Wireshark and setcap

Hi,

I’m looking at creating a snap for wireshark. It shouldn’t be a big surprise that it does some unusual things!

I’ve got wireshark itself working in strict mode (by connecting all network related interfaces - it still needs narrowing down to what is actually required), but only when running as root.

One of the things the Debian packaging does is to (optionally) allow non-superusers the capability to capture packets. It does this by defining a wireshark group, then using setcap cap_net_raw,cap_net_admin=eip on its dumpcap executable. Only users in the wireshark group have executable permissions for dumpcap.

Is there anything that I can do to allow regular users to run the wireshark snap?

fscaps aren’t supported currently. For a non-service application, there isn’t currently a way to achieve what you are asking. If your snap was restructured to have a daemon execute the privileged commands, then you could conceivably have a non-root client talk to it over a mediated socket (where the daemon checks group membership), but I’m not sure how feasible that is for wireshark.
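The group check a daemon like the one described in the reply above could make on each client connection, as an added example that is not part of the thread and is not snapd or Wireshark code. The function names are hypothetical, and it assumes a Linux Unix-domain socket and the wireshark group from the original question.

```python
import grp
import pwd
import socket
import struct

CAPTURE_GROUP = "wireshark"  # group named in the thread
CRED_FMT = "iII"             # struct ucred: pid_t, uid_t, gid_t


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer, as recorded by the kernel."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(CRED_FMT))
    return struct.unpack(CRED_FMT, raw)


def uid_in_group(uid, gid, group_name):
    """True if gid is the group's gid or the user is listed as a member."""
    try:
        group = grp.getgrnam(group_name)
    except KeyError:
        return False  # group does not exist: deny
    if gid == group.gr_gid:
        return True
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        return False  # uid has no passwd entry: deny
    # Membership comes from the group database, not from the peer's
    # live supplementary groups, which SO_PEERCRED does not report.
    return user in group.gr_mem


def authorize(conn, group_name=CAPTURE_GROUP):
    """Decide from kernel-supplied credentials, never from client data."""
    _pid, uid, gid = peer_credentials(conn)
    return uid_in_group(uid, gid, group_name)


if __name__ == "__main__":
    # Constructed demo: a socketpair stands in for an accepted connection.
    daemon_end, client_end = socket.socketpair(socket.AF_UNIX)
    print("peer:", peer_credentials(daemon_end))
    print("may capture:", authorize(daemon_end))
```

The credentials are those captured when the socket was connected, so the daemon should run this check once per accepted connection before acting on any request.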

Ok, thanks. It seems as though that might be possible, but I don’t know at this point.

@ralight Did you manage to figure out a workaround for this? I am encountering a similar issue to this on one of my snap packages.

@NickZ sorry, I haven’t spent any more time looking into it so far.

It is a pity that the snap-in has not yet been implemented. I miss her.

@jdstrand is your answer still current? No support for fscaps in snaps? I have the same exact caps as @ralight that I’d like to set and setting up a daemon for the app to function properly on Linux seems like a hassle…

This is the current status, yes.