Wireshark-dev: [Wireshark-dev] Lua error while running Wireshark as root (was: Re: Wireshark on

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Tue, 5 Feb 2019 23:07:25 +0100
On Tue, Feb 05, 2019 at 10:10:38AM -0800, Guy Harris wrote:
> On Feb 5, 2019, at 8:48 AM, Dario Lombardo <lomato@xxxxxxxxx> wrote:
> 
> > I know that the problem is how kali runs wireshark (as root) and that it should be avoided, but this is how kali works
> 
> Kali Linux has no user accounts, so you log in as root and thus everything runs as root?

That is correct:
https://docs.kali.org/policy/kali-linux-root-user-policy

The linked post workarounds an error on starting Wireshark by commenting
out the dofile call in init.lua (since it would fail anyway). Possible
approaches on fixing this error includes:

 - Check for running_superuser before trying loading console.lua.
 - Remove the superuser restriction for dofile.
 - Remove the superuser restrictions completely and permit access to the
   full Lua API (including os.execute, io.open, require, etc.)

The first option has a similar effect as the suggested workaround.
The second option is shipped by Fedora since 2009:
https://src.fedoraproject.org/cgit/rpms/wireshark.git/tree/wireshark-0001-enable-Lua-support.patch

The last option would permit *users* to invoke arbitrary commands as
root if they run Wireshark with sudo or as root user. I think that might
not be a bad idea after all:

 - Plugins (.so) can already be loaded, even when running as root.
   Limiting Lua only provides a limited form of "security" since you can
   already execute arbitrary code via C plugins.
 - The Lua check was added in commit f4c227852c (March 2006). At that
   time, tshark or wireshark might have required setuid root for capture
   privileges. This was changed in commit 92802883a6 (August 2007).
 - Downstream distributions like Fedora have already patched their
   systems to permit dofile. (but still limit require, os, etc.)

Proposal:

- Remove the "disable potentialy [sic] harmful lua functions" patch
  assuming that users know what they are doing when running
  tshark/wireshark as root.
- Set "run_user_scripts_when_superuser" to true by default, enabling
  root users to load scripts via the "-Xlua_script" option. Those who
  would like to limit Lua support when running as root could change this
  variable anyway.
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl