authorRobin Gloster <mail@glob.in>2017-02-17 13:15:59 +0100
committerRobin Gloster <mail@glob.in>2017-02-17 15:42:55 +0100
commit7ec5faa8a4c26beb189c01e27a02d4e2606a4df3 (patch)
tree742509beda6aecc8b16698c9b7e580156c4941b1
parent8f3e6fdd8cb68af56d40e646be3077e319769a4e (diff)
programs.wireshark: use setcap wrapper
-rw-r--r--nixos/modules/misc/ids.nix2
-rw-r--r--nixos/modules/programs/wireshark.nix25
2 files changed, 5 insertions, 22 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index a3845737410d..d51b29b99dae 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -288,7 +288,6 @@
       kresd = 270;
       rpc = 271;
       geoip = 272;
-      #wireshark = 273; # unused
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -546,7 +545,6 @@
       kresd = 270;
       #rpc = 271; # unused
       #geoip = 272; # unused
-      wireshark = 273;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/programs/wireshark.nix b/nixos/modules/programs/wireshark.nix
index aaaf678d362c..710d223b6f59 100644
--- a/nixos/modules/programs/wireshark.nix
+++ b/nixos/modules/programs/wireshark.nix
@@ -3,27 +3,19 @@
 with lib;
 
 let
-
   cfg = config.programs.wireshark;
   wireshark = cfg.package;
-
-in
-
-{
-
+in {
   options = {
-
     programs.wireshark = {
-
       enable = mkOption {
         type = types.bool;
         default = false;
         description = ''
           Whether to add Wireshark to the global environment and configure a
-          setuid wrapper for 'dumpcap' for users in the 'wireshark' group.
+          setcap wrapper for 'dumpcap' for users in the 'wireshark' group.
         '';
       };
-
       package = mkOption {
         type = types.package;
         default = pkgs.wireshark-cli;
@@ -32,26 +24,19 @@ in
           Which Wireshark package to install in the global environment.
         '';
       };
-
     };
-
   };
 
   config = mkIf cfg.enable {
-
     environment.systemPackages = [ wireshark ];
-    
+    users.extraGroups.wireshark = {};
+
     security.wrappers.dumpcap = {
       source = "${wireshark}/bin/dumpcap";
+      capabilities = "cap_net_raw+p";
       owner = "root";
       group = "wireshark";
-      setuid = true;
-      setgid = false;
       permissions = "u+rx,g+x";
     };
-
-    users.extraGroups.wireshark.gid = config.ids.gids.wireshark;
-
   };
-
 }
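Review bot: `capabilities = "cap_net_raw+p"` places CAP_NET_RAW only in the wrapper's permitted set, so dumpcap can capture only if the `security.wrappers` program itself raises the capability before executing it. That mechanism is not visible in this hunk, so a comment above the line would help, e.g. `# permitted only: the wrapper raises it for dumpcap, no setuid root needed`. With `setuid = true` gone, `permissions = "u+rx,g+x"` together with `group = "wireshark"` is the whole access control, and every member of that group can read traffic on the host's interfaces; the `enable` description could say so. It may also be worth confirming that no capture mode in use needs `cap_net_admin` as well, since upstream's setcap instructions for dumpcap grant both.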