[91258] trunk/dports/net/wireshark/Portfile
Clemens Lang
cal at macports.org
Tue Mar 27 16:06:57 PDT 2012
Hi,
On Tue, Mar 27, 2012 at 01:10:12PM -0700, ricci at macports.org wrote:
> wireshark: remove potentially dangerous "notes"
>
> -notes "To allow non-root users capturing packages, make sure your $prefix/bin/dumpcap is owned by root\
> - and give it the setuid-mode-bit: chmod +s $prefix/bin/dumpcap. Warning: Every user that is able\
> - to execute this program will be able to capture any traffic into, out of and bypassing your\
> - machine. Consider creating a group and only allowing users in this group to execute this binary."
(1) I have added the very same note to the wireshark-devel port. If it's
removed in wireshark it should also be removed in wireshark-devel.
(2) Could you elaborate on why you consider a note (with an explicit
warning) explaining what some distributions (e.g. Debian, Ubuntu, Arch
Linux) provide semi-automatized dangerous? Also note the wireshark
project actually lists this method [1] as one of the possibilities to
allow running the wireshark GUI with the ability to capture packages
[2].
IMHO, if this note prevents any uninformed user from running wireshark
as root it has done more good than evil and also provides a better user
experience for people installing the wireshark port.
[1] http://wiki.wireshark.org/CaptureSetup/CapturePrivileges
[2] I'm aware they list a different suggestion for OS X, but I consider
setuid on dumpcap the less intrusive method compared to changing
permissions in /dev.
--
Clemens Lang
More information about the macports-dev
mailing list