On 05/02/19 23:50, Guy Harris wrote:
> On Feb 5, 2019, at 2:52 PM, João Valverde <joao.valverde@xxxxxxxxxxxxxxxxxx> wrote:
>> On 05/02/19 16:48, Dario Lombardo wrote:
>> Possible solutions:
>> - don't enable this error for console.lua
>
> By which you presumably mean something more general, such as "don't enable this error for scripts that are distributed as part of Wireshark".

Something like that, but...

The risk with Lua scripts is privilege escalation, meaning running
user-writable Lua scripts as root. If Wireshark is installed with
user privileges to a user-writable prefix, for example PREFIX=/home, and
executed with root privileges, then that risk still exists for scripts
distributed as part of Wireshark and installed to $libdir (but the same
is true for binary plugins).

>> - don't try to run dofile(console.lua) if the user is root
>
> See previous comment, plus "is there a reason not to run console.lua if the user is root"?
> Or do you mean "run it with something other than dofile()" (which just removes the "plus" part)?

I meant not loading it at all with UID 0. Not sure what you are asking
here. Doing that will disable some GUI features; this may or may not be
acceptable.