CS Lee wrote:
So since wireshark needs root privilege for initial launch,
...unless you're running on an OS (such as anything using BPF) where you
can grant non-root users privileges to capture packets.
maybe we
can have wireshark drop its privilege to another user (a wireshark user,
maybe),
If it can drop privileges, either
1) it can't regain them, in which case once it's done one capture, it
can't do any more
or
2) it can regain them, in which case if you can inject code into
Wireshark via a security vulnerability, that code can regain them.
However, Wireshark now uses dumpcap to do packet capture. If other
functions that require root privileges can also be done by that program,
Wireshark wouldn't need privileges - only dumpcap would need them.
See
http://wiki.wireshark.org/Development/PrivilegeSeparation
for some discussion about this.
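As an added illustration of the two outcomes described above (option 1, a drop that cannot be undone, versus option 2, a drop that leaves the saved uid 0 behind), here is a small C program. It is not code from this thread, from Wireshark or from dumpcap; it assumes Linux/glibc (or a BSD) with the setresuid/getresuid family, and uses uid/gid 65534 as a placeholder for the unprivileged account.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholder unprivileged account for the demonstration (an assumption, not a
   Wireshark default): 65534 is the conventional "nobody" uid/gid on Linux. */
#define DEMO_UNPRIV_ID 65534

/* Pick a uid/gid we can legally switch to: when the process already runs as
   root, use the placeholder "nobody" id; otherwise a non-root process may only
   "switch" to its own real id, which is still enough to exercise the checks. */
uid_t unprivileged_target_uid(void) { return geteuid() == 0 ? (uid_t)DEMO_UNPRIV_ID : getuid(); }
gid_t unprivileged_target_gid(void) { return getegid() == 0 ? (gid_t)DEMO_UNPRIV_ID : getgid(); }

/* Option 1 in the mail: drop for good. Setting real, effective AND saved ids
   leaves no saved uid 0 to return to, so a later seteuid(0) must fail.
   Supplementary groups are cleared first, because they survive setuid.
   Returns 0 on success, -1 with errno set on failure. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    uid_t r, e, s;
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Never trust the calls alone: read the ids back and confirm all three changed. */
    if (getresuid(&r, &e, &s) != 0) return -1;
    if (r != uid || e != uid || s != uid) { errno = EPERM; return -1; }
    return 0;
}

/* Option 2 in the mail: drop only the effective uid. The saved uid stays 0, so
   the process (or code injected into it) can call seteuid(0) again later. */
int drop_privileges_temporarily(uid_t uid) {
    return seteuid(uid);
}

/* Probe whether root can be regained. Returns 1 if the process is root or can
   become root again via seteuid(0), 0 if that is refused. Restores the previous
   effective uid so the probe itself has no lasting effect. */
int can_regain_root(void) {
    uid_t prev = geteuid();
    if (prev == 0) return 1;
    if (seteuid(0) == 0) {
        (void)seteuid(prev);
        return 1;
    }
    return 0;
}

/* Exercise the permanent path end to end. Returns 0 when it behaves as the
   mail says it should (no root, and no way back), a small code otherwise. */
int check_permanent_drop(void) {
    if (drop_privileges_permanently(unprivileged_target_uid(),
                                    unprivileged_target_gid()) != 0) return 1;
    if (geteuid() == 0) return 2;          /* still root: the drop did nothing */
    if (can_regain_root()) return 3;       /* a saved uid 0 was left behind */
    return 0;
}

int main(void) {
    printf("started as uid %u (euid %u)\n", (unsigned)getuid(), (unsigned)geteuid());
    int rc = check_permanent_drop();
    printf("after permanent drop: euid %u, can regain root: %s, result %d\n",
           (unsigned)geteuid(), can_regain_root() ? "yes" : "no", rc);
    return rc;
}
```

Run it as root to see the full transition; as an ordinary user it can only "switch" to its own id, and the probe reports that root is unobtainable either way. The point the thread is making lives in the difference between drop_privileges_permanently (real, effective and saved ids all replaced, then verified with getresuid) and drop_privileges_temporarily (effective id only): the second form is what lets a compromised process come back to uid 0, and the read-back check after the drop is the part a reviewer should insist on, since a failed setuid that goes unnoticed is worse than no drop at all.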