Wireshark-dev: Re: [Wireshark-dev] wireshark multi-platform setup memos

From: John Sullivan <jsethdev@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 24 Sep 2008 19:34:34 +0100
On Wednesday, September 24, 2008, 6:51:17 AM, Xiao Li wrote:
> Oh, I didn't know the trick of modifying the permission of dumpcap
> -Thanks for pointing this out.

If you setuid root dumpcap, you should probably make sure it's chowned
to root and chgrp it to a limited supplementary group containing only
those non-root users who should be able to capture, then use chmod it
mode 04750 (-rwsr-x---). (In that order, or the setuid bit will get
reset.) Unless you trust "nobody" and "webuser" of course...

(Incidentally, some distributions such as Fedora symlink
/usr/bin/wireshark to consolehelper or a similar GUI app which asks
for a root password to elevate the main wireshark process. The real
binary is put into /usr/sbin/wireshark. I find setuiding dumpcap and
resetting the symlink direct to the real wireshark binary much better.
Wireshark just doesn't work very well when its config file keeps
switching between root's and yours. I've tried pointing consolehelper
at dumpcap itself, but even after a bunch of fiddly config, that
appears to fail. Missing file descriptors by the time dumpcap gets
control, I think.)

> On Wed, Sep 24, 2008 at 12:50 AM, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:
>> You state that you need root access to build and run Wireshark. That is untrue
>> and potentially dangerous. First of all leave it out of the build, so:
>>
>> ... execute "./autogen.sh && ./configure" in command line....
>>
>> You can run Wireshark straight up, without becoming root, to read in capture
>> files. If you want to capture you can modify the permissions of dumpcap, the
>> capture utility, to setuid root. Then Wireshark can capture, without becoming root.

This is fine for capturing post-install, but I haven't found a way to
run wireshark direct from the build directory as non-root yet still be
able to capture.

(The problem being that running from the build dir uses a whole bunch
of LD_LIBRARY_PATH magic to make sure that you pick up the shared
libraries you've just built not the system ones, and that conflicts
with the suidness of dumpcap.)

John
-- 
Dead stars still burn