TCPDump as non privilaged user

elevennails · July 12, 2018, 10:28pm

Has anyone been able to successfully configure tcpdump to be run by a non-privilaged account.

I've successfully install tcpdump and can run it as sudo. However i'm not able to run it as a local user "mon".

I've created a local group called pcap and added my "mon" account to it...

sudo groupadd pcap
sudo usermod -a -G pcap mon

I've added the group to pcap and allowed members of the group to run it

sudo chgrp pcap /usr/sbin/tcpdump
sudo chmod 750 /usr/sbin/tcpdump

However when i try and run tcpdump as mon locally on the switch i get the following error.

tcpdump -i pppoe-wan -U -s0
tcpdump: pppoe-wan: You don't have permission to capture on that device
(socket: Operation not permitted)

The above command does work if i sudo it.

How can i give my "mon" user access to capture on the pppoe-wan interface without sudo?

Thanks

Simon

jeff · July 12, 2018, 11:03pm

You need to change the permissions on the BPF devices, not the executable

elevennails · July 12, 2018, 11:39pm

Hey Jeff, thanks for replying.

where do, I do that, I've had a quick Google and people seem to be changing /dev/bpf* but I don't seem to have any?

:/$ ls /dev/bpf*
ls: /dev/bpf*: No such file or directory

Thanks

jeff · July 13, 2018, 12:35am

Hmmm, no getcap or setcap either...

Edit:

Ugh, looks like tcpdump works by opening a low-level, raw socket and binding it to the device

sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))
...
setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, ...)

From http://seclists.org/tcpdump/2011/q1/58

       Under Linux:
              You  must  be  root or the application capturing packets must be
              installed setuid to root (unless your distribution has a  kernel
              that  supports  capability  bits such as CAP_NET_RAW and code to
              allow those capability bits to be given to  particular  accounts
              and  to cause those bits to be set on a user's initial processes
              when they log in, in which case you  must  have  CAP_NET_RAW  in
              order  to capture and CAP_NET_ADMIN to enumerate network devices
              with, for example, the -D flag).

I personally wouldn't make tcpdump setuid root, but start looking for another, better-controlled way to achieve the goal.

elevennails · July 13, 2018, 7:29am

Is setcap available in a package. I've seen an lede post by someone using in on Google it couldn't find it. Thought it might have been I. Libcap but it wasn't?