[PATCH] gnu: wireshark: Lookup 'dumpcap' in PATH.

  • Open
Details
2 participants
  • Brice Waegeneire
  • Mathieu Othacehe
Owner
unassigned
Submitted by
Brice Waegeneire
Severity
normal
Brice Waegeneire wrote on 15 Jun 2020 18:18
(address . guix-patches@gnu.org)
20200615161841.24337-1-brice@waegenei.re
* gnu/packages/patches/wireshark-lookup-dumpcap-in-path.patch: New file
* gnu/local.mk: … add it …
* gnu/packages/networking.scm (wireshark)[origin]: … use it.
---

Together with https://issues.guix.info/41763 this patch allows using wireshark
as a non-root user by adding the following to your “operating-system-services”
field:

(simple-service 'wireshark-group account-service-type
                (list (user-group (name "wireshark") (system? #t))))
(simple-service 'wireshark-dumpcap setuid-program-service-type
                (list (list (file-append wireshark "/bin/dumpcap")
                            "root" "wireshark")))

Such a feature was asked for on the mailing list years ago[0].


gnu/local.mk | 1 +
gnu/packages/networking.scm | 1 +
.../wireshark-lookup-dumpcap-in-path.patch | 66 +++++++++++++++++++
3 files changed, 68 insertions(+)
create mode 100644 gnu/packages/patches/wireshark-lookup-dumpcap-in-path.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 79bdfe9be8..3b07aa248c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1595,6 +1595,7 @@ dist_patch_DATA = \
%D%/packages/patches/wicd-get-selected-profile-fix.patch \
%D%/packages/patches/wicd-urwid-1.3.patch \
%D%/packages/patches/wicd-wpa2-ttls.patch \
+ %D%/packages/patches/wireshark-lookup-dumpcap-in-path.patch \
%D%/packages/patches/wmctrl-64-fix.patch \
%D%/packages/patches/wmfire-update-for-new-gdk-versions.patch \
%D%/packages/patches/wordnet-CVE-2008-2149.patch \
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index e8f398e521..216e5072a4 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -873,6 +873,7 @@ of the same name.")
(method url-fetch)
(uri (string-append "https://www.wireshark.org/download/src/wireshark-"
version ".tar.xz"))
+ (patches (search-patches "wireshark-lookup-dumpcap-in-path.patch"))
(sha256
(base32 "1amqgn94g6h6cfnsccm2zb4c73pfv1qmzi1i6h1hnbcyhhg4czfi"))))
(build-system cmake-build-system)
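Review bot: The added `(patches (search-patches "wireshark-lookup-dumpcap-in-path.patch"))` line is the only change to networking.scm, so nothing in the package definition tells users that capture now depends on which `dumpcap` comes first in PATH. Consider a short comment next to the patches field, or a sentence in the package description, pointing at the setuid dumpcap setup described in the cover text.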
diff --git a/gnu/packages/patches/wireshark-lookup-dumpcap-in-path.patch b/gnu/packages/patches/wireshark-lookup-dumpcap-in-path.patch
new file mode 100644
index 0000000000..4c000c23a1
--- /dev/null
+++ b/gnu/packages/patches/wireshark-lookup-dumpcap-in-path.patch
@@ -0,0 +1,66 @@
+Taken from Nixpkgs:
+<https://github.com/NixOS/nixpkgs/blob/aa060ababf1490e8b39a6122d42112ea958f39cf/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch>
+
+From 5bef9deeff8a2e4401de0f45c9701cd6f98f29d8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= <bjorn.forsman@gmail.com>
+Date: Thu, 26 Nov 2015 21:03:35 +0100
+Subject: [PATCH] Lookup dumpcap in PATH
+
+NixOS patch: Look for dumpcap in PATH first, because there may be a
+dumpcap wrapper that we want to use instead of the default
+non-setuid dumpcap binary.
+
+Also change execv() to execvp() because we've set argv[0] to "dumpcap"
+and have to enable PATH lookup. Wireshark is not a setuid program, so
+looking in PATH is not a security issue.
+
+Signed-off-by: Franz Pletz <fpletz@fnordicwalking.de>
+---
+ capchild/capture_sync.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/capchild/capture_sync.c b/capchild/capture_sync.c
+index 970688e..49914d5 100644
+--- a/capchild/capture_sync.c
++++ b/capchild/capture_sync.c
+@@ -332,7 +332,18 @@ init_pipe_args(int *argc) {
+ #ifdef _WIN32
+ exename = g_strdup_printf("%s\\dumpcap.exe", progfile_dir);
+ #else
+- exename = g_strdup_printf("%s/dumpcap", progfile_dir);
++ /*
++ * NixOS patch: Look for dumpcap in PATH first, because there may be a
++ * dumpcap wrapper that we want to use instead of the default
++ * non-setuid dumpcap binary.
++ */
++ if (system("command -v dumpcap >/dev/null") == 0) {
++ /* Found working dumpcap */
++ exename = g_strdup_printf("dumpcap");
++ } else {
++ /* take Wireshark's absolute program path and replace "Wireshark" with "dumpcap" */
++ exename = g_strdup_printf("%s/dumpcap", progfile_dir);
++ }
+ #endif
+
+ /* Make that the first argument in the argument list (argv[0]). */
+@@ -729,7 +740,7 @@ sync_pipe_start(capture_options *capture_opts, capture_session *cap_session, voi
+ */
+ dup2(sync_pipe[PIPE_WRITE], 2);
+ ws_close(sync_pipe[PIPE_READ]);
+- execv(argv[0], argv);
++ execvp(argv[0], argv);
+ g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
+ argv[0], g_strerror(errno));
+ sync_pipe_errmsg_to_parent(2, errmsg, "");
+@@ -997,7 +1008,7 @@ sync_pipe_open_command(char** argv, int *data_read_fd,
+ dup2(sync_pipe[PIPE_WRITE], 2);
+ ws_close(sync_pipe[PIPE_READ]);
+ ws_close(sync_pipe[PIPE_WRITE]);
+- execv(argv[0], argv);
++ execvp(argv[0], argv);
+ g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
+ argv[0], g_strerror(errno));
+ sync_pipe_errmsg_to_parent(2, errmsg, "");
+--
+2.6.3
+
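Review bot: In init_pipe_args, the `system("command -v dumpcap >/dev/null")` probe forks a shell only to test for presence and throws away the path it resolved, so the later execvp() repeats the PATH search on its own and the binary that was probed is not necessarily the one that gets executed. Resolving once with GLib's g_find_program_in_path("dumpcap"), storing the returned absolute path in exename and falling back to progfile_dir when it returns NULL, would avoid the shell and let both execv() calls stay unchanged; as written, the execvp() in sync_pipe_open_command enables PATH lookup for whatever argv[0] that function is given, not only dumpcap. Since the binary chosen now depends on PATH ordering, the comment should also state that the wrapper's directory has to come before the package's own bin directory. Minor: `g_strdup_printf("dumpcap")` has no format arguments, so g_strdup is enough.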
--
2.26.2
Mathieu Othacehe wrote on 5 Jul 2020 11:57
(name . Brice Waegeneire)(address . brice@waegenei.re)(address . 41874@debbugs.gnu.org)
87sge6i8rg.fsf@gnu.org
Hello Brice,

> Together with https://issues.guix.info/41763 this patch allows using wireshark
> as a non-root user by adding the following to your “operating-system-services”
> field:
>
> (simple-service 'wireshark-group account-service-type
>                 (list (user-group (name "wireshark") (system? #t))))
> (simple-service 'wireshark-dumpcap setuid-program-service-type
>                 (list (list (file-append wireshark "/bin/dumpcap")
>                             "root" "wireshark")))

When this mechanism is pushed, we could maybe update the wireshark
package description to refer to this "trick". In the meantime your patch
looks good to me.

Thanks,

Mathieu
Brice Waegeneire wrote on 5 Jul 2020 13:47
Block #41874
(address . control@debbugs.gnu.org)
9667f027e8609b9f83d0d2a6773bb8de@waegenei.re
block 41874 with 41763