Linux naturally restricts all but superuser from pulling traffic directly from network adapters. In the case of Wireshark/dumpcap, setuid root is used ONLY for dumpcap, restricting the privileges needed for Wireshark run by the user:
Wireshark has implemented Privilege Separation which means that the Wireshark GUI (or the tshark CLI) can run as a normal user while the dumpcap capture utility runs as root. This can be achieved by installing dumpcap setuid root. The advantage of this solution is that while dumpcap is run as root the vast majority of Wireshark's code is run as a normal user (where it can do much less damage).
In the case of node_pcap , a similar issue occurs: the node.js process needs superuser to listen to the adapter, but that's a poor choice.
What's a sensible way to give a node process just enough privilege to capture packets and nothing else outside of the account running it?
Aucun commentaire:
Enregistrer un commentaire