path: root/pkgs/development/python-modules/GitPython/hardcode-git-path.patch
author: Bjørn Forsman <bjorn.forsman@gmail.com>, 2014-04-13 17:06:00 +0200
committer: Bjørn Forsman <bjorn.forsman@gmail.com>, 2014-04-22 21:33:11 +0200
commit: a70197a6536be79c2e9318332d9435e668954837
tree: 70dcf0fc5085b2fd96ae69673d9236be8c446a9d /pkgs/development/python-modules/GitPython/hardcode-git-path.patch
parent: cbd4650a1ad143bca4b10bd49e93a39a2e1eee85
wireshark: add patch to lookup "dumpcap" in PATH

What this allows us to do is define a "dumpcap" setuid wrapper in NixOS
and have wireshark use that instead of the non-setuid dumpcap binary
that it normally uses.

As far as I can tell, the code that is changed to do lookup in PATH is
only used by wireshark/tshark to find dumpcap. dumpcap, the thing that's
typically setuid, is not affected by this patch. wireshark and tshark
should *not* be installed setuid, so the fact that they now do lookup in
PATH is not a security concern.

With this commit, and the following config, only "root" and users in the
"wireshark" group will have access to capturing network traffic with
wireshark/dumpcap:

  environment.systemPackages = [ pkgs.wireshark ];

  security.setuidOwners = [
    { program = "dumpcap";
      owner = "root";
      group = "wireshark";
      setuid = true;
      setgid = false;
      permissions = "u+rx,g+x";
    }
  ];

  users.extraGroups.wireshark.gid = 500;

(This wouldn't have worked before, because then wireshark would not use
our setuid dumpcap binary.)
Diffstat (limited to 'pkgs/development/python-modules/GitPython/hardcode-git-path.patch')
0 files changed, 0 insertions, 0 deletions
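
The access policy in the commit message can be checked on a deployed system. The script below is an added example, not part of the commit or of nixpkgs. The function names are hypothetical, it assumes GNU stat, and it assumes the permission string "u+rx,g+x" is applied to a file with no other permission bits, so that the expected mode is 4510.

```shell
#!/bin/sh
# Added example: audit a dumpcap wrapper against the policy in the commit
# message (owner root, group wireshark, setuid, no setgid, "u+rx,g+x").
# Assumption: the resulting mode is exactly 4510.

# check_wrapper_policy MODE OWNER GROUP
# MODE is octal as printed by `stat -c %a`. Prints one line per deviation
# and returns non-zero if any deviation was found.
check_wrapper_policy() {
    mode=$1; owner=$2; group=$3; rc=0
    case $mode in
        ''|*[!0-7]*) echo "unparseable mode: $mode"; return 2 ;;
    esac
    bits=$((0$mode))   # leading 0 makes the shell read the value as octal
    [ "$owner" = root ] || { echo "owner is $owner, expected root"; rc=1; }
    [ "$group" = wireshark ] || { echo "group is $group, expected wireshark"; rc=1; }
    [ $((bits & 04000)) -ne 0 ] || { echo "setuid bit is not set"; rc=1; }
    [ $((bits & 02000)) -eq 0 ] || { echo "setgid bit is set, policy says setgid = false"; rc=1; }
    # Any bit for "others" lets users outside the wireshark group reach dumpcap.
    [ $((bits & 0007)) -eq 0 ] || { echo "others have access to the wrapper"; rc=1; }
    [ $((bits & 0222)) -eq 0 ] || { echo "wrapper is writable"; rc=1; }
    [ $((bits & 0010)) -ne 0 ] || { echo "group cannot execute the wrapper"; rc=1; }
    return $rc
}

# audit_wrapper PATH: read the live mode, owner and group, then apply the policy.
audit_wrapper() {
    meta=$(stat -c '%a %U %G' "$1") || return 2
    set -- $meta
    check_wrapper_policy "$1" "$2" "$3"
}

# When run with a path argument, audit that file; with no argument, do nothing.
[ $# -eq 0 ] || audit_wrapper "$1"
```

Pass the path of the installed wrapper as the only argument. The exit status is 0 when the file matches the policy.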