From 070825d443a384e8cf2928bab0367d430aaeca75 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Fri, 17 Feb 2017 15:41:31 +0100
Subject: [PATCH 1/3] setcapWrapper: add support for setting permissions

---
 nixos/modules/security/wrappers/default.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 861ce225257..52f25187660 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -28,6 +28,7 @@ let
 , source
 , owner ? "nobody"
 , group ? "nogroup"
+ , permissions ? "u+rx,g+x,o+x"
 , ...
 }:
 assert (lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3");
@@ -45,7 +46,7 @@ let
 ${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program}
 # Set the executable bit
- chmod u+rx,g+x,o+x $wrapperDir/${program}
+ chmod ${permissions} $wrapperDir/${program}
 '';
 ###### Activation script for the setuid wrappers

From 8f3e6fdd8cb68af56d40e646be3077e319769a4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?=
Date: Thu, 16 Feb 2017 21:53:09 +0100
Subject: [PATCH 2/3] nixos: add programs.wireshark option

To be able to use Wireshark as an ordinary user, the 'dumpcap' program must be installed setuid root.
This module module simplifies such a configuration to simply:

programs.wireshark.enable = true;

The setuid wrapper is available for users in the 'wireshark' group.

Changes v1 -> v2:
- add "defaultText" to the programs.wireshark.package option (AFAIK, that prevents the manual from being needlessly rebuilt when the package changes)
---
 nixos/modules/misc/ids.nix | 2 +
 nixos/modules/module-list.nix | 1 +
 nixos/modules/programs/wireshark.nix | 57 ++++++++++++++++++++++++++++
 3 files changed, 60 insertions(+)
 create mode 100644 nixos/modules/programs/wireshark.nix

diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index d51b29b99da..a3845737410 100644
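Review bot: In the second hunk, `chmod ${permissions} $wrapperDir/${program}` splices the new `permissions` value into the activation shell script unquoted, so a value containing whitespace or shell metacharacters is word-split into extra chmod arguments instead of being rejected, and the program path is unquoted as well. Because the parameter list edited in the first hunk ends in `...`, a mistyped attribute name from a caller is also dropped silently and the world-executable default `u+rx,g+x,o+x` applies, which is the opposite of what a caller restricting the mode intends. I would write the line as `chmod ${lib.escapeShellArg permissions} "$wrapperDir/${program}"` and make sure the option feeding this parameter (outside this diff) is typed as a string. The wrapper function whose parameter list the first hunk edits starts before and ends after the hunk.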
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -288,6 +288,7 @@ kresd = 270;
 rpc = 271;
 geoip = 272;
+ #wireshark = 273; # unused
 # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@@ -545,6 +546,7 @@ kresd = 270;
 #rpc = 271; # unused
 #geoip = 272; # unused
+ wireshark = 273;
 # When adding a gid, make sure it doesn't match an existing
 # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 81597d91d89..e60f93d52d9 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -91,6 +91,7 @@
 ./programs/tmux.nix
 ./programs/venus.nix
 ./programs/vim.nix
+ ./programs/wireshark.nix
 ./programs/wvdial.nix
 ./programs/xfs_quota.nix
 ./programs/xonsh.nix
diff --git a/nixos/modules/programs/wireshark.nix b/nixos/modules/programs/wireshark.nix
new file mode 100644
index 00000000000..aaaf678d362
--- /dev/null
+++ b/nixos/modules/programs/wireshark.nix
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.programs.wireshark;
+ wireshark = cfg.package;
+
+in
+
+{
+
+ options = {
+
+ programs.wireshark = {
+
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to add Wireshark to the global environment and configure a
+ setuid wrapper for 'dumpcap' for users in the 'wireshark' group.
+ '';
+ };
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.wireshark-cli;
+ defaultText = "pkgs.wireshark-cli";
+ description = ''
+ Which Wireshark package to install in the global environment.
+ '';
+ };
+
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+
+ environment.systemPackages = [ wireshark ];
+
+ security.wrappers.dumpcap = {
+ source = "${wireshark}/bin/dumpcap";
+ owner = "root";
+ group = "wireshark";
+ setuid = true;
+ setgid = false;
+ permissions = "u+rx,g+x";
+ };
+
+ users.extraGroups.wireshark.gid = config.ids.gids.wireshark;
+
+ };
+
+}
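Review bot: `permissions = "u+rx,g+x"` is set on a `setuid = true` wrapper, but the first patch of this series only added the `permissions` parameter to the setcap wrapper builder, and those builder functions accept `...`; if the setuid builder in security/wrappers/default.nix (outside this diff) does not honour the attribute, it is dropped without any error and dumpcap is installed with that builder's default mode, executable by every user rather than only the 'wireshark' group as the `enable` description promises — please confirm against the setuid path before merging. Since the wrapper runs dumpcap as uid 0, membership in the 'wireshark' group is in effect a privileged grant (capture of all traffic on every interface), and the option description should say so; I would append `Members of that group can capture traffic on any interface, so treat membership as privileged.` to the `enable` description. The ids.nix and module-list.nix hunks on this line are routine id allocation and module registration.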
From 7ec5faa8a4c26beb189c01e27a02d4e2606a4df3 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Fri, 17 Feb 2017 13:15:59 +0100
Subject: [PATCH 3/3] programs.wireshark: use setcap wrapper

---
 nixos/modules/misc/ids.nix | 2 --
 nixos/modules/programs/wireshark.nix | 25 +++++--------------------
 2 files changed, 5 insertions(+), 22 deletions(-)

diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index a3845737410..d51b29b99da 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -288,7 +288,6 @@ kresd = 270;
 rpc = 271;
 geoip = 272;
- #wireshark = 273; # unused
 # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@@ -546,7 +545,6 @@ kresd = 270;
 #rpc = 271; # unused
 #geoip = 272; # unused
- wireshark = 273;
 # When adding a gid, make sure it doesn't match an existing
 # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/programs/wireshark.nix b/nixos/modules/programs/wireshark.nix
index aaaf678d362..710d223b6f5 100644
--- a/nixos/modules/programs/wireshark.nix
+++ b/nixos/modules/programs/wireshark.nix
@@ -3,27 +3,19 @@
 with lib;
 let
- cfg = config.programs.wireshark;
 wireshark = cfg.package;
-
-in
-
- {
-
+ in {
 options = {
-
 programs.wireshark = {
-
 enable = mkOption {
 type = types.bool;
 default = false;
 description = ''
 Whether to add Wireshark to the global environment and configure a
- setuid wrapper for 'dumpcap' for users in the 'wireshark' group.
+ setcap wrapper for 'dumpcap' for users in the 'wireshark' group.
 '';
 };
-
 package = mkOption {
 type = types.package;
 default = pkgs.wireshark-cli;
@@ -32,26 +24,19 @@ in
 Which Wireshark package to install in the global environment.
 '';
 };
-
 };
-
 };
 config = mkIf cfg.enable {
-
 environment.systemPackages = [ wireshark ];
-
+ users.extraGroups.wireshark = {};
+
 security.wrappers.dumpcap = {
 source = "${wireshark}/bin/dumpcap";
+ capabilities = "cap_net_raw+p";
 owner = "root";
 group = "wireshark";
- setuid = true;
- setgid = false;
 permissions = "u+rx,g+x";
 };
-
- users.extraGroups.wireshark.gid = config.ids.gids.wireshark;
-
 };
-
 }
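Review bot: `capabilities = "cap_net_raw+p"` only places the capability in the file's permitted set, so capture works only if the wrapper binary raises it to effective before executing dumpcap; the setcap invocation that prefixes `cap_setpcap` lives in security/wrappers/default.nix, outside this hunk, so confirm that behaviour, otherwise `+ep` is what is needed here. Wireshark's own installation guidance for dumpcap grants cap_net_admin alongside cap_net_raw, and without it some interface operations that dumpcap performs can fail for group members even though the wrapper itself is in place; I would try `capabilities = "cap_net_raw,cap_net_admin+p";` (flag adjusted to match the wrapper) and test a capture as a non-root member of the group. With the fixed gid removed from ids.nix in the same commit, `users.extraGroups.wireshark = {};` now receives a dynamically allocated gid, which is acceptable only as long as no files on disk are owned by that group.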