 2019 13:17:13 -0000 1.91 +++ Makefile 4 Jun 2019 08:05:39 -0000 @@ -10,6 +10,7 @@ DISTNAME = wireshark-$V PKGNAME-main = wireshark-$V PKGNAME-text = tshark-$V +REVISION-text = 0 SHARED_LIBS += wscodecs 1.0 SHARED_LIBS += wsutil 4.0 Index: pkg/PLIST-text =================================================================== RCS file: /cvs/ports/net/wireshark/pkg/PLIST-text,v retrieving revision 1.10 diff -u -r1.10 PLIST-text --- pkg/PLIST-text 1 Mar 2019 18:06:46 -0000 1.10 +++ pkg/PLIST-text 4 Jun 2019 08:05:39 -0000 @@ -1,5 +1,6 @@ @comment $OpenBSD: PLIST-text,v 1.10 2019/03/01 18:06:46 sthen Exp $ @newgroup _wireshark:735 +@rcscript ${RCDIR}/dumpcap @bin bin/capinfos @bin bin/captype @mode 4550 Index: pkg/dumpcap.rc =================================================================== RCS file: pkg/dumpcap.rc diff -N pkg/dumpcap.rc --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ pkg/dumpcap.rc 4 Jun 2019 08:05:39 -0000 @@ -0,0 +1,10 @@ +#!/bin/ksh +# +# $OpenBSD$ + +daemon="/usr/local/bin/dumpcap" +rc_bg=YES + +. /etc/rc.d/rc.subr + +rc_cmd $1
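Review bot: in the PLIST-text hunk, the new `@rcscript ${RCDIR}/dumpcap` line is placed directly under `@newgroup _wireshark:735`, ahead of the `@bin` entries; confirm that this is where `make update-plist` puts it so the PLIST keeps its canonical ordering. The `@mode 4550` context line also shows a set-uid binary that is executable only by its owner and group, which matches the mail's requirement that the account running the service be added to _wireshark; that dependency is worth stating in the commit message.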
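Review bot: the pkg/dumpcap.rc hunk sets no `daemon_flags` default, so the script only does something useful once the interface has been supplied with `rcctl set dumpcap flags ...` and the unprivileged account with `rcctl set dumpcap user ...`, exactly as the mail describes; a plain `rcctl enable dumpcap` would start dumpcap with no arguments under the default (root) user. Add a comment in the script or a pkg/README saying both must be set. Unless dumpcap does something sensible on SIGHUP, also consider `rc_reload=NO`, since the default reload action in rc.subr sends SIGHUP to the process.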