On Thu, Mar 01, 2012 at 09:28:47PM +0100, Carlos E. R. wrote:
On 2012-03-01 16:18, Roger Oberholtzer wrote:
On Thu, 2012-03-01 at 15:34 +0100, Carlos E. R. wrote:
You can probably suid the binary.
Yikes. To get perhaps one root capability, you give the application the world. Quite generous. As they say, with great power comes great responsibility. I just don't trust the general non-buggy-ness of things. Fine-grained permissions seem a bit more secure.
There is no other way of running it, and this is the kernel's fault.
Perhaps it could be made a two part program: a small one running as root and doing the capturing part, and another doing the gui and processing. But this doesn't exist.
And now and then security holes have been found in wireshark.
Read up on filesystem capabilities here. ...
Basically attributes added within the filesystem that only give some of the capabilities.
But wireshark as an X client really shouldn't be setuid root. If you need it, "su", "sudo" or "ssh -X root@localhost" to run it.
Ciao, Marcus
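Added example, not part of the original thread: the filesystem capabilities mentioned above are stored in a file's security.capability extended attribute, and this decoder shows exactly which capabilities such a value grants, which is what you would check when auditing a binary instead of trusting it with setuid root. The sample value is constructed and assumes a capture binary given only cap_net_admin and cap_net_raw; the function and variable names are illustrative.

```python
import struct

# Capability bit numbers 0..40, in the order of <linux/capability.h>.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
# revision -> (number of 32-bit permitted/inheritable pairs, total xattr size)
REVISIONS = {0x01000000: (1, 12), 0x02000000: (2, 20), 0x03000000: (2, 24)}

def cap_names(mask):
    """Turn a capability bitmask into a list of cap_* names, lowest bit first."""
    found = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            name = CAP_NAMES[bit] if bit < len(CAP_NAMES) else str(bit)
            found.append("cap_" + name)
    return found

def decode_file_caps(xattr):
    """Decode the raw value of a file's security.capability xattr."""
    if len(xattr) < 4:
        raise ValueError("truncated security.capability value")
    (magic_etc,) = struct.unpack_from("<I", xattr, 0)
    rev = REVISIONS.get(magic_etc & VFS_CAP_REVISION_MASK)
    if rev is None or len(xattr) != rev[1]:
        raise ValueError("unknown revision or wrong length")
    pairs = rev[0]
    words = struct.unpack_from("<%dI" % (2 * pairs), xattr, 4)
    # Each pair is (permitted, inheritable); pair i holds bits 32*i .. 32*i+31.
    permitted = sum(words[2 * i] << (32 * i) for i in range(pairs))
    inheritable = sum(words[2 * i + 1] << (32 * i) for i in range(pairs))
    return {"effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": cap_names(permitted),
            "inheritable": cap_names(inheritable)}

# Constructed sample: revision 2, effective flag set, permitted = bits 12 and 13.
SAMPLE_XATTR = struct.pack("<5I", 0x02000001, (1 << 12) | (1 << 13), 0, 0, 0)

if __name__ == "__main__":
    print(decode_file_caps(SAMPLE_XATTR))
```

On a live system the raw value can be read with os.getxattr(path, "security.capability") and passed to decode_file_caps unchanged.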