Wireshark-bugs: [Wireshark-bugs] [Bug 10406] Need better mechanisms for allowing non-privileged

Date: Fri, 22 Aug 2014 23:45:50 +0000

changed bug 10406


What            Removed                                        Added
Status          UNCONFIRMED                                    CONFIRMED
Hardware        x86-64                                         All
Summary         Can't capture from wlan interface unless run   Need better mechanisms for allowing
                as root - but running as root gives warning    non-privileged users to capture network
                                                               traffic
Ever confirmed                                                 1
OS              Ubuntu                                         All

Comment # 1 on bug 10406 from
(In reply to teo8976 from comment #0)
> Why doesn't Wireshark simply ask for the sudo password in order to acquire
> the necessary privileges when needed, just as any other program in Ubuntu
> does?

Well, first of all, root, at least with sufficiently recent Linux kernels,
includes a lot of *unnecessary* privilege; it would be preferable to run
dumpcap (the program that actually does the capturing) with CAP_NET_RAW and
CAP_NET_ADMIN.

Then there's the question of whom we're trying to protect against.

In the old days of time-sharing machines, protection mechanisms protected the
system, and other users, against malicious users.  In particular, the
administrator of a system might not want to allow arbitrary users on the
machine to, for example, capture network traffic.

However, these days, protecting against malicious users is less important on
many machines, and protecting against malicious *software* is more important.

On a personal computer, you *might* want to prohibit other users whom you're
allowing to use the machine from capturing network traffic, but, if you've
installed a network sniffer program, you probably don't want to prohibit
yourself from doing so.

The "dpkg-reconfigure wireshark-common" mechanism suggested by

    http://anonscm.debian.org/viewvc/collab-maint/ext-maint/wireshark/trunk/debian/README.Debian?view=markup

(as linked to by the http://wiki.wireshark.org/CaptureSetup/CapturePrivileges
page) gives you that.

You might, however, also want to make sure that programs *other* than a few
"blessed" sniffers (tcpdump, Wireshark and its companions, Snort, etc.) don't
capture network traffic.

The "dpkg-reconfigure wireshark-common" mechanism does *not* give you that.  A
mechanism in which dumpcap isn't granted special privileges by default, and in
which Wireshark/TShark/etc. can run some helper program that runs another
program with sufficient privileges (and requires you to provide your password,
e.g. some GUI program for Wireshark and sudo for TShark/dumpcap itself) might
*somewhat* give you that, although you'd want to make sure it doesn't leave you
open to the dancing pigs problem:

    https://en.wikipedia.org/wiki/Dancing_pigs

Note that it should *NOT* run dumpcap with root privileges if it can, instead,
just grant it CAP_NET_RAW and CAP_NET_ADMIN privileges and have it able to
capture traffic.

(In the long run, perhaps libpcap should be split between device-opening and
control code, in a process that runs with whatever privileges it needs, and
hands file descriptors to the library, and a library that does what it can with
the file descriptor; that would further reduce the amount of code that needs to
run with special privileges, and might also allow other access control
mechanisms to be used, e.g. on OS X this might allow packet capture programs to
be distributed in the App Store without other App Store programs getting those
privileges.  But that's a longer-term project, and not a Wireshark project.)

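An added shell check, not part of the bug thread or of Wireshark's own code, for the least-privilege arrangement the comment describes: dumpcap carrying only CAP_NET_RAW and CAP_NET_ADMIN as file capabilities, restricted to a capture group, and not setuid root. The dumpcap path /usr/bin/dumpcap, the group name "wireshark" and the 0750-style mode are assumptions taken from the Debian setup the comment links to; the getcap output lines are constructed samples.

```shell
#!/bin/sh
# Added example (not from the bug thread or the Wireshark project): audit a
# capture helper (dumpcap, assumed at /usr/bin/dumpcap) for file capabilities
# cap_net_raw + cap_net_admin, no setuid root, execute limited to a group.

# check_dumpcap_caps LINE: LINE is one line of getcap output. Succeeds only if
# exactly cap_net_raw and cap_net_admin are granted, effective and permitted.
check_dumpcap_caps() {
    # Strip the path; libcap prints "path = caps+eip" or "path caps=eip".
    caps=$(printf '%s\n' "$1" | sed -e 's/^[^ ]* *=* *//')
    names=$(printf '%s\n' "$caps" | sed -e 's/[+=][a-z]*$//')
    flags=$(printf '%s\n' "$caps" | sed -n -e 's/.*[+=]\([a-z]*\)$/\1/p')
    case ",$names," in *,cap_net_raw,*) ;; *) return 1 ;; esac
    case ",$names," in *,cap_net_admin,*) ;; *) return 1 ;; esac
    # Any further capability is more privilege than packet capture needs.
    extra=$(printf '%s\n' "$names" | tr ',' '\n' |
            grep -v -e '^cap_net_raw$' -e '^cap_net_admin$' || true)
    [ -z "$extra" ] || return 1
    case $flags in *e*) ;; *) return 1 ;; esac   # effective
    case $flags in *p*) ;; *) return 1 ;; esac   # permitted
}

# check_dumpcap_mode MODE GROUP [WANT_GROUP]: MODE is octal as printed by
# "stat -c %a" (e.g. 750 or 2750), GROUP as printed by "stat -c %G".
check_dumpcap_mode() {
    mode=$1 group=$2 want=${3:-wireshark}
    if [ ${#mode} -eq 3 ]; then mode=0$mode; fi   # pad to special+rwx digits
    special=${mode%???} other=${mode#???}
    other=${other#??}
    # Setuid root hands the whole process root, which the comment says to avoid.
    case $special in *[4567]) return 1 ;; esac
    # No execute bit for "other": only capture-group members may run it.
    case $other in *[1357]) return 1 ;; esac
    [ "$group" = "$want" ]
}

# audit_dumpcap PATH: run both checks against a real binary (GNU stat, libcap).
audit_dumpcap() {
    bin=$1
    [ -f "$bin" ] || { echo "$bin: not found"; return 1; }
    status=0
    check_dumpcap_mode "$(stat -c %a "$bin")" "$(stat -c %G "$bin")" ||
        { echo "$bin: mode/group is not root:wireshark 0750-style"; status=1; }
    check_dumpcap_caps "$(getcap "$bin" 2>/dev/null)" ||
        { echo "$bin: capabilities are not exactly cap_net_raw,cap_net_admin=eip"; status=1; }
    [ $status -eq 0 ] && echo "$bin: least-privilege capture setup looks right"
    return $status
}
if [ $# -gt 0 ]; then audit_dumpcap "$1"; fi
```

Run it as `sh audit.sh /usr/bin/dumpcap` on the host; a non-zero exit means the binary is either over-privileged (setuid root or extra capabilities) or runnable by everyone.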