a70197a653
What this allows us to do is define a "dumpcap" setuid wrapper in NixOS and have wireshark use that instead of the non-setuid dumpcap binary that it normally uses. As far as I can tell, the code that is changed to do lookup in PATH is only used by wireshark/tshark to find dumpcap. dumpcap, the thing that's typically setuid, is not affected by this patch. wireshark and tshark should *not* be installed setuid, so the fact that they now do lookup in PATH is not a security concern. With this commit, and the following config, only "root" and users in the "wireshark" group will have access to capturing network traffic with wireshark/dumpcap: environment.systemPackages = [ pkgs.wireshark ]; security.setuidOwners = [ { program = "dumpcap"; owner = "root"; group = "wireshark"; setuid = true; setgid = false; permissions = "u+rx,g+x"; } ]; users.extraGroups.wireshark.gid = 500; (This wouldn't have worked before, because then wireshark would not use our setuid dumpcap binary.)
63 lines
1.8 KiB
Nix
63 lines
1.8 KiB
Nix
{ stdenv, fetchurl, pkgconfig, perl, flex, bison, libpcap, libnl, c-ares
|
|
, gnutls, libgcrypt, geoip, heimdal, lua5, gtk, makeDesktopItem, python
|
|
, libcap
|
|
}:
|
|
|
|
let version = "1.11.2"; in
|
|
|
|
stdenv.mkDerivation {
|
|
name = "wireshark-${version}";
|
|
|
|
src = fetchurl {
|
|
url = "mirror://sourceforge/wireshark/wireshark-${version}.tar.bz2";
|
|
sha256 = "077hjnmqn44s8dx3pc38bxps5liicjnhzrnf6ky2x60m2cp7ngr3";
|
|
};
|
|
|
|
buildInputs = [
|
|
bison flex perl pkgconfig libpcap lua5 heimdal libgcrypt gnutls
|
|
geoip libnl c-ares gtk python libcap
|
|
];
|
|
|
|
patches = [ ./wireshark-lookup-dumpcap-in-path.patch ];
|
|
|
|
preConfigure = ''
|
|
sed -re 's/g_memmove/memmove/' -i $(grep -rl g_memmove .)
|
|
'';
|
|
|
|
configureFlags = "--disable-usr-local --disable-silent-rules --with-gtk2 --without-gtk3 --without-qt --with-ssl";
|
|
|
|
desktopItem = makeDesktopItem {
|
|
name = "Wireshark";
|
|
exec = "wireshark";
|
|
icon = "wireshark";
|
|
comment = "Powerful network protocol analysis suite";
|
|
desktopName = "Wireshark";
|
|
genericName = "Network packet analyzer";
|
|
categories = "Network;System";
|
|
};
|
|
|
|
postInstall = ''
|
|
mkdir -p "$out"/share/applications/
|
|
mkdir -p "$out"/share/icons/
|
|
cp "$desktopItem/share/applications/"* "$out/share/applications/"
|
|
cp image/wsicon.svg "$out"/share/icons/wireshark.svg
|
|
'';
|
|
|
|
enableParallelBuilding = true;
|
|
|
|
meta = {
|
|
homepage = http://www.wireshark.org/;
|
|
description = "a powerful network protocol analyzer";
|
|
license = stdenv.lib.licenses.gpl2;
|
|
|
|
longDescription = ''
|
|
Wireshark (formerly known as "Ethereal") is a powerful network
|
|
protocol analyzer developed by an international team of networking
|
|
experts. It runs on UNIX, OS X and Windows.
|
|
'';
|
|
|
|
platforms = stdenv.lib.platforms.linux;
|
|
maintainers = with stdenv.lib.maintainers; [ simons bjornfor ];
|
|
};
|
|
}
|