nixos: add programs.wireshark option #22882
Conversation
@bjornfor, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @joachifm and @offlinehacker to be potential reviewers.
Wonderful! This is exactly what I set up manually. Would much rather just do
I've changed this to use the setcap wrapper but this removes the possibility to add users to a group to allow this, what do you think?
@globin: What are the effects of that change? Less damage if dumpcap gets compromised, at the expense of allowing everyone on the system to monitor the packets? Would it be possible to use capabilities and give access only to the 'wireshark' group? (I really like the 'wireshark' group feature.)
To be able to use Wireshark as an ordinary user, the 'dumpcap' program must be installed setuid root. This module simplifies such a configuration to simply: programs.wireshark.enable = true; The setuid wrapper is available for users in the 'wireshark' group. Changes v1 -> v2: - add "defaultText" to the programs.wireshark.package option (AFAIK, that prevents the manual from being needlessly rebuilt when the package changes)
Added support for setting permissions on setcap wrappers and set the permissions accordingly on wireshark. We don't need a static uid/gid as there is no data associated to them. Are you fine with this?
@globin Without static gid this would break with
I'm quite sure gids never change on a rebuild, so this should work? I thought the problem was moving data from one machine to another and then not having deterministic uids/gids for the service the data belongs to?
Funny, I remember that I needed to set fixed
For what it's worth, I've been successfully using just But it should be mentioned that I don't use
We can always still add it if something breaks, in the worst case one cannot execute wireshark without being root which is what we have right now :)
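The two wrapper styles debated above, as an added illustration and not the PR's own module code: a setuid-root dumpcap next to a capability-bearing wrapper whose permissions restrict it to the 'wireshark' group. The `security.wrappers` attribute names, the capability string and the `alice` user are assumptions about the NixOS module system of the time, not taken from the PR.

```nix
# Added example, not from the PR. Assumes the NixOS `security.wrappers`
# option with `source`, `setuid`, `owner`, `group`, `capabilities` and
# `permissions` attributes, and the package reachable as `pkgs.wireshark`.
{ pkgs, ... }:

{
  # Weak form (commented out, shown only for contrast): dumpcap runs as
  # uid 0. Any bug in dumpcap reachable by a group member yields root,
  # and a world-executable wrapper would let every local user capture.
  #
  # security.wrappers.dumpcap = {
  #   source = "${pkgs.wireshark}/bin/dumpcap";
  #   setuid = true;
  #   owner  = "root";
  #   group  = "wireshark";
  #   permissions = "u+rx,g+x";
  # };

  # Hardened form: grant only the two capabilities packet capture needs.
  # The process keeps the caller's uid, so a compromised dumpcap can
  # sniff traffic but cannot read or write root-owned files. With no
  # "other" bits, users outside the group get EACCES on the wrapper.
  security.wrappers.dumpcap = {
    source       = "${pkgs.wireshark}/bin/dumpcap";
    capabilities = "cap_net_raw,cap_net_admin+eip";
    owner        = "root";
    group        = "wireshark";
    permissions  = "u+rx,g+x";
  };

  # The group that gates capture; membership is the access-control knob.
  users.groups.wireshark = { };
  users.users.alice.extraGroups = [ "wireshark" ];  # hypothetical user
}
```

After a rebuild, `getcap` on the wrapper and `ls -l` on it are the two checks that confirm the capability set and the group-only execute bits took effect.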
Motivation for this change
To be able to use Wireshark as an ordinary user, the 'dumpcap' program
must be installed setuid root. This module simplifies such a
configuration to simply:
The setuid wrapper is available for users in the 'wireshark' group.
Things done
- (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
- nix-shell -p nox --run "nox-review wip"
- ./result/bin/