author | Peter Volkov <pva@gentoo.org> | 2008-03-23 14:06:28 +0000 |
---|---|---|
committer | Peter Volkov <pva@gentoo.org> | 2008-03-23 14:06:28 +0000 |
commit | 177a5aa10a7aef2603a8bf6787ecbc784ed3c98e (patch) | |
tree | 06121bc6130cc0a3019f835bd33ab9b10e2a6ed4 /net-analyzer | |
parent | Marking gentoo-syntax-1.8 ~ppc64 for bug 214283 (diff) | |
Fix wireshark stop when built with caps.
(Portage version: 2.1.4.4)
Diffstat (limited to 'net-analyzer')
4 files changed, 553 insertions, 1 deletions
diff --git a/net-analyzer/wireshark/ChangeLog b/net-analyzer/wireshark/ChangeLog index dc982b60dca9..801804f6edf0 100644 --- a/net-analyzer/wireshark/ChangeLog +++ b/net-analyzer/wireshark/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for net-analyzer/wireshark # Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-analyzer/wireshark/ChangeLog,v 1.90 2008/03/19 20:28:44 pva Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-analyzer/wireshark/ChangeLog,v 1.91 2008/03/23 14:06:28 pva Exp $ + +*wireshark-1.0.0_rc1-r1 (23 Mar 2008) + + 23 Mar 2008; Peter Volkov <pva@gentoo.org> + +files/wireshark-1.0.0_rc1-fix-setcap-EPERM.patch, + +files/wireshark-1.0.0_rc1-fix-stop-capture.patch, + +wireshark-1.0.0_rc1-r1.ebuild: + Fix wireshark stop when built with caps. *wireshark-1.0.0_rc1 (19 Mar 2008) diff --git a/net-analyzer/wireshark/files/wireshark-1.0.0_rc1-fix-setcap-EPERM.patch b/net-analyzer/wireshark/files/wireshark-1.0.0_rc1-fix-setcap-EPERM.patch new file mode 100644 index 000000000000..0dcfda6f178a --- /dev/null +++ b/net-analyzer/wireshark/files/wireshark-1.0.0_rc1-fix-setcap-EPERM.patch 
@@ -0,0 +1,31 @@
+Author: gerald
+Date: Thu Mar 20 19:18:33 2008 UTC (2 days, 16 hours ago)
+Log Message:
+
+Don't call cap_set_proc() unless we were started with elevated privileges.
+Otherwise, we might print dumpcap: cap_set_proc() fail return: Operation not
+permitted to stderr.
+
+--- trunk/dumpcap.c 2008/03/20 00:30:47 24703
++++ trunk/dumpcap.c 2008/03/20 19:18:33 24704
+@@ -508,12 +508,15 @@
+
+ relinquish_special_privs_perm();
+
+- print_caps("Post drop, pre set");
+- cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
+- if (cap_set_proc(caps)) {
+- cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
++ if (started_with_special_privs()) {
++ print_caps("Post drop, pre set");
++ cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
++ if (cap_set_proc(caps)) {
++ cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
++ }
++ print_caps("Post drop, post set");
+ }
+- print_caps("Post drop, post set");
++
+ cap_free(caps);
+ }
+ #endif /* HAVE_LIBCAP */
diff --git a/net-analyzer/wireshark/files/wireshark-1.0.0_rc1-fix-stop-capture.patch b/net-analyzer/wireshark/files/wireshark-1.0.0_rc1-fix-stop-capture.patch
new file mode 100644
index 000000000000..905e29512d14
--- /dev/null
+++ b/net-analyzer/wireshark/files/wireshark-1.0.0_rc1-fix-stop-capture.patch
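Review bot: The new `if (started_with_special_privs())` guard sits after `relinquish_special_privs_perm()`, so it only works if that predicate reports the credentials recorded at startup rather than the live euid, and nothing in the hunk states that dependency. If the helper consulted the current IDs, the guard would be false after the drop and the effective NET_ADMIN/NET_RAW set would never be re-raised. A one-line comment above the guard would pin this down once confirmed against the helper's definition, for example `/* uses the IDs saved at startup, so still true after the drop above */`. The enclosing function begins outside the hunk, so the capability setup it relies on is not visible here.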
@@ -0,0 +1,344 @@
+Author: wmeier
+Date: Sat Mar 22 19:04:26 2008 UTC (16 hours, 26 minutes ago)
+Log Message:
+
+Fix (aka workaround) for bug #2228. Essentially: if using libcap, drop
+capabilities after doing pcap_open_live. See comment in main() for details.
+
+--- trunk/dumpcap.c 2008/03/22 05:50:19 24715
++++ trunk/dumpcap.c 2008/03/22 19:04:26 24716
+@@ -102,8 +102,8 @@
+ */
+ #include "wiretap/libpcap.h"
+
+-/*#define DEBUG_DUMPCAP*/
+-/*#define DEBUG_CHILD_DUMPCAP*/
++/**#define DEBUG_DUMPCAP**/
++/**#define DEBUG_CHILD_DUMPCAP**/
+
+ #ifdef DEBUG_CHILD_DUMPCAP
+ FILE *debug_log; /* for logging debug messages to */
+@@ -466,14 +466,20 @@
+ /*
+ * If we were linked with libcap (not libpcap), make sure we have
+ * CAP_NET_ADMIN and CAP_NET_RAW, then relinquish our permissions.
++ * (See comment in main() for details)
+ */
+
+ static void
+ #if 0 /* Set to enable capability debugging */
++/* see 'man cap_to_text()' for explanation of output */
++/* '=' means 'all= ' ie: no capabilities */
++/* '=ip' means 'all=ip' ie: all capabilities are permissible and inheritable */
++/* .... */
+ print_caps(char *pfx) {
+ cap_t caps = cap_get_proc();
+- fprintf(stderr, "%s: EUID: %d Capabilities: %s\n", pfx,
+- geteuid(), cap_to_text(caps, NULL));
++ g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_DEBUG,
++ "%s: EUID: %d Capabilities: %s", pfx,
++ geteuid(), cap_to_text(caps, NULL));
+ cap_free(caps);
+ #else
+ print_caps(char *pfx _U_) {
+@@ -483,16 +489,23 @@
+ static void
+ relinquish_privs_except_capture(void)
+ {
+- /* CAP_NET_ADMIN: Promiscuous mode and a truckload of other
++ /* If 'started_with_special_privs' (ie: suid) then enable for
++ * ourself the NET_ADMIN and NET_RAW capabilities and then
++ * drop our suid privileges.
++ *
++ * CAP_NET_ADMIN: Promiscuous mode and a truckload of other
+ * stuff we don't need (and shouldn't have).
+ * CAP_NET_RAW: Packet capture (raw sockets).
+ */
+- cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
+- cap_t caps = cap_init();
+- int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
+
+ if (started_with_special_privs()) {
++ cap_value_t cap_list[2] = { CAP_NET_ADMIN, CAP_NET_RAW };
++ int cl_len = sizeof(cap_list) / sizeof(cap_value_t);
++
++ cap_t caps = cap_init(); /* all capabilities initialized to off */
++
+ print_caps("Pre drop, pre set");
++
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) {
+ cmdarg_err("prctl() fail return: %s", strerror(errno));
+ }
+@@ -504,21 +517,35 @@
+ cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
+ }
+ print_caps("Pre drop, post set");
+- }
+
+- relinquish_special_privs_perm();
++ relinquish_special_privs_perm();
+
+- if (started_with_special_privs()) {
+ print_caps("Post drop, pre set");
+ cap_set_flag(caps, CAP_EFFECTIVE, cl_len, cap_list, CAP_SET);
+ if (cap_set_proc(caps)) {
+ cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
+ }
+ print_caps("Post drop, post set");
++
++ cap_free(caps);
+ }
++}
++
+
++static void
++relinquish_all_capabilities()
++{
++ /* Drop any and all capabilities this process may have. */
++ /* Allowed whether or not process has any privileges. */
++ cap_t caps = cap_init(); /* all capabilities initialized to off */
++ print_caps("Pre-clear");
++ if (cap_set_proc(caps)) {
++ cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
++ }
++ print_caps("Post-clear");
+ cap_free(caps);
+ }
++
+ #endif /* HAVE_LIBCAP */
+
+ /* Take care of byte order in the libpcap headers read from pipes.
+@@ -1083,8 +1110,15 @@
+ open_err_str);
+ #endif
+
++/* If not using libcap: we now can now set euid/egid to ruid/rgid */
++/* to remove any suid privileges. */
++/* If using libcap: we can now remove NET_RAW and NET_ADMIN capabilities */
++/* (euid/egid have already previously been set to ruid/rgid. */
++/* (See comment in main() for details) */
+ #ifndef HAVE_LIBCAP
+ relinquish_special_privs_perm();
++#else
++ relinquish_all_capabilities();
+ #endif
+
+ if (ld->pcap_h != NULL) {
+@@ -2252,13 +2286,13 @@
+ /* (eg: during initialization) will be formatted properly. */
+
+ for (i=1; i<argc; i++) {
+- if (strcmp("-Z", argv[i]) == 0) {
+- capture_child = TRUE;
++ if (strcmp("-Z", argv[i]) == 0) {
++ capture_child = TRUE;
+ #ifdef _WIN32
+- /* set output pipe to binary mode, to avoid ugly text conversions */
+- _setmode(2, O_BINARY);
++ /* set output pipe to binary mode, to avoid ugly text conversions */
++ _setmode(2, O_BINARY);
+ #endif
+- }
++ }
+ }
+
+ /* The default_log_handler will use stdout, which makes trouble in */
+@@ -2316,8 +2350,85 @@
+ sigaction(SIGHUP, &action, NULL);
+ #endif /* _WIN32 */
+
++ /* ----------------------------------------------------------------- */
++ /* Privilege and capability handling */
++ /* Cases: */
++ /* 1. Running not as root or suid root; no special capabilities. */
++ /* Action: none */
++ /* */
++ /* 2. Running logged in as root (euid=0; ruid=0); Not using libcap. */
++ /* Action: none */
++ /* */
++ /* 3. Running logged in as root (euid=0; ruid=0). Using libcap. */
++ /* Action: */
++ /* - Near start of program: Enable NET_RAW and NET_ADMIN */
++ /* capabilities; Drop all other capabilities; */
++ /* - If not -w (ie: doing -S or -D, etc) run to completion; */
++ /* else: after pcap_open_live() in capture_loop_open_input() */
++ /* drop all capabilities (NET_RAW and NET_ADMIN) */
++ /* (Note: this means that the process, although logged in */
++ /* as root, does not have various permissions such as the */
++ /* ability to bypass file access permissions. */
++ /* XXX: Should we just leave capabilities alone in this case */
++ /* so that user gets expected effect that root can do */
++ /* anything ?? */
++ /* */
++ /* 4. Running as suid root (euid=0, ruid=n); Not using libcap. */
++ /* Action: */
++ /* - If not -w (ie: doing -S or -D, etc) run to completion; */
++ /* else: after pcap_open_live() in capture_loop_open_input() */
++ /* drop same (euid=ruid). (ie: keep suid until after */
++ /* pcap_open_live */
++ /* */
++ /* 5. Running as suid root (euid=0, ruid=n); Using libcap. */
++ /* Action: */
++ /* - Near start of program: Enable NET_RAW and NET_ADMIN */
++ /* capabilities; Drop all other capabilities; */
++ /* Drop suid privileges (euid=ruid). */
++ /* - If not -w (ie: doing -S or -D, etc) run to completion; */
++ /* else: after pcap_open_live() in capture_loop_open_input() */
++ /* drop all capabilities (NET_RAW and NET_ADMIN) */
++ /* */
++ /* XXX: For some Linux versions/distros with capabilities */
++ /* a 'normal' process with any capabilities cannot be */
++ /* 'killed' (signaled) from another (same uid) non-privileged */
++ /* process. */
++ /* For example: If (non-suid) Wireshark forks a */
++ /* child suid dumpcap which acts as described here (case 5), */
++ /* Wireshark will be unable to kill (signal) the child */
++ /* dumpcap process until the capabilities have been dropped */
++ /* (after pcap_open_live()). */
++ /* This behaviour will apparently be changed in the kernel */
++ /* to allow the kill (signal) in this case. */
++ /* See the following for details: */
++ /* http://www.mail-archive.com/ [wrapped] */
++ /* linux-security-module@vger.kernel.org/msg02913.html */
++ /* */
++ /* It is therefore conceivable that if dumpcap somehow hangs */
++ /* in pcap_open_live or before that wireshark will not */
++ /* be able to stop dumpcap using a signal (USR1, TERM, etc). */
++ /* In this case, exiting wireshark will kill the child */
++ /* dumpcap process. */
++ /* */
++ /* 6. Not root or suid root; Running with NET_RAW & NET_ADMIN */
++ /* capabilities; Using libcap. Note: capset cmd (which see) */
++ /* used to assign capabilities to file. */
++ /* Action: */
++ /* - If not -w (ie: doing -S or -D, etc) run to completion; */
++ /* else: after pcap_open_live() in capture_loop_open_input() */
++ /* drop all capabilities (NET_RAW and NET_ADMIN) */
++ /* */
++ /* ToDo: -S (stats) should drop privileges/capabilities when no */
++ /* onger required (similar to capture). */
++ /* */
++ /* ----------------------------------------------------------------- */
++
+ get_credential_info();
++
+ #ifdef HAVE_LIBCAP
++ /* If 'started with special privileges' (and using libcap) */
++ /* Set to keep only NET_RAW and NET_ADMIN capabilities; */
++ /* Set euid/egid = ruid/rgid to remove suid privileges */
+ relinquish_privs_except_capture();
+ #endif
+
+@@ -2380,34 +2491,33 @@
+ #endif /* _WIN32 */
+ status = capture_opts_add_opt(capture_opts, opt, optarg, &start_capture);
+ if(status != 0) {
+- exit_main(status);
++ exit_main(status);
+ }
+ break;
+ /*** hidden option: Wireshark child mode (using binary output messages) ***/
+ case 'Z':
+- capture_child = TRUE;
++ capture_child = TRUE;
+ #ifdef _WIN32
+- /* set output pipe to binary mode, to avoid ugly text conversions */
+- _setmode(2, O_BINARY);
+- /*
+- * optarg = the control ID, aka the PPID, currently used for the
+- * signal pipe name.
+- */
+- if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
+- sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT,
+- optarg);
+- sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
+- GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
+-
+- if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
+- g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
+- "Signal pipe: Unable to open %s. Dead parent?",
+- sig_pipe_name);
+- exit_main(1);
+- }
++ /* set output pipe to binary mode, to avoid ugly text conversions */
++ _setmode(2, O_BINARY);
++ /*
++ * optarg = the control ID, aka the PPID, currently used for the
++ * signal pipe name.
++ */
++ if (strcmp(optarg, SIGNAL_PIPE_CTRL_ID_NONE) != 0) {
++ sig_pipe_name = g_strdup_printf(SIGNAL_PIPE_FORMAT, optarg);
++ sig_pipe_handle = CreateFile(utf_8to16(sig_pipe_name),
++ GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
++
++ if (sig_pipe_handle == INVALID_HANDLE_VALUE) {
++ g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_INFO,
++ "Signal pipe: Unable to open %s. Dead parent?",
++ sig_pipe_name);
++ exit_main(1);
+ }
++ }
+ #endif
+- break;
++ break;
+
+ /*** all non capture option specific ***/
+ case 'D': /* Print a list of capture devices and exit */
+@@ -2435,8 +2545,8 @@
+ argc -= optind;
+ argv += optind;
+ if (argc >= 1) {
+- /* user specified file name as regular command-line argument */
+- /* XXX - use it as the capture file name (or something else)? */
++ /* user specified file name as regular command-line argument */
++ /* XXX - use it as the capture file name (or something else)? */
+ argc--;
+ argv++;
+ }
+@@ -2487,7 +2597,7 @@
+ }
+
+ if (capture_opts_trim_iface(capture_opts, NULL) == FALSE) {
+- cmdarg_err("No capture interfaces available (maybe lack of privileges?).");
++ /* cmdarg_err() already called .... */
+ exit_main(1);
+ }
+
+@@ -2512,11 +2622,11 @@
+ /* Now start the capture. */
+
+ if(capture_loop_start(capture_opts, &stats_known, &stats) == TRUE) {
+- /* capture ok */
+- exit_main(0);
++ /* capture ok */
++ exit_main(0);
+ } else {
+- /* capture failed */
+- exit_main(1);
++ /* capture failed */
++ exit_main(1);
+ }
+ }
+
+@@ -2582,15 +2692,15 @@
+ #if defined(DEBUG_DUMPCAP) || defined(DEBUG_CHILD_DUMPCAP)
+ if( !(log_level & G_LOG_LEVEL_MASK & ~(G_LOG_LEVEL_DEBUG|G_LOG_LEVEL_INFO))) {
+ #ifdef DEBUG_DUMPCAP
+- fprintf(stderr, "%s", msg);
+- fflush(stderr);
++ fprintf(stderr, "%s", msg);
++ fflush(stderr);
+ #endif
+ #ifdef DEBUG_CHILD_DUMPCAP
+- fprintf(debug_log, "%s", msg);
+- fflush(debug_log);
++ fprintf(debug_log, "%s", msg);
++ fflush(debug_log);
+ #endif
+- g_free(msg);
+- return;
++ g_free(msg);
++ return;
+ }
+ #endif
+
diff --git a/net-analyzer/wireshark/wireshark-1.0.0_rc1-r1.ebuild b/net-analyzer/wireshark/wireshark-1.0.0_rc1-r1.ebuild
new file mode 100644
index 000000000000..bc29c9a864e8
--- /dev/null
+++ b/net-analyzer/wireshark/wireshark-1.0.0_rc1-r1.ebuild
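Review bot: In the added `relinquish_all_capabilities()`, a failed `cap_set_proc()` is only reported through `cmdarg_err()` and `cap_init()` is not checked for NULL, so the caller in `capture_loop_open_input()` carries on capturing with NET_RAW and NET_ADMIN still held. A privilege drop that did not take effect should stop the capture instead of being logged; the sketch below exits through `exit_main()`, which the page shows in `main()` but whose declaration order relative to this function is not visible, so a returned status handled at the call site may fit better. `relinquish_privs_except_capture()` in the same patch keeps the same log-and-continue handling for `prctl()` and both `cap_set_proc()` calls. The definition should also be written `relinquish_all_capabilities(void)` to match `relinquish_privs_except_capture(void)`.

```c
static void
relinquish_all_capabilities(void)
{
  /* Drop any and all capabilities this process may have. */
  cap_t caps = cap_init();    /* all capabilities initialized to off */

  if (caps == NULL) {
    cmdarg_err("cap_init() fail return: %s", strerror(errno));
    exit_main(1);
  }
  print_caps("Pre-clear");
  if (cap_set_proc(caps)) {
    /* Capture capabilities are still held: do not go on to capture. */
    cmdarg_err("cap_set_proc() fail return: %s", strerror(errno));
    cap_free(caps);
    exit_main(1);
  }
  print_caps("Post-clear");
  cap_free(caps);
}
```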
@@ -0,0 +1,169 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/wireshark/wireshark-1.0.0_rc1-r1.ebuild,v 1.1 2008/03/23 14:06:28 pva Exp $
+
+EAPI=1
+WANT_AUTOMAKE="1.9"
+inherit autotools libtool flag-o-matic eutils toolchain-funcs
+
+DESCRIPTION="A network protocol analyzer formerly known as ethereal"
+HOMEPAGE="http://www.wireshark.org/"
+
+# _rc versions has different download location.
+[[ -n ${PV#*_rc} && ${PV#*_rc} != ${PV} ]] && {
+SRC_URI="http://www.wireshark.org/download/prerelease/${PN}-${PV/_rc/pre}.tar.gz";
+S=${WORKDIR}/${PN}-${PV/_rc/pre} ; } || \
+SRC_URI="http://www.wireshark.org/download/src/all-versions/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+IUSE="adns gtk ipv6 lua portaudio gnutls gcrypt zlib kerberos threads profile smi +pcap pcre +caps selinux"
+
+RDEPEND="zlib? ( sys-libs/zlib )
+ smi? ( net-libs/libsmi )
+ gtk? ( >=dev-libs/glib-2.0.4
+ =x11-libs/gtk+-2*
+ x11-libs/pango
+ dev-libs/atk )
+ !gtk? ( =dev-libs/glib-1.2* )
+ gnutls? ( net-libs/gnutls )
+ gcrypt? ( dev-libs/libgcrypt )
+ pcap? ( net-libs/libpcap )
+ pcre? ( dev-libs/libpcre )
+ caps? ( sys-libs/libcap )
+ adns? ( net-libs/adns )
+ kerberos? ( virtual/krb5 )
+ portaudio? ( media-libs/portaudio )
+ lua? ( >=dev-lang/lua-5.1 )
+ selinux? ( sec-policy/selinux-wireshark )"
+
+DEPEND="${RDEPEND}
+ >=dev-util/pkgconfig-0.15.0
+ dev-lang/perl
+ sys-devel/bison
+ sys-devel/flex
+ sys-apps/sed"
+
+pkg_setup() {
+ if ! use gtk; then
+ ewarn "USE=-gtk will mean no gui called wireshark will be created and"
+ ewarn "only command line utils are available"
+ fi
+
+ # Add group for users allowed to sniff.
+ enewgroup wireshark || die "Failed to create wireshark group"
+}
+
+src_unpack() {
+ unpack ${A}
+
+ cd "${S}"
+ epatch "${FILESDIR}"/${PN}-0.99.7-asneeded.patch
+ epatch "${FILESDIR}"/${PN}-0.99.8-as-needed.patch
+ epatch "${FILESDIR}"/${PN}-1.0.0_rc1-fix-setcap-EPERM.patch
+ epatch "${FILESDIR}"/${PN}-1.0.0_rc1-fix-stop-capture.patch
+
+ cd "${S}"/epan
+ epatch "${FILESDIR}"/wireshark-except-double-free.diff
+
+ cd "${S}"
+ AT_M4DIR="${S}/aclocal-fallback"
+ eautoreconf
+}
+
+src_compile() {
+ # optimization bug, see bug #165340, bug #40660
+ if [[ $(gcc-version) == 3.4 ]] ; then
+ elog "Found gcc 3.4, forcing -O3 into CFLAGS"
+ replace-flags -O? -O3
+ elif [[ $(gcc-version) == 3.3 || $(gcc-version) == 3.2 ]] ; then
+ elog "Found <=gcc-3.3, forcing -O into CFLAGS"
+ replace-flags -O? -O
+ fi
+
+ # see bug #133092; bugs.wireshark.org/bugzilla/show_bug.cgi?id=1001
+ # our hardened toolchain bug
+ filter-flags -fstack-protector
+
+ local myconf
+ if use gtk; then
+ einfo "Building with gtk support"
+ else
+ einfo "Building without gtk support"
+ myconf="${myconf} --disable-wireshark"
+ fi
+
+ # Workaround bug #213705. If krb5-config --libs has -lcrypto then pass
+ # --with-ssl to ./configure. (Mimics code from acinclude.m4).
+ if use kerberos; then
+ case `krb5-config --libs` in
+ *-lcrypto*) myconf="${myconf} --with-ssl" ;;
+ esac
+ fi
+
+ # dumpcap requires libcap, setuid-install requires dumpcap
+ econf $(use_enable gtk gtk2) \
+ $(use_enable profile profile-build) \
+ $(use_with gnutls) \
+ $(use_with gcrypt) \
+ $(use_enable gtk wireshark) \
+ $(use_enable ipv6) \
+ $(use_enable threads) \
+ $(use_with lua) \
+ $(use_with adns) \
+ $(use_with kerberos krb5) \
+ $(use_with smi libsmi) \
+ $(use_with pcap) \
+ $(use_with zlib) \
+ $(use_with pcre) \
+ $(use_with portaudio) \
+ $(use_with caps libcap) \
+ $(use_enable pcap setuid-install) \
+ --sysconfdir=/etc/wireshark \
+ ${myconf} || die "econf failed"
+
+ emake || die "emake failed"
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die "emake install failed"
+
+ fowners 0:wireshark /usr/bin/tshark
+ fperms 6550 /usr/bin/tshark
+ use pcap && fowners 0:wireshark /usr/bin/dumpcap
+ use pcap && fperms 6550 /usr/bin/dumpcap
+
+ insinto /usr/include/wiretap
+ doins wiretap/wtap.h
+
+ dodoc AUTHORS ChangeLog NEWS README*
+
+ if use gtk ; then
+ insinto /usr/share/icons/hicolor/16x16/apps
+ newins image/hi16-app-wireshark.png wireshark.png
+ insinto /usr/share/icons/hicolor/32x32/apps
+ newins image/hi32-app-wireshark.png wireshark.png
+ insinto /usr/share/icons/hicolor/48x48/apps
+ newins image/hi48-app-wireshark.png wireshark.png
+ insinto /usr/share/applications
+ doins wireshark.desktop
+ fi
+}
+
+pkg_postinst() {
+ echo
+ ewarn "With version 0.99.7, all function calls that require elevated privileges"
+ ewarn "have been moved out of the GUI to dumpcap. WIRESHARK CONTAINS OVER ONE"
+ ewarn "POINT FIVE MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT."
+ ewarn
+ ewarn "NOTE: To run wireshark as normal user you have to add yourself into"
+ ewarn "wireshark group. This security measure ensures that only trusted"
+ ewarn "users allowed to sniff your traffic."
+ echo
+ if use caps && use gtk; then
+ # http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2228
+ elog "Setting cap_kill on /usr/bin/wireshark"
+ setcap cap_kill=ep /usr/bin/wireshark
+ fi
+} |
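Review bot: `setcap cap_kill=ep /usr/bin/wireshark` in `pkg_postinst` gives CAP_KILL to the GUI binary, yet `src_install` restricts only `tshark` and `dumpcap` with `fowners 0:wireshark` / `fperms 6550`, so as far as this file shows any local user who can execute the GUI runs the whole dissector code base with the ability to signal arbitrary processes. That conflicts with the file's own warning not to run this code with privileges. If the capability stays as the workaround for the bug named in the comment, limit who can execute the binary in `src_install`, e.g. `use caps && use gtk && { fowners 0:wireshark /usr/bin/wireshark; fperms 0750 /usr/bin/wireshark; }`, and check the call, `setcap cap_kill=ep /usr/bin/wireshark || ewarn "setcap failed; stopping a capture from the GUI may not work"`. Separately, `fperms 6550 /usr/bin/tshark` leaves tshark setuid root although the postinst text says privileged calls were moved to dumpcap, so it is worth confirming that bit is still required.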