diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index a3845737410..d51b29b99da 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -288,7 +288,6 @@ kresd = 270; rpc = 271; geoip = 272; - #wireshark = 273; # unused # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! @@ -546,7 +545,6 @@ kresd = 270; #rpc = 271; # unused #geoip = 272; # unused - wireshark = 273; # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal diff --git a/nixos/modules/programs/wireshark.nix b/nixos/modules/programs/wireshark.nix index aaaf678d362..710d223b6f5 100644 --- a/nixos/modules/programs/wireshark.nix +++ b/nixos/modules/programs/wireshark.nix @@ -3,27 +3,19 @@ with lib; let - cfg = config.programs.wireshark; wireshark = cfg.package; - -in - -{ - +in { options = { - programs.wireshark = { - enable = mkOption { type = types.bool; default = false; description = '' Whether to add Wireshark to the global environment and configure a - setuid wrapper for 'dumpcap' for users in the 'wireshark' group. + setcap wrapper for 'dumpcap' for users in the 'wireshark' group. ''; }; - package = mkOption { type = types.package; default = pkgs.wireshark-cli; @@ -32,26 +24,19 @@ in Which Wireshark package to install in the global environment. ''; }; - }; - }; config = mkIf cfg.enable { - environment.systemPackages = [ wireshark ]; - + users.extraGroups.wireshark = {}; + security.wrappers.dumpcap = { source = "${wireshark}/bin/dumpcap"; + capabilities = "cap_net_raw+p"; owner = "root"; group = "wireshark"; - setuid = true; - setgid = false; permissions = "u+rx,g+x"; }; - - users.extraGroups.wireshark.gid = config.ids.gids.wireshark; - }; - }
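Review bot: The `enable` description in the first wireshark.nix hunk names the mechanism but not what it grants. Because the wrapper is executable only by owner and group, membership in `wireshark` is what lets a user capture raw traffic on the host, and the option text is where an administrator will look for that. I would extend the sentence to something like `setcap wrapper for 'dumpcap' (CAP_NET_RAW) so members of the 'wireshark' group can capture packets without root; treat membership as a privileged grant.` The module's function header and the end of the `options` set lie outside this hunk.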
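Review bot: In the second wireshark.nix hunk, `capabilities = "cap_net_raw+p";` has no comment explaining why only CAP_NET_RAW is granted, and only in the permitted set, so a later editor could widen it without knowing the intent. Upstream Wireshark's setup notes usually pair it with cap_net_admin; if leaving that out is deliberate least privilege, a comment such as `# CAP_NET_RAW only: sufficient for capture; cap_net_admin deliberately not granted` would record it (I have not verified which capture features, if any, need the second capability). Separately, `users.extraGroups.wireshark = {};` drops the fixed gid 273. On hosts that already have the group, confirm the gid stays stable across the upgrade, since files owned by the old numeric gid would otherwise end up belonging to a different group. The `options` set that precedes `config` opens in the previous hunk.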