lol

programs.wireshark: use setcap wrapper

+5 -22
-2
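--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -288,7 +288,6 @@
 kresd = 270;
 rpc = 271;
 geoip = 272;
-#wireshark = 273; # unused
 
 # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -546,7 +545,6 @@
 kresd = 270;
 #rpc = 271; # unused
 #geoip = 272; # unused
-wireshark = 273;
 
 # When adding a gid, make sure it doesn't match an existing
 # uid. Users and groups with the same name should have equal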
+5 -20
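--- a/nixos/modules/programs/wireshark.nix
+++ b/nixos/modules/programs/wireshark.nix
@@ -3,27 +3,19 @@
 with lib;
 
 let
-
 cfg = config.programs.wireshark;
 wireshark = cfg.package;
-
-in
-
-{
-
+in {
 options = {
-
 programs.wireshark = {
-
 enable = mkOption {
 type = types.bool;
 default = false;
 description = ''
 Whether to add Wireshark to the global environment and configure a
-setuid wrapper for 'dumpcap' for users in the 'wireshark' group.
+setcap wrapper for 'dumpcap' for users in the 'wireshark' group.
 '';
 };
-
 package = mkOption {
 type = types.package;
 default = pkgs.wireshark-cli;
@@ -32,26 +24,19 @@
 Which Wireshark package to install in the global environment.
 '';
 };
-
 };
-
 };
 
 config = mkIf cfg.enable {
-
 environment.systemPackages = [ wireshark ];
-
+users.extraGroups.wireshark = {};
+
 security.wrappers.dumpcap = {
 source = "${wireshark}/bin/dumpcap";
+capabilities = "cap_net_raw+p";
 owner = "root";
 group = "wireshark";
-setuid = true;
-setgid = false;
 permissions = "u+rx,g+x";
 };
-
-users.extraGroups.wireshark.gid = config.ids.gids.wireshark;
-
 };
-
 }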
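Review bot: The `security.wrappers.dumpcap` block and the `enable` description do not say what membership of the `wireshark` group now grants. With `capabilities = "cap_net_raw+p"` and `permissions = "u+rx,g+x"`, any group member can run dumpcap with CAP_NET_RAW and so read traffic visible to the host. I would add a sentence to the description such as `Members of the 'wireshark' group can capture traffic on this host's interfaces.` and a comment above the capability line, `# CAP_NET_RAW only; dumpcap no longer runs as root`. Wireshark's own setup notes also mention CAP_NET_ADMIN for some capture modes, so if it is left out on purpose as least privilege, the comment should record that. Separately, `users.extraGroups.wireshark = {}` no longer pins a gid, so it is worth confirming that hosts which already have the group at gid 273 keep it after the upgrade.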