> > Is there any way to make ethereal work as any user without setting
> > the SUID bit on it?
Yes, if you can somehow arrange that all users get the CAP_NET_RAW
capability set on their initial processes when they log in.
I've no idea whether this can be done on any given Linux distribution,
however; it'd seem extremely, well, stupid to provide this wonderful
multiple-capability-bit mechanism in the kernel without bothering to
provide any reasonably convenient way to *use* it, e.g. some way of
enumerating an account's capability bits in "/etc/passwd" or some
auxiliary file, and code in "login" and "{x,g,k}dm" and so on to look
that information up and set the appropriate bits, but the mere fact that
something would seem stupid doesn't mean it isn't the case anyway.
(Those operating systems on which the raw packet capture mechanism works
through a device with an entry in "/dev" are a bit better off here - on
BSD, for example, you could make "/dev/bpf*" publicly-readable to allow
all users to run packet capture programs such as Ethereal and tcpdump
and i_am_an_31337_h@x0r_and_can_sniff_passwords and so on, and, on
Solaris, at least, you can make the appropriate devices for various
network interfaces, such as "/dev/le" or "/dev/hme", readable and
writable.
See the man page for tcpdump, at the beginning, for full details,
although note that when it claims that read access is all that's
required on the devices in Solaris, they're mistaken, as libpcap opens
the devices for reading and writing.)
