On Tue, Feb 05, 2019 at 10:10:38AM -0800, Guy Harris wrote:
> On Feb 5, 2019, at 8:48 AM, Dario Lombardo <lomato@xxxxxxxxx> wrote:
>
> > I know that the problem is how kali runs wireshark (as root) and that it should be avoided, but this is how kali works
>
> Kali Linux has no user accounts, so you log in as root and thus everything runs as root?
That is correct:
https://docs.kali.org/policy/kali-linux-root-user-policy
The linked post works around an error on starting Wireshark by commenting
out the dofile call in init.lua (since it would fail anyway). Possible
approaches to fixing this error include:
- Check for running_superuser before trying to load console.lua.
- Remove the superuser restriction for dofile.
- Remove the superuser restrictions completely and permit access to the
full Lua API (including os.execute, io.open, require, etc.)
The first option has a similar effect as the suggested workaround.
The second option has been shipped by Fedora since 2009:
https://src.fedoraproject.org/cgit/rpms/wireshark.git/tree/wireshark-0001-enable-Lua-support.patch
The last option would permit *users* to invoke arbitrary commands as
root if they run Wireshark with sudo or as root user. I think that might
not be a bad idea after all:
- Plugins (.so) can already be loaded, even when running as root.
Limiting Lua only provides a limited form of "security" since you can
already execute arbitrary code via C plugins.
- The Lua check was added in commit f4c227852c (March 2006). At that
time, tshark or wireshark might have required setuid root for capture
privileges. This was changed in commit 92802883a6 (August 2007).
- Downstream distributions like Fedora have already patched their
systems to permit dofile (but still limit require, os, etc.).
Proposal:
- Remove the "disable potentialy [sic] harmful lua functions" patch
assuming that users know what they are doing when running
tshark/wireshark as root.
- Set "run_user_scripts_when_superuser" to true by default, enabling
root users to load scripts via the "-Xlua_script" option. Those who
would like to limit Lua support when running as root could change this
variable anyway.
--
Kind regards,
Peter Wu
https://lekensteyn.nl
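An added example, not code from this thread or from the Wireshark project: a stand-alone Lua 5.1+ script that models the superuser sandbox of Wireshark's init.lua so the options discussed in the mail can be compared side by side. Only the global names running_superuser and run_user_scripts_when_superuser come from Wireshark; the policy names ("current", "guard", "fedora", "open"), apply_policy(), load_console() and probe() are hypothetical, and the console.lua stub it writes is a constructed stand-in for DATA_DIR .. "console.lua".

```lua
-- Added example (not from the wireshark-dev thread or the Wireshark project):
-- a model of the init.lua superuser sandbox with four policies.
--   "current": dofile, loadfile, require, os and io all denied; console.lua is
--              loaded unconditionally, which is the failure seen on Kali.
--   "guard"  : option 1 from the mail: same sandbox, but the console.lua load
--              is skipped when running as superuser.
--   "fedora" : option 2: dofile/loadfile kept, require/os/io still denied.
--   "open"   : option 3: no restrictions at all.
-- Run: lua sandbox_model.lua [current|guard|fedora|open]

running_superuser = true                -- constructed: pretend we run as root
run_user_scripts_when_superuser = false -- as in Wireshark's default init.lua

-- Captured before any restriction applies, so the demo can create and
-- remove its temporary file regardless of policy.
local real_os, real_io = os, io

local hint = " has been disabled because Wireshark is running as superuser"
local strict_policies = { current = true, guard = true }

-- Hypothetical helper: apply one of the policies above to the globals.
local function apply_policy(policy)
    if not running_superuser or policy == "open" then
        return                          -- nothing to restrict
    end
    -- Any field access on a disabled library raises instead of returning a
    -- function, so os.execute, io.popen and friends cannot be reached.
    local disabled_lib = setmetatable({}, {
        __index = function(_, name) error(tostring(name) .. hint, 2) end,
    })
    require = function(n)
        error("require('" .. tostring(n) .. "')" .. hint, 2)
    end
    os, io = disabled_lib, disabled_lib
    if strict_policies[policy] then
        -- What init.lua does today; this is what breaks the console.lua load.
        dofile   = function() error("dofile" .. hint, 2) end
        loadfile = function() error("loadfile" .. hint, 2) end
    end
end

-- Constructed stand-in for the bundled console.lua: a one-line script.
local function write_console_stub()
    local path = real_os.tmpname()
    local f = assert(real_io.open(path, "w"))
    f:write("return 'console.lua loaded'\n")
    f:close()
    return path
end

-- Hypothetical helper: load the bundled script under the given policy.
-- Under "guard" the load is skipped for superuser (option 1); every other
-- policy calls dofile unconditionally, as init.lua does.
local function load_console(policy, path)
    if policy == "guard" and running_superuser
       and not run_user_scripts_when_superuser then
        return false, "console.lua skipped while running as superuser"
    end
    return pcall(dofile, path)
end

-- Hypothetical helper: report whether console.lua loads and whether the os
-- library is still reachable (os.getenv is used as a harmless probe).
local function probe(policy)
    local path = write_console_stub()
    apply_policy(policy)
    local console_ok, detail = load_console(policy, path)
    local os_ok = pcall(function() return os.getenv("HOME") end)
    real_os.remove(path)
    return { console = console_ok, os_reachable = os_ok, detail = detail }
end

local policy = (arg and arg[1]) or "fedora"
local r = probe(policy)
print(string.format("policy=%-7s console.lua loads=%-5s os library reachable=%s",
      policy, tostring(r.console), tostring(r.os_reachable)))
if not r.console then
    print("  " .. tostring(r.detail))
end
```

Running it with "current" reproduces the Kali symptom (dofile raises while loading console.lua), "guard" and "fedora" both get past that point while keeping os/io/require unreachable, and "open" is the state the mail proposes for root, where nothing is denied. The metatable-based disabling is the same mechanism that makes os.execute unreachable in a restricted policy; note that it only guards the global tables, which is why the mail points out that C plugins already provide a way around it.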