lol

programs.wireshark: use setcap wrapper

+5 -22
-2
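--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -288,7 +288,6 @@
 kresd = 270;
 rpc = 271;
 geoip = 272;
-#wireshark = 273; # unused
 
 # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -546,7 +545,6 @@
 kresd = 270;
 #rpc = 271; # unused
 #geoip = 272; # unused
-wireshark = 273;
 
 # When adding a gid, make sure it doesn't match an existing
 # uid. Users and groups with the same name should have equal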
+5 -20
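--- a/nixos/modules/programs/wireshark.nix
+++ b/nixos/modules/programs/wireshark.nix
@@ -3,27 +3,19 @@
 with lib;
 
 let
-
 cfg = config.programs.wireshark;
 wireshark = cfg.package;
-
-in
-
-{
-
+in {
 options = {
-
 programs.wireshark = {
-
 enable = mkOption {
 type = types.bool;
 default = false;
 description = ''
 Whether to add Wireshark to the global environment and configure a
-setuid wrapper for 'dumpcap' for users in the 'wireshark' group.
+setcap wrapper for 'dumpcap' for users in the 'wireshark' group.
 '';
 };
-
 package = mkOption {
 type = types.package;
 default = pkgs.wireshark-cli;
@@ -32,26 +24,19 @@
 Which Wireshark package to install in the global environment.
 '';
 };
-
 };
-
 };
 
 config = mkIf cfg.enable {
-
 environment.systemPackages = [ wireshark ];
-
+users.extraGroups.wireshark = {};
+
 security.wrappers.dumpcap = {
 source = "${wireshark}/bin/dumpcap";
+capabilities = "cap_net_raw+p";
 owner = "root";
 group = "wireshark";
-setuid = true;
-setgid = false;
 permissions = "u+rx,g+x";
 };
-
-users.extraGroups.wireshark.gid = config.ids.gids.wireshark;
-
 };
-
 }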
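Review bot: The new `capabilities = "cap_net_raw+p";` line in the `security.wrappers.dumpcap` block grants CAP_NET_RAW in the permitted set only, so capture works only if the dumpcap binary raises it to effective itself; as far as I recall it does that only when built with libcap support, which this module does not check against `cfg.package`, so a comment stating that assumption would help. Wireshark's own capture-privileges guidance pairs CAP_NET_RAW with CAP_NET_ADMIN for dumpcap (interface listing and promiscuous mode), so members of the group may still see permission errors on some operations with this wrapper; either document why cap_net_raw alone is sufficient for the supported package, or use the documented set `capabilities = "cap_net_raw,cap_net_admin=eip";`. Replacing the fixed gid with `users.extraGroups.wireshark = {};` is consistent with the ids.nix removal in this commit, but the option description could mention that the group is now dynamically allocated so admins who reference the gid elsewhere are not surprised.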