JP Abgrall | 511eca3 | 2014-02-12 13:46:45 -0800 | [diff] [blame] | 1 | As with other systems using BPF, Mac OS X allows users with read access |
| 2 | to the BPF devices to capture packets with libpcap and allows users with |
| 3 | write access to the BPF devices to send packets with libpcap. |
| 4 | |
| 5 | On some systems that use BPF, the BPF devices live on the root file |
| 6 | system, and the permissions and/or ownership on those devices can be |
| 7 | changed to give users other than root permission to read or write those |
| 8 | devices. |
| 9 | |
| 10 | On newer versions of FreeBSD, the BPF devices live on devfs, and devfs |
| 11 | can be configured to set the permissions and/or ownership of those |
| 12 | devices to give users other than root permission to read or write those |
| 13 | devices. |
| 14 | |
| 15 | On Mac OS X, the BPF devices live on devfs, but the OS X version of |
| 16 | devfs is based on an older (non-default) FreeBSD devfs, and that version |
| 17 | of devfs cannot be configured to set the permissions and/or ownership of |
| 18 | those devices. |
| 19 | |
| 20 | Therefore, we supply: |
| 21 | |
| 22 | a "startup item" for older versions of Mac OS X; |
| 23 | |
| 24 | a launchd daemon for Tiger and later versions of Mac OS X; |
| 25 | |
| 26 | Both of them will change the ownership of the BPF devices so that the |
| 27 | "admin" group owns them, and will change the permission of the BPF |
| 28 | devices to rw-rw----, so that all users in the "admin" group - i.e., all |
| 29 | users with "Allow user to administer this computer" turned on - have |
| 30 | both read and write access to them. |
| 31 | |
| 32 | The startup item is in the ChmodBPF directory in the source tree. A |
| 33 | /Library/StartupItems directory should be created if it doesn't already |
| 34 | exist, and the ChmodBPF directory should be copied to the |
| 35 | /Library/StartupItems directory (copy the entire directory, so that |
| 36 | there's a /Library/StartupItems/ChmodBPF directory, containing all the |
| 37 | files in the source tree's ChmodBPF directory; don't copy the individual |
| 38 | items in that directory to /Library/StartupItems). The ChmodBPF |
| 39 | directory, and all files under it, must be owned by root. Installing |
| 40 | the files won't immediately cause the startup item to be executed; it |
| 41 | will be executed on the next reboot. To change the permissions before |
| 42 | the reboot, run |
| 43 | |
| 44 | sudo SystemStarter start ChmodBPF |
| 45 | |
| 46 | The launchd daemon is the chmod_bpf script, plus the |
| 47 | org.tcpdump.chmod_bpf.plist launchd plist file. chmod_bpf should be |
| 48 | installed in /usr/local/bin/chmod_bpf, and org.tcpdump.chmod_bpf.plist |
| 49 | should be installed in /Library/LaunchDaemons. chmod_bpf, and |
| 50 | org.tcpdump.chmod_bpf.plist, must be owned by root. Installing the |
| 51 | script and plist file won't immediately cause the script to be executed; |
| 52 | it will be executed on the next reboot. To change the permissions |
| 53 | before the reboot, run |
| 54 | |
| 55 | sudo /usr/local/bin/chmod_bpf |
| 56 | |
| 57 | or |
| 58 | |
| 59 | sudo launchctl load /Library/LaunchDaemons/org.tcpdump.chmod_bpf.plist |
| 60 | |
| 61 | If you want to give a particular user permission to access the BPF |
| 62 | devices, rather than giving all administrative users permission to |
| 63 | access them, you can have the ChmodBPF/ChmodBPF script change the |
| 64 | ownership of /dev/bpf* without changing the permissions. If you want to |
| 65 | give a particular user permission to read and write the BPF devices and |
| 66 | give the administrative users permission to read but not write the BPF |
| 67 | devices, you can have the script change the owner to that user, the |
| 68 | group to "admin", and the permissions to rw-r-----. Other possibilities |
| 69 | are left as an exercise for the reader. |
| 70 | |
| 71 | (NOTE: due to a bug in Snow Leopard, if you change the permissions not |
| 72 | to grant write permission to everybody who should be allowed to capture |
| 73 | traffic, non-root users who cannot open the BPF devices for writing will |
| 74 | not be able to capture outgoing packets.) |