As with other systems using BPF, macOS allows users with read access to
the BPF devices to capture packets with libpcap and allows users with
write access to the BPF devices to send packets with libpcap.

On some systems that use BPF, the BPF devices live on the root file
system, and the permissions and/or ownership on those devices can be
changed to give users other than root permission to read or write those
devices.

On newer versions of FreeBSD, the BPF devices live on devfs, and devfs
can be configured to set the permissions and/or ownership of those
devices to give users other than root permission to read or write those
devices.

On macOS, the BPF devices live on devfs, but the macOS version of devfs
is based on an older (non-default) FreeBSD devfs, and that version of
devfs cannot be configured to set the permissions and/or ownership of
those devices.

Therefore, we supply:

	a "startup item" for older versions of macOS;

	a launchd daemon for Tiger and later versions of macOS;

Both of them will change the ownership of the BPF devices so that the
"admin" group owns them, and will change the permission of the BPF
devices to rw-rw----, so that all users in the "admin" group - i.e., all
users with "Allow user to administer this computer" turned on - have
both read and write access to them.

The startup item is in the ChmodBPF directory in the source tree. A
/Library/StartupItems directory should be created if it doesn't already
exist, and the ChmodBPF directory should be copied to the
/Library/StartupItems directory (copy the entire directory, so that
there's a /Library/StartupItems/ChmodBPF directory, containing all the
files in the source tree's ChmodBPF directory; don't copy the individual
items in that directory to /Library/StartupItems). The ChmodBPF
directory, and all files under it, must be owned by root. Installing
the files won't immediately cause the startup item to be executed; it
will be executed on the next reboot. To change the permissions before
the reboot, run

	sudo SystemStarter start ChmodBPF

The launchd daemon is the chmod_bpf script, plus the
org.tcpdump.chmod_bpf.plist launchd plist file. chmod_bpf should be
installed in /usr/local/bin/chmod_bpf, and org.tcpdump.chmod_bpf.plist
should be installed in /Library/LaunchDaemons. chmod_bpf, and
org.tcpdump.chmod_bpf.plist, must be owned by root. Installing the
script and plist file won't immediately cause the script to be executed;
it will be executed on the next reboot. To change the permissions
before the reboot, run

	sudo /usr/local/bin/chmod_bpf

or

	sudo launchctl load /Library/LaunchDaemons/org.tcpdump.chmod_bpf.plist

If you want to give a particular user permission to access the BPF
devices, rather than giving all administrative users permission to
access them, you can have the ChmodBPF/ChmodBPF script change the
ownership of /dev/bpf* without changing the permissions. If you want to
give a particular user permission to read and write the BPF devices and
give the administrative users permission to read but not write the BPF
devices, you can have the script change the owner to that user, the
group to "admin", and the permissions to rw-r-----. Other possibilities
are left as an exercise for the reader.

(NOTE: due to a bug in Snow Leopard, if you change the permissions not
to grant write permission to everybody who should be allowed to capture
traffic, non-root users who cannot open the BPF devices for writing will
not be able to capture outgoing packets.)
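The following script is an added example and is not libpcap's own chmod_bpf script or ChmodBPF startup item. It covers both ownership/mode layouts the text describes (group "admin" with rw-rw----, and a single user as owner with "admin" read-only at rw-r-----) and adds the check a defender wants before and after installing the daemon: an audit of every /dev/bpf* device against the chosen policy, so that a device left world-writable (anyone can inject packets) or assigned to the wrong group is flagged. The policy names, the function names, the sample user "alice" and the `ls -l` lines in the self-test are constructed for this example.

```shell
#!/bin/sh
# Added example, not libpcap's chmod_bpf script or ChmodBPF startup item.
# Audits (and, as root, applies) the BPF device ownership/mode policies
# described in README.macosx.  Policy names, function names and the
# sample user "alice" are assumptions made for this example.
#
#   admin-rw         group "admin", mode rw-rw----  (the README's default)
#   user-rw-admin-r  owner <user>, group "admin", mode rw-r-----
#                    (README caveat: on Snow Leopard, admin users who cannot
#                    open the devices for writing cannot capture outgoing packets)

# bpf_expected_mode POLICY -> prints the 9-character symbolic mode the policy requires
bpf_expected_mode() {
    case "$1" in
        admin-rw)        printf '%s\n' 'rw-rw----' ;;
        user-rw-admin-r) printf '%s\n' 'rw-r-----' ;;
        *)               return 1 ;;
    esac
}

# bpf_check_line POLICY OWNER GROUP LINE
# LINE is one line of `ls -l` output for a BPF device.  Prints a verdict and
# returns 0 if owner, group and mode all match the policy, 1 otherwise.
bpf_check_line() {
    ck_policy=$1; ck_owner=$2; ck_group=$3; ck_line=$4
    ck_want=$(bpf_expected_mode "$ck_policy") || { echo "unknown policy: $ck_policy" >&2; return 2; }
    # shellcheck disable=SC2086
    set -- $ck_line                           # fields: mode nlink owner group major, minor ... path
    ck_mode=$(printf '%s' "$1" | cut -c2-10)  # drop the leading 'c' and any trailing @ or +
    ck_have_owner=$3; ck_have_group=$4
    for ck_name; do :; done                   # the last field is the device path
    if [ "$ck_mode" != "$ck_want" ]; then
        echo "$ck_name: mode $ck_mode, policy $ck_policy wants $ck_want"; return 1
    fi
    if [ "$ck_have_owner" != "$ck_owner" ]; then
        echo "$ck_name: owner $ck_have_owner, wants $ck_owner"; return 1
    fi
    if [ "$ck_have_group" != "$ck_group" ]; then
        echo "$ck_name: group $ck_have_group, wants $ck_group"; return 1
    fi
    echo "$ck_name: ok"
}

# bpf_audit POLICY OWNER GROUP -> checks every /dev/bpf* on this machine
bpf_audit() {
    au_rc=0
    for au_dev in /dev/bpf*; do
        [ -e "$au_dev" ] || { echo "no BPF devices found" >&2; return 1; }
        bpf_check_line "$1" "$2" "$3" "$(ls -l "$au_dev")" || au_rc=1
    done
    return $au_rc
}

# bpf_apply POLICY OWNER GROUP -> sets ownership and mode; root only.
# As with the README's own script, a manual run lasts only until the next
# reboot; persistence comes from the startup item or the launchd plist.
bpf_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "bpf_apply must run as root (use sudo)" >&2; return 1; }
    case "$1" in
        admin-rw)        chgrp "$3" /dev/bpf* && chmod 0660 /dev/bpf* ;;   # rw-rw----
        user-rw-admin-r) chown "$2:$3" /dev/bpf* && chmod 0640 /dev/bpf* ;; # rw-r-----
        *)               echo "unknown policy: $1" >&2; return 2 ;;
    esac
}

# bpf_selftest -> runs the checker over constructed `ls -l` lines (no devices needed)
bpf_selftest() {
    bpf_check_line admin-rw root admin \
        'crw-rw----  1 root   admin   23,   0 Jan  1 00:00 /dev/bpf0' >/dev/null || return 1
    bpf_check_line user-rw-admin-r alice admin \
        'crw-r-----  1 alice  admin   23,   2 Jan  1 00:00 /dev/bpf2' >/dev/null || return 1
    # world-writable device: any local user could send packets -> must be flagged
    bpf_check_line admin-rw root admin \
        'crw-rw-rw-  1 root   wheel   23,   1 Jan  1 00:00 /dev/bpf1' >/dev/null && return 1
    # right mode, wrong group: admin users get no access at all -> must be flagged
    bpf_check_line admin-rw root admin \
        'crw-rw----  1 root   wheel   23,   3 Jan  1 00:00 /dev/bpf3' >/dev/null && return 1
    return 0
}

case "${1:-}" in
    selftest) bpf_selftest && echo "selftest passed" ;;
    audit)    bpf_audit "${2:-admin-rw}" "${3:-root}" "${4:-admin}" ;;
    apply)    bpf_apply "${2:-admin-rw}" "${3:-root}" "${4:-admin}" ;;
esac
```

Run `sh bpf_perms.sh selftest` anywhere, `sh bpf_perms.sh audit` (or `audit user-rw-admin-r alice admin`) on the Mac to see which devices deviate from the policy, and `sudo sh bpf_perms.sh apply` to set them. The audit reads the owner, group and mode from one `ls -l` line per device rather than calling a platform-specific `stat`, so the same checker works on the constructed lines in the self-test and on real devices.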