Linux naturally restricts all but superuser from pulling traffic directly from network adapters. In the case of Wireshark/dumpcap, setuid root is used ONLY for dumpcap, restricting the privileges needed for Wireshark run by the user:

Wireshark has implemented Privilege Separation which means that the Wireshark GUI (or the tshark CLI) can run as a normal user while the dumpcap capture utility runs as root. This can be achieved by installing dumpcap setuid root. The advantage of this solution is that while dumpcap is run as root the vast majority of Wireshark's code is run as a normal user (where it can do much less damage).

In the case of node_pcap, a similar issue occurs: the node.js process needs superuser to listen to the adapter, but that's a poor choice.

What's a sensible way to give a node process just enough privilege to capture packets and nothing else outside of the account running it?

bright-star

1 Answer


Based on a recipe by Jeremy Stretch from Packetlife:

Ingredients

  1. setcap (usually comes with the libcap2-bin package) - it will allow you to set the special kernel permission/capabilities that node needs when running as a regular user account.

Cooking

A. Give node capture capabilities:

setcap 'cap_net_raw,cap_net_admin=eip' /usr/local/bin/node

B. Report on success.

C. ???

D. Profit.

Hope this helps!

Milen
  • No chance I could do `setcap '...' dir/dir2/myscript.js` and then call it later with `nodemon` or `node`? Gave it a try with poor results, but I'm new to node.js. – bright-star Nov 30 '14 at 23:23
  • Unfortunately, not :-( You need the process to have the privileges - it's not the JS that is the process. Typically you only give those privileges to dumpcap, which is the utility used by the likes of Wireshark to capture the traffic. But definitely won't work with doing that with the script :-( – Milen Dec 01 '14 at 10:41
  • Following Stretch's guide, would setting group permissions on the file but capabilities on `node` be a good compromise? – bright-star Dec 02 '14 at 01:11
  • This seems dangerous. Anyone who can run node could then use cap_net_raw and cap_net_admin to do whatever they want, with any script they want. – Joseph Sible-Reinstate Monica Nov 12 '19 at 04:40