Author: Alessandro Selli
Date:  
To: dng
Subject: Re: [DNG] Etherape's permissions and Linux Capabilities
On 03/10/18 at 01:34, Alessandro Selli wrote:
> On 19/09/18 at 18:47, Alessandro Selli wrote:
>> On 19/09/18 at 14:07, m712 wrote:
>>> On September 18, 2018 1:31:56 PM GMT+03:00, Alessandro Selli <alessandroselli@???> wrote:
>>>>   Hello,
>>>>
>>>>     I recently installed etherape 0.9.13-1+b1 and found out it could not
>>>> do anything when run as an unprivileged user:
>>>>
>>>>
>>>> Error opening eth0 : eth0: You don't have permission to capture on that
>>>> device (socket: Operation not permitted) - perhaps you need to be root?
>>>>
>>>>
>>>>   I could find an "EtherApe (as root)" menu item in my desktop's menu
>>>> under System, but it asks for the superuser's password and I don't like
>>>> that.
>>>>
>>>>   I then ran the following command as root:
>>>>
>>>>
>>>> setcap CAP_NET_RAW=pe /usr/bin/etherape
>>>>
>>>>
>>>>   And I can now run etherape as a regular user without entering the
>>>> superuser's password or setting the binary SUID root.
>>>>
>>>>   Could this be made a default setting at package installation, or at
>>>> least could there be some reference to this setting in the package info
>>>> and/or in the command man page?
>>> I agree that this should be a package default, not just here but on Debian's side too. Would you like to contact the maintainer or should I?
>>>
>>>            m712
>>   For once I'll put aside my laziness and do it myself.  ☺
>>
>>  Thank you anyway.
>>
>>
>> Alessandro
>   OK, Debian package maintainer Frederic Peters asked me to open a new
> bug.  It is bug #910117:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910117
>
>
>   Bye



  They threw it out of the window:


tag #910117 + wontfix
thanks



 From: Patrick_Matthäi <pmatthaei@???>


> On 04.10.2018 at 09:43, Laurent Bigonville wrote:


>> My 2¢ here, but su-to-root requires the user to enter the root
>> password of the machine.
>>
>> Adding the capability to the file, will allow any user to run etherape
>> and get information about the network traffic.
>>
>> Isn't that a bigger security issue to allow this by default?
> Hi,
> yes it is and that would be a blocking bug.
> Users should do it on their own, if they think this is correct in their
> scenario. Else etherape would be a trojan sniffer



  To me a sniffer is a program that can capture and analyze packets'
contents, which in my understanding etherape does not do, as it just
represents graphically TCP/IP connections, data that could be displayed
with ss or netstat, plus traffic volume information.

  But maybe it could, and that's the point about not installing it with
capabilities set.

  Oh well, whatever.



--
Alessandro Selli <alessandroselli@???>
Tel. 3701355486
VOIP SIP: dhatarattha@???
PGP/GPG signing and encoding key:
BA651E4050DDFC31E17384BABCE7BD1A1B0DF2AE
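
An added example, not part of any message in this thread: an audit check for the concern raised in the bug discussion, namely that a file capability such as `CAP_NET_RAW=pe` on a world-executable binary lets any local user exercise it. It decodes the `security.capability` extended attribute that `setcap` writes (the kernel's `struct vfs_cap_data`, revisions 2 and 3); the function names, the sample bytes and the 0750 mode are constructed for illustration.

```python
import os
import stat
import struct

# Constants from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000   # same layout plus a trailing rootid field
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
CAP_NET_RAW = 13

# Constructed sample: the xattr value corresponding to CAP_NET_RAW=pe
SAMPLE_XATTR = struct.pack(
    "<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << CAP_NET_RAW, 0, 0, 0)

def decode_file_caps(xattr: bytes) -> dict:
    """Decode a v2/v3 security.capability value into its capability sets."""
    if len(xattr) < 4:
        raise ValueError("xattr too short")
    (magic,) = struct.unpack_from("<I", xattr, 0)
    rev = magic & VFS_CAP_REVISION_MASK
    expected = {VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}.get(rev)
    if expected is None or len(xattr) != expected:
        raise ValueError(f"unsupported or malformed xattr (revision {rev:#x})")
    # Layout: magic, then {permitted, inheritable} for the low and high 32 bits
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<4I", xattr, 4)
    return {
        "permitted": p_lo | (p_hi << 32),
        "inheritable": i_lo | (i_hi << 32),
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
    }

def any_user_gets_net_raw(xattr: bytes, mode: int) -> bool:
    """True if the file grants effective CAP_NET_RAW and 'other' may execute it.

    Simplification: only the mode bits are checked, not ACLs or parent
    directory permissions.
    """
    caps = decode_file_caps(xattr)
    has_raw = caps["effective"] and bool((caps["permitted"] >> CAP_NET_RAW) & 1)
    return has_raw and bool(mode & stat.S_IXOTH)

if __name__ == "__main__":
    path = "/usr/bin/etherape"  # path taken from the thread
    try:
        xattr = os.getxattr(path, "security.capability")  # Linux only
        print(path, any_user_gets_net_raw(xattr, os.stat(path).st_mode))
    except OSError as exc:
        print(f"{path}: no file capabilities readable ({exc})")
```

With the sample value, a mode of 0755 is reported as exposing the capability to every local user, while a 0750 binary whose group is limited to chosen users is not.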