How to use POSIX capabilities to allow non-root users to perform network packet capturing on Linux
... because it seemed a sensible thing to do, but I couldn't find a single concise document saying how to do it! These instructions worked for me on a recent Debian testing installation, YMMV.
For specific users (or, the right way)

1. Install the tools:

   sudo aptitude install libcap2-bin

2. Grant the necessary programs the ability to inherit the CAP_NET_RAW capability when execed:

   sudo /sbin/setcap cap_net_raw+ei /usr/bin/dumpcap
   sudo /sbin/setcap cap_net_raw+ei /usr/sbin/tcpdump

   (dumpcap is the backend used by Wireshark.)

3. Add the pam_cap module to your authentication process, e.g. add something like:

   auth required pam_cap.so

   ... to the top of /etc/pam.d/common-auth.

4. Create /etc/security/capability.conf (using, for example, /usr/share/doc/libcap2-bin/examples/capability.conf as a template), and grant the desired users the CAP_NET_RAW privilege. For example:

   # needed to run packet sniffers
   cap_net_raw andrewb
For all users (or, the lazy/easy way)

Replace step 2 above with:

   sudo /sbin/setcap cap_net_raw+ep /usr/bin/dumpcap
   sudo /sbin/setcap cap_net_raw+ep /usr/sbin/tcpdump

... and skip the remaining steps. This means that every time these processes are execed, they will automatically acquire the CAP_NET_RAW capability, regardless of who runs them: any local user who can execute dumpcap or tcpdump can then capture traffic, with no pam_cap gate.
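To check which of the two setups a process actually ends up in, the following added example (not from the original post) decodes the CapInh/CapPrm/CapEff masks the kernel prints in /proc/<pid>/status and reports which sets contain CAP_NET_RAW. With the "+ei" method a user admitted by pam_cap should show it in CapInh only (the file capability on dumpcap/tcpdump raises it into the effective set at exec); with "+ep" nothing in the caller's sets is needed, which is exactly why that method opens capture to every user. The status lines in the script are constructed samples.

```shell
#!/bin/sh
# Added example, not the original post's code. CAP_NET_RAW is capability
# number 13 in the kernel's numbering (see <linux/capability.h>).
CAP_NET_RAW=13

# cap_set_has MASK_HEX CAPNUM: succeed if bit CAPNUM is set in the hex mask
# (masks look like the "CapEff: 0000000000002000" lines in /proc/<pid>/status)
cap_set_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# net_raw_sets STATUS_TEXT: print the names of the sets holding CAP_NET_RAW,
# space separated, e.g. "CapInh" or "CapInh CapPrm CapEff"; empty if none.
net_raw_sets() {
    out=
    for name in CapInh CapPrm CapEff; do
        mask=$(printf '%s\n' "$1" | sed -n "s/^$name:[[:space:]]*//p")
        [ -n "$mask" ] || continue
        if cap_set_has "$mask" "$CAP_NET_RAW"; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed sample status lines (not captured from a real system):
# a shell of a user listed in capability.conf, and one of an ordinary user.
USER_WITH_PAM_CAP='Name: bash
CapInh: 0000000000002000
CapPrm: 0000000000000000
CapEff: 0000000000000000'
USER_WITHOUT='CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000'

printf 'pam_cap user: [%s]\n' "$(net_raw_sets "$USER_WITH_PAM_CAP")"   # [CapInh]
printf 'plain user:   [%s]\n' "$(net_raw_sets "$USER_WITHOUT")"        # []

# On a live Linux system, inspect the shell you are running this from.
if [ -r /proc/$$/status ]; then
    printf 'this shell:   [%s]\n' "$(net_raw_sets "$(cat /proc/$$/status)")"
fi
```

Run it from a login shell of a user named in capability.conf: an empty result for "this shell" means pam_cap did not add CAP_NET_RAW to the inheritable set, and the "+ei" file capability will then not take effect.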