nixpkgs/pkgs/applications/networking/sniffers/wireshark/default.nix
Bjørn Forsman a70197a653 wireshark: add patch to lookup "dumpcap" in PATH
What this allows us to do is define a "dumpcap" setuid wrapper in NixOS
and have wireshark use that instead of the non-setuid dumpcap binary
that it normally uses.

As far as I can tell, the code that is changed to do lookup in PATH is
only used by wireshark/tshark to find dumpcap. dumpcap, the thing that's
typically setuid, is not affected by this patch. wireshark and tshark
should *not* be installed setuid, so the fact that they now do lookup in
PATH is not a security concern.

With this commit, and the following config, only "root" and users in the
"wireshark" group will have access to capturing network traffic with
wireshark/dumpcap:

  environment.systemPackages = [ pkgs.wireshark ];
  security.setuidOwners = [
    { program = "dumpcap";
      owner = "root";
      group = "wireshark";
      setuid = true;
      setgid = false;
      permissions = "u+rx,g+x";
    }
  ];
  users.extraGroups.wireshark.gid = 500;

(This wouldn't have worked before, because then wireshark would not use
our setuid dumpcap binary.)
2014-04-22 21:33:11 +02:00

63 lines
1.8 KiB
Nix

{ stdenv, fetchurl, pkgconfig, perl, flex, bison, libpcap, libnl, c-ares
, gnutls, libgcrypt, geoip, heimdal, lua5, gtk, makeDesktopItem, python
, libcap
}:
let version = "1.11.2"; in
stdenv.mkDerivation {
name = "wireshark-${version}";
src = fetchurl {
url = "mirror://sourceforge/wireshark/wireshark-${version}.tar.bz2";
sha256 = "077hjnmqn44s8dx3pc38bxps5liicjnhzrnf6ky2x60m2cp7ngr3";
};
buildInputs = [
bison flex perl pkgconfig libpcap lua5 heimdal libgcrypt gnutls
geoip libnl c-ares gtk python libcap
];
patches = [ ./wireshark-lookup-dumpcap-in-path.patch ];
preConfigure = ''
sed -re 's/g_memmove/memmove/' -i $(grep -rl g_memmove .)
'';
configureFlags = "--disable-usr-local --disable-silent-rules --with-gtk2 --without-gtk3 --without-qt --with-ssl";
desktopItem = makeDesktopItem {
name = "Wireshark";
exec = "wireshark";
icon = "wireshark";
comment = "Powerful network protocol analysis suite";
desktopName = "Wireshark";
genericName = "Network packet analyzer";
categories = "Network;System";
};
postInstall = ''
mkdir -p "$out"/share/applications/
mkdir -p "$out"/share/icons/
cp "$desktopItem/share/applications/"* "$out/share/applications/"
cp image/wsicon.svg "$out"/share/icons/wireshark.svg
'';
enableParallelBuilding = true;
meta = {
homepage = http://www.wireshark.org/;
description = "a powerful network protocol analyzer";
license = stdenv.lib.licenses.gpl2;
longDescription = ''
Wireshark (formerly known as "Ethereal") is a powerful network
protocol analyzer developed by an international team of networking
experts. It runs on UNIX, OS X and Windows.
'';
platforms = stdenv.lib.platforms.linux;
maintainers = with stdenv.lib.maintainers; [ simons bjornfor ];
};
}