Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos: add programs.wireshark option #22882

Merged
merged 3 commits into from Feb 20, 2017
Merged

nixos: add programs.wireshark option #22882

merged 3 commits into from Feb 20, 2017

Conversation

bjornfor
Copy link
Contributor

Motivation for this change

To be able to use Wireshark as an ordinary user, the 'dumpcap' program
must be installed setuid root. This module module simplifies such a
configuration to simply:

programs.wireshark.enable = true;

The setuid wrapper is available for users in the 'wireshark' group.

Things done
  • Tested using sandboxing
    (nix.useSandbox on NixOS,
    or option build-use-sandbox in nix.conf
    on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@mention-bot
Copy link

@bjornfor, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @joachifm and @offlinehacker to be potential reviewers.

@rycee
Copy link
Member

rycee commented Feb 16, 2017

Wonderful! This is exactly what I set up manually. Would much rather just do programs.wireshark.enable = true; 👍

@globin
Copy link
Member

globin commented Feb 17, 2017

I've changed this to use the setcap wrapper but this removes the possibility to add users to a group to allow this, what do you think?

@bjornfor
Copy link
Contributor Author

@globin: What are the effects of that change? Less damage if dumpcap gets compromised, at the expense of allowing everyone on the system to monitor the packets? Would it be possible to use capabilities and give access only to the 'wireshark' group? (I really like the 'wireshark' group feature.)

globin and others added 3 commits February 17, 2017 15:42
@globin
setcapWrapper: add support for setting permissions
070825d
@bjornfor @globin
nixos: add programs.wireshark option
8f3e6fd 
To be able to use Wireshark as an ordinary user, the 'dumpcap' program
must be installed setuid root. This module module simplifies such a
configuration to simply:

  programs.wireshark.enable = true;

The setuid wrapper is available for users in the 'wireshark' group.

Changes v1 -> v2:
  - add "defaultText" to the programs.wireshark.package option (AFAIK,
    that prevents the manual from being needlessly rebuilt when the
    package changes)
@globin
programs.wireshark: use setcap wrapper
7ec5faa
@globin
Copy link
Member

globin commented Feb 17, 2017

Added support for setting permissions on setcap wrappers and set the permissions accordingly on wireshark. We don't need a static uid/gid as there is no data associated to them.

Are you fine with this?

@abbradar
Copy link
Member

@globin Without statid gid this would break with users.mutableUsers = false; (if I remember correctly, that is).

@globin
Copy link
Member

globin commented Feb 20, 2017

I'm quite sure gids never change on a rebuild, so this should work? I thought the problem was moving data from one machine to another and then not having deterministic uids/gids for the service the data belongs to?

@abbradar
Copy link
Member

Funny, I remember that I needed to set fixed gids when I moved to mutableUsers = false but I don't see any such restriction now in the code. If it works then 👍!

@rycee
Copy link
Member

rycee commented Feb 20, 2017
edited

For what it's worth, I've been successfully using just users.extraGroups.wireshark = {}; without any explicit group ID for quite some time on my system, also inside nixos-container instances.

But it should be mentioned that I don't use mutableUsers = false.

@globin
Copy link
Member

globin commented Feb 20, 2017

We can always still add it if something breaks, in the worst case one cannot execute wireshark without being root which is what we have right now :)

@globin globin merged commit 12b4556 into NixOS:master Feb 20, 2017
@bjornfor bjornfor deleted the wireshark branch February 20, 2017 13:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
0.kind: enhancement 6.topic: nixos 8.has: module (new)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@bjornfor @mention-bot @rycee @globin @abbradar