Hello all,
recently I wanted to run Wireshark without using sudo (given that I am on Wayland, it's a bit more involved to get apps to run as another user, though it is possible with root). Dumpcap needs to have cap_net_raw and cap_net_admin=eip so that it can work properly.

I faced two issues regarding this:

1. Wireshark references dumpcap directly from its output
2. dumpcap is wrapped with some Qt wrapper stuff that's not important for it, as it is not a GUI program like Wireshark itself is.

I solved both issues, but not really ideally: I patched Wireshark so that it refers to /run/privileged/bin/dumpcap directly, and unwrapped dumpcap by copying the .dumpcap-real to dumpcap.

I am now wondering what would be a more idiomatic way to solve this. Should we patch Wireshark to first look into PATH and only then try dumpcap from the output directory? This still keeps Wireshark not dependent on having its bin folder in PATH, but on the other hand, it might happen that dumpcap from the system will be preferred, which might in some cases be undesirable.

And regarding the undesired wrapping, shouldn't the Qt build system have a way to say which binaries should not be wrapped? I see that it is currently possible to tell it not to wrap specific outputs, but there is no way to not wrap specific binaries. Unwrapping after it's wrapped feels more like a hack.

I am attaching my current solution:
---
(define wireshark-patched
  (package/inherit wireshark
    (source
     (origin
       (inherit (package-source wireshark))
       (patches
        (cons* (local-file "patches/wireshark.patch")
               (origin-patches (package-source wireshark))))))
    (arguments
     (substitute-keyword-arguments (package-arguments wireshark)
       ((#:phases original-phases)
        #~(modify-phases #$original-phases
            ;; Replace the Qt wrapper script with the real binary.
            (add-after 'qt-wrap 'unwrap-dumpcap
              (lambda _
                (delete-file (string-append #$output "/bin/dumpcap"))
                (copy-file (string-append #$output "/bin/.dumpcap-real")
                           (string-append #$output "/bin/dumpcap"))))))))))
---

Here is the patch:
---
>From cb326bf97c99ff73a0a8689304e3ad47aa59139f Mon Sep 17 00:00:00 2001 From: Rutherther <ruthert...@ditigal.xyz> Date: Sat, 15 Feb 2025 11:39:38 +0100 Subject: [PATCH] Point dumpcap to privileged bin --- capture/capture_sync.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/capture/capture_sync.c b/capture/capture_sync.c index 946dc810db..2cc3d6f705 100644 --- a/capture/capture_sync.c +++ b/capture/capture_sync.c @@ -244,7 +244,7 @@ init_pipe_args(int *argc) { char **argv; /* Find the absolute path of the dumpcap executable. */ - exename = get_executable_path("dumpcap"); + exename = "/run/privileged/bin/dumpcap"; if (exename == NULL) { return NULL; } @@ -270,9 +270,6 @@ init_pipe_args(int *argc) { } } - /* sync_pipe_add_arg strdupes exename, so we should free our copy */ - g_free(exename); - return argv; } --

Privileged programs then look like this:
---
(privileged-programs
 (cons* (privileged-program
         (program (file-append wireshark-patched "/bin/dumpcap"))
         (capabilities "cap_net_raw,cap_net_admin=eip"))
        %default-privileged-programs))
---

Regards,
Rutherther
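
Review bot: in the first hunk of capture/capture_sync.c (init_pipe_args), assigning the literal "/run/privileged/bin/dumpcap" to exename makes the following `if (exename == NULL)` check unreachable and leaves the comment "Find the absolute path of the dumpcap executable" stale, and nothing verifies that the hard-coded path exists. Consider testing that path for an executable file and falling back to `get_executable_path("dumpcap")` when it is absent, so the same build still works where the privileged program is not configured, and update the comment to match.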
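
Review bot: the second hunk removes `g_free(exename);` only because exename now points at a string literal, which couples the ownership rule to the first hunk; if a fallback to `get_executable_path("dumpcap")` is ever restored, that branch would leak its copy. Assigning `g_strdup("/run/privileged/bin/dumpcap")` in the first hunk instead would keep exename heap-allocated, let the `g_free` and its comment stay in place, and shrink the patch to a one-line change.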