Add a script to change the permissions of /dev/bpf*, and a launchd plist

for it, for Mac OS X 10.4 and later.  (The script could be useful for
BPF-based systems that don't use devfs as well.) We're not installing it
at this point; that might happen later.

1 files changed, 19 insertions, 0 deletions

diff --git a/chmod_bpf b/chmod_bpf
new file mode 100755
index 00000000..0a30d993
--- /dev/null
+++ b/chmod_bpf
@@ -0,0 +1,19 @@
+#! /bin/sh
+
+#
+# Unfortunately, Mac OS X's devfs is based on the old FreeBSD
+# one, not the current one, so there's no way to configure it
+# to create BPF devices with particular owners or groups.
+# This startup item will make it owned by the admin group,
+# with permissions rw-rw----, so that anybody in the admin
+# group can use programs that capture or send raw packets.
+#
+# Change this as appropriate for your site, e.g. to make
+# it owned by a particular user without changing the permissions,
+# so only that user and the super-user can capture or send raw
+# packets, or give it the permissions rw-r-----, so that
+# only the super-user can send raw packets but anybody in the
+# admin group can capture packets.
+#
+chgrp admin /dev/bpf*
+chmod g+rw /dev/bpf*