On Feb 22, 2008, at 2:48 PM, Bill Meier wrote:
> (I would normally have posted the analysis here, but since I started the
> analysis in the bug comments, I decided to continue the analysis there).
I'll respond to it here:
> 1. The problem as originally reported exists and can be seen by starting a
> wireshark capture to a file in a directory for which the user does not have
> write permission.
>
> The popup window says only: "Child capture process exited: exit status 2"
>
> Stderr shows:
> 16:34:47 Warn Unknown message from dumpcap, try to show it as a string: Error testing whether capture file is a pipe: Permission denied"
>
> (Would a user always see the stderr output someplace ??).
No, not necessarily. If Wireshark wasn't run from the command line,
its standard error might, or might not, be sent somewhere useful. (In
OS X I *think* it'd be sent to the console log file - that's true for
native GUI apps, but might not be true for X-based GUI apps run from,
for example, the X11.app "Applications" menu; I think it'd go down a
black hole in at least some X11-based desktops; I'm not sure where
it'd go on Windows.)
> 3. Looking at dumpcap: there are a number of messages output directly to stderr
> including those from errors while processing the command-line arguments. Many
> "should not happen" but there are a few (as above) which *can* happen during
> normal use of dumpcap by wireshark & tshark. In some cases these messages are
> output before dumpcap has even determined if it is running as a child such that
> (for the current code) it is too early to even determine if the 'special
> format' messages are required.
>
> 4. So: what's a fix ??
>
> I've not really worked on the "privilege separation" effort so I don't
> really understand the details of this code;
>
> However a solution might be as follows:
>
> a. Determine immediately upon dumpcap start-up whether dumpcap is running as a
> child. How to do this ? pre-parse the cmd-line args ?
That would be my inclination (just check for -Z, and, whenever
Wireshark or TShark runs dumpcap, pass it "-Z", possibly with
SIGNAL_PIPE_CTRL_ID_NONE as an argument to that flag).
> b. All dumpcap stderr messages (whether perror() or cmdarg_err() or ...
> must then use the special format if dumpcap is running as a child.
Note that cmdarg_err() in dumpcap *already* checks whether it's
running as a child; it just doesn't use the special format. I'd be
inclined to use sync_pipe_errmsg_to_parent() in that case.
As for perror(), I'd use cmdarg_err() instead, along with
strerror(errno).
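
A sketch of steps (a) and (b) from the exchange above, added here as an example; it is not dumpcap code and not from either poster. The 4-byte header (indicator byte plus 3-byte big-endian length), the `'E'` indicator, and the names `prescan_is_child` and `format_error` are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed framing for this sketch: indicator byte + 3-byte big-endian length. */
#define MSG_ERROR 'E'
#define HDR_LEN   4

/* Step (a): look for -Z before any other argument processing, so that even
   the earliest diagnostics know whether a parent is reading them. */
int prescan_is_child(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        if (strncmp(argv[i], "-Z", 2) == 0)
            return 1;
    return 0;
}

/* Step (b): one formatter used in place of perror(): "<what>: <strerror(err)>".
   Stand-alone: a plain text line. Child: a framed message the parent can parse.
   Returns the number of bytes placed in buf, or 0 if the message does not fit. */
size_t format_error(int is_child, const char *what, int err,
                    unsigned char *buf, size_t cap)
{
    char text[512];
    int n = snprintf(text, sizeof text, "%s: %s", what, strerror(err));
    if (n < 0 || (size_t)n >= sizeof text) return 0;
    if (!is_child) {
        if ((size_t)n + 1 > cap) return 0;
        memcpy(buf, text, (size_t)n);
        buf[n] = '\n';
        return (size_t)n + 1;
    }
    size_t len = (size_t)n + 1;            /* payload includes the NUL */
    if (len + HDR_LEN > cap) return 0;
    buf[0] = MSG_ERROR;
    buf[1] = (unsigned char)(len >> 16);
    buf[2] = (unsigned char)(len >> 8);
    buf[3] = (unsigned char)len;
    memcpy(buf + HDR_LEN, text, len);
    return len + HDR_LEN;
}

int main(int argc, char **argv)
{
    unsigned char out[600];
    int child = prescan_is_child(argc, argv);   /* decided before anything else */
    size_t n = format_error(child, "Error testing whether capture file is a pipe",
                            EACCES, out, sizeof out);
    fwrite(out, 1, n, stderr);
    return 1;
}
```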