As with other systems using BPF, macOS allows users with read access to
the BPF devices to capture packets with libpcap and allows users with
write access to the BPF devices to send packets with libpcap.

On some systems that use BPF, the BPF devices live on the root file
system, and the permissions and/or ownership on those devices can be
changed to give users other than root permission to read or write those
devices.

On newer versions of FreeBSD, the BPF devices live on devfs, and devfs
can be configured to set the permissions and/or ownership of those
devices to give users other than root permission to read or write those
devices.

On macOS, the BPF devices live on devfs, but the macOS version of devfs
is based on an older (non-default) FreeBSD devfs, and that version of
devfs cannot be configured to set the permissions and/or ownership of
those devices.

Therefore, we supply:

	a "startup item" for older versions of macOS;

	a launchd daemon for Tiger and later versions of macOS.

Both of them will change the ownership of the BPF devices so that the
"admin" group owns them, and will change the permission of the BPF
devices to rw-rw----, so that all users in the "admin" group - i.e., all
users with "Allow user to administer this computer" turned on - have
both read and write access to them.

The startup item is in the ChmodBPF directory in the source tree.  A
/Library/StartupItems directory should be created if it doesn't already
exist, and the ChmodBPF directory should be copied to the
/Library/StartupItems directory (copy the entire directory, so that
there's a /Library/StartupItems/ChmodBPF directory, containing all the
files in the source tree's ChmodBPF directory; don't copy the individual
items in that directory to /Library/StartupItems).  The ChmodBPF
directory, and all files under it, must be owned by root.  Installing
the files won't immediately cause the startup item to be executed; it
will be executed on the next reboot.  To change the permissions before
the reboot, run

	sudo SystemStarter start ChmodBPF

The launchd daemon is the chmod_bpf script, plus the
org.tcpdump.chmod_bpf.plist launchd plist file.  chmod_bpf should be
installed in /usr/local/bin/chmod_bpf, and org.tcpdump.chmod_bpf.plist
should be installed in /Library/LaunchDaemons.  chmod_bpf, and
org.tcpdump.chmod_bpf.plist, must be owned by root.  Installing the
script and plist file won't immediately cause the script to be executed;
it will be executed on the next reboot.  To change the permissions
before the reboot, run

	sudo /usr/local/bin/chmod_bpf

or

	sudo launchctl load /Library/LaunchDaemons/org.tcpdump.chmod_bpf.plist

If you want to give a particular user permission to access the BPF
devices, rather than giving all administrative users permission to
access them, you can have the ChmodBPF/ChmodBPF script change the
ownership of /dev/bpf* without changing the permissions.  If you want to
give a particular user permission to read and write the BPF devices and
give the administrative users permission to read but not write the BPF
devices, you can have the script change the owner to that user, the
group to "admin", and the permissions to rw-r-----.  Other possibilities
are left as an exercise for the reader.

(NOTE: due to a bug in Snow Leopard, if you change the permissions not
to grant write permission to everybody who should be allowed to capture
traffic, non-root users who cannot open the BPF devices for writing will
not be able to capture outgoing packets.)
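The "particular user reads and writes, admin group only reads" variant described above, written as an added example script (it is not libpcap's own chmod_bpf script); the group, mode and device-glob arguments are assumptions for this example so the function can be exercised on ordinary files when not running as root.

```shell
#!/bin/sh
# Added example, not libpcap's chmod_bpf: make <user> the owner of the BPF
# devices, "admin" the group, and the mode rw-r----- (0640), so that user
# can capture and send while administrators can only capture.
#
# Usage: set_bpf_access <user> [group] [mode] [device-glob]
# Defaults: group=admin, mode=0640, device-glob=/dev/bpf*
# The device-glob argument is an assumption of this example; it lets the
# function be tested on regular files without root.

set_bpf_access() {
    user=$1
    group=${2:-admin}
    mode=${3:-0640}
    pattern=${4:-/dev/bpf*}

    if [ -z "$user" ]; then
        echo "usage: set_bpf_access <user> [group] [mode] [device-glob]" >&2
        return 2
    fi

    count=0
    for dev in $pattern; do          # unquoted on purpose: expand the glob
        [ -e "$dev" ] || continue    # unmatched glob stays literal; skip it
        chown "$user:$group" "$dev" || return 1
        chmod "$mode" "$dev" || return 1
        count=$((count + 1))
    done
    [ "$count" -gt 0 ]               # fail if nothing matched the glob
}

# Symbolic mode of one file (e.g. -rw-r-----), the same on BSD and GNU ls,
# so the outcome can be checked without reading /dev/bpf* as root.
bpf_mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Only act on the real devices when run directly as root with arguments.
if [ "$(id -u)" -eq 0 ] && [ -n "$1" ]; then
    set_bpf_access "$@"
fi
```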