Wireshark-dev: Re: [Wireshark-dev] Bug 2288: "Selecting multiple files...": Advice/thoughts req

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 22 Feb 2008 18:23:48 -0800

On Feb 22, 2008, at 2:48 PM, Bill Meier wrote:

(I would normally have posted the analysis here, but since I started the analysis in the bug comments, I decided to continue the analysis there).

I'll respond to it here:

1. The problem as originally reported exists and can be seen by starting a wireshark capture to a file in a directory for which the user does not have
write permission.

The popup window says only: "Child capture process exited: exit status 2"

Stderr shows:
16:34:47 Warn Unknown message from dumpcap, try to show it as a string: Error testing whether capture file is a pipe: Permission denied"

(Would a user always see the stderr output someplace ??).

No, not necessarily. If Wireshark wasn't run from the command line, its standard error might, or might not, be sent somewhere useful. (In OS X I *think* it'd be sent to the console log file - that's true for native GUI apps, but might not be true for X-based GUI apps run from, for example, the X11.app "Applications" menu; I think it'd go down a black hole in at least some X11-based desktops; I'm not sure where it'd go on Windows.)

3. Looking at dumpcap: there are a number of messages output directly to stderr including those from errors while processing the command-line arguments. Many "should not happen" but there are a few (as above) which *can* happen during normal use of dumpcap by wireshark & tshark. In some cases these messages are output before dumpcap has even determined if it is running as a child such that (for the current code) it is too early to even determine if the 'special
format' messages are required.

4. So: what's a fix ??

I've not really worked on the "privilege separation" effort so I don't
   really understand the details of this code;
   However a solution might be as follows:

a. Determine immediately upon dumpcap start-up whether dumpcap is running as a
child. How to do this ? pre-parse the cmd-line args ?

That would be my inclination (just check for -Z, and, whenever Wireshark or TShark runs dumpcap, pass it "-Z", possibly with SIGNAL_PIPE_CTRL_ID_NONE as an argument to that flag).

b. All dumpcap stderr messages (whether perror() or cmdarg_err() or ...
   must then use the special format if dumpcap is running as a child.

Note that cmdarg_err() in dumpcap *already* checks whether it's running as a child; it just doesn't use the special format. I'd be inclined to use sync_pipe_errmsg_to_parent() in that case.

As for perror(), I'd use cmdarg_err() instead, along with strerror(errno).