Wireshark-dev: Re: [Wireshark-dev] [Fwd: [Wireshark-bugs] [Bug 1741] New: Privilege separation

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Wed, 15 Aug 2007 09:33:14 -0400
Joerg Mayer wrote:
> On Tue, Aug 14, 2007 at 03:43:07PM -0700, Gerald Combs wrote:
>>> I think it is best (easiest for users) to have Wireshark run as the user
>>> who started it instead of a special user.  Compiling it to run as a new
>>> user called wireshark or other should be an option.
>> As long as Wireshark is run as a regular user, that's the case with the
>> patch.  If Wireshark is run with elevated privileges, an attempt is made
>> to setuid to the user who called Wireshark. If that user turns out to be
>> root, then Wireshark will setuid to the special user.  It'd probably
>> make sense to pop up a notification dialog when this happens.

+1 for a popup. I'm sure that no matter how many times I tell people not to do it, they would not remember (old habits).

> I still think that this stuff is the wrong approach: wireshark should
> not need root privileges and if you want to make sure that the program

Do you mean Wireshark the UI or the capturing part? At least on Solaris versions below 10 and Linux the capturing part must run as root.

> isn't run suid then it should check and pop up a notice that this is no

At least GTK1 disallows making the 'wireshark' binary set-uid. I tried and it complained (rightfully so) that GTK programs are too big and complicated to be set-uid, so it refused to run. [That annoyed me to no end since in the test lab environment I was doing that, *everyone* has root access, so I really don't care about security...]

> longer necessary and should not be done (and I don't really like that
> approach as well, but it's way better than the proposed solution).
> Also, how do you intend to handle the case where someone starts
> wireshark with sudo and then wants to read a capture file that's owned
> by root and cannot be accessed with users privileges?

And presumably someone with "sudo wireshark" privileges may not have full root privileges with which to read that file?

Well, I see 2 answers:

1) tell them not to "sudo" but just install 'dumpcap' set-uid and run Wireshark as themselves (the popup helps here)

2) (or) if we (Wireshark) were started as root and dropped privileges to this "wireshark" user then (later, when we create files) make the permissions on those files 666 or at least 644

(1) seems better to me but it does not help in situations where only a limited number of people have "sudo wireshark" rights

Another possibility would be to allow the non-privileged user (that Wireshark becomes after starting dumpcap) to be configured at run time. That might be messy, though.
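The privilege-drop rule discussed in the thread (drop to the invoking user; if that user is root, drop to a dedicated account instead) and Jeff's option (2) (create files the invoking user can still read after the drop), shown as an added example. This is not Wireshark's or dumpcap's code and not any of the posters' code; the service account name "wireshark", the function names and the /tmp file path are assumptions made for the example. It also shows the part the discussion leaves implicit: the group/uid ordering that makes the drop stick, and a check that root cannot be regained afterwards.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical name of the dedicated unprivileged account from the thread. */
#define SERVICE_USER "wireshark"

typedef enum { NO_DROP_NEEDED, DROP_TO_CALLER, DROP_TO_SERVICE_USER } drop_choice_t;

/* Decide where an elevated process should drop to, following the rule in the
 * thread: drop to the user who started the program; if that user is root, drop
 * to the service user instead. Under "sudo wireshark" the real uid is already
 * 0, so the service-user branch is the one taken, which is exactly why a
 * root-owned capture file becomes unreadable afterwards. */
drop_choice_t choose_drop_target(uid_t euid, uid_t ruid) {
    if (euid != 0) return NO_DROP_NEEDED;   /* not privileged at all */
    if (ruid != 0) return DROP_TO_CALLER;   /* set-uid start by a normal user */
    return DROP_TO_SERVICE_USER;            /* started by root (or via sudo) */
}

/* Resolve an account by name. Returns 0 on success, -1 if it does not exist;
 * a missing service account is a reason to refuse to run, not to stay root. */
int lookup_user(const char *name, uid_t *uid, gid_t *gid) {
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Irrevocably drop to uid/gid. Order matters: supplementary groups first, then
 * the gid, then the uid, because once the uid is no longer 0 the group calls
 * would fail. setuid() called by root changes real, effective and saved ids
 * together, so there is no way back; seteuid() alone would leave the saved uid
 * at 0. Returns 0 on success, -1 on failure (needs root to succeed). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* regaining root must fail */
    return 0;
}

/* Confirm from inside the process that root cannot be regained: 1 if the
 * process is unprivileged and setuid(0) is refused, 0 otherwise. */
int root_unreachable(void) {
    if (geteuid() == 0) return 0;
    return (setuid(0) == -1 && errno == EPERM) ? 1 : 0;
}

/* Jeff's option (2): files created after the drop are given mode 0644 so the
 * user who started the program can still read them. That leaves them
 * world-readable, which is the trade-off option (2) carries. mkstemp() rewrites
 * path_template in place. Returns the permission bits actually set, or -1. */
int create_shared_capture_file(char *path_template) {
    struct stat st;
    int fd = mkstemp(path_template);            /* created 0600 regardless of umask */
    if (fd < 0) return -1;
    if (fchmod(fd, 0644) != 0 || fstat(fd, &st) != 0) { close(fd); return -1; }
    close(fd);
    return (int)(st.st_mode & 07777);
}

int main(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    switch (choose_drop_target(geteuid(), getuid())) {
    case NO_DROP_NEEDED:
        puts("not privileged: nothing to drop");
        return 0;
    case DROP_TO_CALLER:
        puts("started set-uid by a normal user: dropping to the caller");
        break;
    case DROP_TO_SERVICE_USER:
        if (lookup_user(SERVICE_USER, &uid, &gid) != 0) {
            fprintf(stderr, "service user '%s' missing; refusing to run as root\n", SERVICE_USER);
            return 1;
        }
        printf("started as root: dropping to '%s' (uid %u)\n", SERVICE_USER, (unsigned)uid);
        break;
    }
    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }
    printf("dropped; root unreachable: %s\n", root_unreachable() ? "yes" : "no");
    return 0;
}
```

Run as a normal user it reports that there is nothing to drop; run set-uid root by a normal user it drops back to that user; started by root it resolves the service account and drops there. The decision is made on the real uid rather than on environment variables, so a process started through sudo is treated as started by root, which is the case Joerg's question about root-owned capture files is about.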