tcpdump mailing list archives

Re: Privileges on Mac


From: Guy Harris <guy () alum mit edu>
Date: Tue, 7 Apr 2009 12:52:00 -0700


On Apr 1, 2009, at 1:42 AM, Tobias Weber wrote:

On 01.04.2009, at 00:47, Guy Harris wrote:

A set-UID program that does what privileged stuff it needs to do (opening a pcap_t,

(what I've seen is using libpcap in the helper tool only and remote controlling that from the GUI)

Exactly - like dumpcap.

A pcap_t is too complex to pass from privileged to unprivileged code. It's easy with a file descriptor, so it would be nice if libpcap could use one to make a pcap_t.

That's insufficient to provide the full capabilities of libpcap to non-privileged users on all platforms. On Linux, for example, you also need privileges to enumerate network adapters. The program would need to perform other operations - possibly including cleaning up monitor mode when closing the device.

Wireshark already does that, for separation-of-privileges reasons and for other reasons.

(it still requires changing permissions on the device for OS X)

At least with a reasonably recent top-of-SVN-tree build, making dumpcap set-UID root appeared to work, even with BPF devices to which I don't have access.

