a70197a653
What this allows us to do is define a "dumpcap" setuid wrapper in NixOS and have wireshark use that instead of the non-setuid dumpcap binary that it normally uses. As far as I can tell, the code that is changed to do lookup in PATH is only used by wireshark/tshark to find dumpcap. dumpcap, the thing that's typically setuid, is not affected by this patch. wireshark and tshark should *not* be installed setuid, so the fact that they now do lookup in PATH is not a security concern. With this commit, and the following config, only "root" and users in the "wireshark" group will have access to capturing network traffic with wireshark/dumpcap: environment.systemPackages = [ pkgs.wireshark ]; security.setuidOwners = [ { program = "dumpcap"; owner = "root"; group = "wireshark"; setuid = true; setgid = false; permissions = "u+rx,g+x"; } ]; users.extraGroups.wireshark.gid = 500; (This wouldn't have worked before, because then wireshark would not use our setuid dumpcap binary.) |
||
---|---|---|
.. | ||
default.nix | ||
wireshark-lookup-dumpcap-in-path.patch |