tcpdump mailing list archives

Re: Privileges on Mac


From: Guy Harris <guy () alum mit edu>
Date: Tue, 31 Mar 2009 15:47:15 -0700


On Mar 31, 2009, at 2:42 PM, Tobias Weber wrote:

> libpcap comes with Mac OS, but to use it from GUI applications without changing permissions in /dev is complicated.

Nothing unique about Mac OS X here - the situation on *BSD is the same (not surprisingly, as *BSD and Mac OS X both use BPF), and it's a bit uglier on Linux (as the "change permissions" option isn't available).

There's also nothing unique about GUI apps, either - you probably don't want to run tcpdump as root.

> The OS includes a helper tool which can ask the user for credentials and return a file descriptor opened with root rights.

If you're talking about Authorization Services, they suggest using set-UID programs in at least some places in the documentation.

A set-UID program that does what privileged stuff it needs to do (opening a pcap_t, enumerating devices - that's privileged on Linux - etc.), and then gives up its privileges, which the GUI program uses to do the low-level work, is an alternative. (Wireshark already does that, for separation-of-privileges reasons and for other reasons.)
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
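
The pattern described in the reply above (do the privileged open first, then give up privileges before any other work), as an added example that is not part of the original message and is not tcpdump or Wireshark code. It assumes a set-UID-root helper and uses a plain `open()` as a stand-in for opening a `pcap_t`; the function names and the `/dev/bpf0` default are illustrative.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop set-UID/set-GID privileges. Returns 0 on success, -1 on failure.
 * Assumes set-UID root: setuid() resets the real, effective and saved UIDs
 * together only when the effective UID is 0. Supplementary groups are already
 * the invoking user's in a set-UID program, so they are left alone. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Group first: once the UID is dropped we may not be allowed to change it. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Fail closed if the old IDs can still be regained (saved ID not cleared). */
    if (euid != ruid && setuid(euid) == 0)
        return -1;
    if (egid != rgid && setgid(egid) == 0)
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Open the capture device while privileged, then drop privileges before
 * touching any packet data. Returns the descriptor, or -1 on any failure. */
int open_capture_then_drop(const char *dev_path)
{
    int fd = open(dev_path, O_RDONLY);   /* the only privileged step */
    if (drop_privileges() != 0) {
        if (fd >= 0)
            close(fd);
        return -1;                       /* never continue with privileges held */
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* /dev/bpf0 is a BPF device node on *BSD and Mac OS X (assumed default). */
    const char *dev = argc > 1 ? argv[1] : "/dev/bpf0";
    int fd = open_capture_then_drop(dev);
    printf("uid=%d euid=%d fd=%d\n", (int)getuid(), (int)geteuid(), fd);
    if (fd < 0)
        return 1;
    close(fd);   /* capture and parsing would run here, unprivileged */
    return 0;
}
```
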

