Re: Privileges on Mac

[Tobias Weber <mk0423 () towb de>]

On 01.04.2009, at 00:47, Guy Harris wrote:

> If you're talking about Authorization Services, they suggest using  
> set-UID programs

(that changed years ago, but no one uses the new way)

> A set-UID program that does what privileged stuff it needs to do  
> (opening a pcap_t,

(what I've seen is using libpcap in the helper tool only and remote  
controlling that from the GUI)

A pcap_t is too complex to pass from privileged to unpriviledged code.  
It's easy with a file descriptor, so it would be nice if libpcap could  
use one to make a pcap_t. Currently bpf_open(), and by extension  
pcap_open_live(), insists on calling open(2) directly.

> Wireshark already does that, for separation-of-privileges reasons  
> and for other reasons.

(it still requires changing permissions on the device for OS X)

PS list server silently stripped my attachement, so http://www.towb.de/tmp/auth.patch
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.