[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: wireshark deboconf template modification proposal

Bálint Réczey wrote:
> I would like to change the debconf template text for
> wireshark-common/install-setuid.
> 
> The rationale behind this change is that the instaler will use the
> Linux Capabilities Framework on Linux and setuid on kFreeBSD or on
> Hurd, and I did not want to go into details in the template text.

If I'm understanding this the right way round, you're proposing the
following unified diff:

> --- templates.svn-base	2010-06-19 23:19:17.000000000 +0100
> +++ templates	2010-06-19 23:19:18.000000000 +0100
> @@ -10,12 +10,15 @@
>  Template: wireshark-common/install-setuid
>  Type: boolean
>  Default: false
> -_Description: Should dumpcap be installed "setuid root"?
> - Dumpcap can be installed with the set-user-id bit set, so members of
> - the "wireshark" system group will have the privileges required to use it.
> +_Description: Should non-superusers be able to capture packets?
> + Dumpcap can be installed in a way that allows members of the "wireshark"
> + system group to capture packets. 
>   This way of capturing packets using Wireshark/Tshark is recommended
>   over the alternative of running them directly as superuser, because
>   less of the code will run with elevated privileges.
>   .
> + For more detailed information please see 
> + /usr/share/doc/wireshark-common/README.Debian.
> + .
>   Enabling this feature may be a security risk, so it is disabled by
>   default. If in doubt, it is suggested to leave it disabled.

In other words it's vaguer with a pointer to the details.  I only see
one problem with the phrasing: now that you no longer define how
wireshark group members get these permissions, there's nothing to
refer back to as "This way of capturing packets".  But you can
easily just trim that as well:

  Dumpcap can be installed in a way that allows members of the "wireshark"
  system group to capture packets. This is recommended over the
  alternative of running Wireshark/Tshark directly as superuser, because
  less of the code will run with elevated privileges.
 
(Revised template attached)
-- 
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package

# These templates have been reviewed by the debian-l10n-english
# team
#
# If modifications/additions/rewording are needed, please ask
# debian-l10n-english@lists.debian.org for advice.
#
# Even minor modifications require translation updates and such
# changes should be coordinated with translators and reviewers.

Template: wireshark-common/install-setuid
Type: boolean
Default: false
_Description: Should non-superusers be able to capture packets?
 Dumpcap can be installed in a way that allows members of the "wireshark"
 system group to capture packets. This is recommended over the
 alternative of running Wireshark/Tshark directly as superuser, because
 less of the code will run with elevated privileges.
 .
 For more detailed information please see 
 /usr/share/doc/wireshark-common/README.Debian.
 .
 Enabling this feature may be a security risk, so it is disabled by
 default. If in doubt, it is suggested to leave it disabled.
Reply to: