tcpdump mailing list archives
Re: Capturing without having superuser rights
From: Damien ANCELIN <damien.ancelin () ens-lyon fr>
Date: Wed, 15 Oct 2008 17:49:05 +0200
I don't know POSIX capabilities, and they seem to be very interesting. I think it's a good first step, but I see a potential problem: if I give the CAP_NET_ADMIN capability to a user, he can do what he wants on all Ethernet interfaces, can't he? In my case, I have for example 1 interface used for capturing, and another one for accessing the machine. It would be annoying if a user could modify the settings of that access interface (changing its IP address, or putting it down). Do you know a way to give CAP_NET_ADMIN for a given interface, and not for the others?
Damien

Gerald Combs wrote:
> Under Linux you can use POSIX capabilities to capture as non-root. CAP_NET_RAW lets you capture, and CAP_NET_ADMIN lets you use promiscuous mode.
>
> Damien ANCELIN wrote:
>> To give you more information:
>> - "metrology platform" will be a computer that can be used by many users to capture packets (coming from a mirroring port of a switch).
>> - It's currently running on a Linux Debian.
>> It seems there is no common manner to do this in a simple way (I will have a look at that kernel patch).
>> Thanks for your help
>> Damien
>>
>> sthaug () nethelp no wrote:
>>>>> As I'm developing on libpcap to provide a metrology platform, I was wondering if there is a manner to enable a specific user (or a specific group) to capture from a network interface (even in promiscuous mode), without using sudo. I'm trying to do this with udev, but I'm not sure it can work. Does anybody have an idea?
>>>> Depends on the platform you are on. On FreeBSD all you need is read write permission to the /dev/bpf* devices.
>>> And for *capturing* you really only need read permission.
>>>
>>> Steinar Haug, Nethelp consulting, sthaug () nethelp no
>>> -
>>> This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
--
Damien ANCELIN
INRIA engineer - RESO research team
Tel : +33 4 72 72 87 95
LIP, ENS-LYON Bureau 352
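Added example, not part of the original messages or of tcpdump/libpcap: a shell sketch of the capability setup Gerald Combs describes, plus a check that a capture process holds only those two capabilities. The binary path and group passed to `grant_capture_caps` are assumptions; bits 12 and 13 are CAP_NET_ADMIN and CAP_NET_RAW in `<linux/capability.h>`.

```shell
#!/bin/sh
# Added example: least-privilege capture setup and audit on Linux.
# Capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# grant_capture_caps BINARY GROUP   (run as root; both arguments are assumptions)
# Only members of GROUP may execute BINARY, which then runs with the two
# capabilities named in the thread instead of full root.
# setcap goes last: changing a file's owner or group can clear file capabilities.
grant_capture_caps() {
    chgrp "$2" "$1" &&
    chmod 0750 "$1" &&
    setcap cap_net_raw,cap_net_admin=eip "$1" &&
    getcap "$1"
}

# proc_capeff PID: print the effective capability mask (hex) of a process.
proc_capeff() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# audit_capture_caps HEXMASK: classify a CapEff mask.
#   no-capture       CAP_NET_RAW is missing
#   excess           holds capabilities beyond the two capture ones
#   capture-only     CAP_NET_RAW only (no promiscuous mode, per the thread)
#   capture+promisc  CAP_NET_RAW and CAP_NET_ADMIN, nothing else
audit_capture_caps() {
    mask=$(( 0x$1 ))
    raw=$(( 1 << $CAP_NET_RAW ))
    admin=$(( 1 << $CAP_NET_ADMIN ))
    want=$(( raw | admin ))
    if [ $(( mask & raw )) -eq 0 ]; then
        echo "no-capture"
    elif [ $(( mask & ~want )) -ne 0 ]; then
        echo "excess"
    elif [ $(( mask & admin )) -eq 0 ]; then
        echo "capture-only"
    else
        echo "capture+promisc"
    fi
}
```

For a running capture process, `audit_capture_caps "$(proc_capeff PID)"` reports whether it is over-privileged; a process started through sudo shows up as `excess`.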