tcpdump mailing list archives

Re: Capturing without having superuser rights

From: Damien ANCELIN <damien.ancelin () ens-lyon fr>
Date: Wed, 15 Oct 2008 17:49:05 +0200

I doesn't know POSIX capabilities and it seems to be very interesting. Ithink it's a good first step, but I see a potential problem : if I giveCAP_NET_ADMIN capability to a user, he can do what he wants on allethernet interfaces, isn't it ? In my case, I have for example 1interface used for capturing, and an other one for accessing themachine. It would be annoying if a user can modify settings of thataccess interface (changing its IP address, or putting it down).Do you know a way to give CAP_NET_ADMIN for a given interface, and notfor the others ?


Damien

Gerald Combs a écrit :

Under Linux you can use POSIX capabilities to capture as non-root.
CAP_NET_RAW lets you capture, and CAP_NET_ADMIN lets you use promiscuous
mode.

Damien ANCELIN wrote:

To give you more informations :
- "metrology platform" will be a computer that can be used by many users
to capture packets (coming from a mirroring port of a switch).
- It's currently running on an linux debian.

It seems there is no common manner to do this in a simple way (I will
have a look on that kernel patch).

Thanks for your help
Damien

sthaug () nethelp no a écrit :

As I'm developping on libpcap to provide a metrology plateform, I was
wondering if there is a manner to enable a specific user (or a specific
group) to capture from a network interfaces (even in promiscuous mode),
without using sudo.
I'm trying to do this with udev, but I'm not shure it can works.

Does anybody have an idea ?

Depends on the platform you are on.  On FreeBSD all you need is read
write permission to the /dev/bpf* devices.

And for *capturing* you really only need read permission.

Steinar Haug, Nethelp consulting, sthaug () nethelp no
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.


-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.


--
Damien ANCELIN
INRIA engineer - RESO research team
Tel : +33 4 72 72 87 95
LIP, ENS-LYON
Bureau 352

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Current thread:

Capturing without having superuser rights Damien ANCELIN (Oct 14)
- Re: Capturing without having superuser rights Max Laier (Oct 14)
  - Re: Capturing without having superuser rights Robin Sommer (Oct 14)
  - Re: Capturing without having superuser rights sthaug (Oct 14)
    - Re: Capturing without having superuser rights Damien ANCELIN (Oct 15)
    - Re: Capturing without having superuser rights Gerald Combs (Oct 15)
    - Re: Capturing without having superuser rights Damien ANCELIN (Oct 15)
  - Re: Capturing without having superuser rights Guy Harris (Oct 15)
    - Re: Capturing without having superuser rights Jesse Kempf (Oct 15)
- Re: Capturing without having superuser rights Michael Richardson (Oct 14)