Wireshark-bugs: [Wireshark-bugs] [Bug 7672] New: dumpcap gives up write privileges too early

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Wed, 29 Aug 2012 05:29:18 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7672

           Summary: dumpcap gives up write privileges too early
           Product: Wireshark
           Version: 1.8.2
          Platform: x86
        OS/Version: Fedora
            Status: NEW
          Severity: Major
          Priority: Medium
         Component: TShark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: jsafrane@xxxxxxxxxx


Jan Šafránek <jsafrane@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #9011|                            |review_for_checkin?
              Flags|                            |

Created attachment 9011
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9011
proposed patch

Build Information:
TShark 1.8.2 (SVN Rev Unknown from unknown)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.32.4, with libpcap, with libz 1.2.5, with POSIX
capabilities (Linux), with SMI 0.4.8, with c-ares 1.7.5, with Lua 5.1, with
Python 2.7.3, with GnuTLS 2.12.17, with Gcrypt 1.5.0, with MIT Kerberos, with
GeoIP.

Running on Linux 3.5.2-1.fc17.x86_64, with locale en_US.UTF-8, with libpcap
version 1.2.1, with libz 1.2.5.

Built using gcc 4.7.0 20120507 (Red Hat 4.7.0-5).

--
On Fedora, we use NET_RAW and NET_ADMIN capabilities of /usr/sbin/dumpcap. When
root starts tshark -w file.pcap, dumpcap is forked and it relinquishes all it's
privileges *before* it opens file.pcap.

I.e. even though tshark/dumpcap was started by root, it cannot write its output
to read-only directories. This is something that root users don't expect.

There is a comment in dumpcap.c:main():

    /* 3. Running logged in as root (euid=0; ruid=0). Using libcap.      */
    /*    Action:                                                        */
    /*      - Near start of program: Enable NET_RAW and NET_ADMIN        */
    /*        capabilities; Drop all other capabilities;                 */
    /*      - If not -w  (ie: doing -S or -D, etc) run to completion;    */
    /*        else: after  pcap_open_live() in capture_loop_open_input() */
    /*         drop all capabilities (NET_RAW and NET_ADMIN);            */
    /*         (Note: this means that the process, although logged in    */
    /*          as root, does not have various permissions such as the   */
    /*          ability to bypass file access permissions).              */
    /*      XXX: Should we just leave capabilities alone in this case    */
    /*          so that user gets expected effect that root can do       */
    /*          anything ??                                              */

XXX has good point here. Attached patch moves the capabilities manipulation
after the output file was opened.

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.