Wireshark-dev: Re: [Wireshark-dev] [Fwd: [Wireshark-bugs] [Bug 1741] New: Privilege separation
From: Gerald Combs <[email protected]>
Date: Wed, 15 Aug 2007 09:33:05 -0700
Jeff Morriss wrote:
> Joerg Mayer wrote:
>> On Tue, Aug 14, 2007 at 03:43:07PM -0700, Gerald Combs wrote:
>>>> I think it is best (easiest for users) to have Wireshark run as the user
>>>> who started it instead of a special user.  Compiling it to run as a new
>>>> user called wireshark or other should be an option.
>>> As long as Wireshark is run as a regular user, that's the case with the
>>> patch.  If Wireshark is run with elevated privileges, an attempt is made
>>> to setuid to the user who called Wireshark. If that user turns out to be
>>> root, then Wireshark will setuid to the special user.  It'd probably
>>> make sense to pop up a notification dialog when this happens.
> 
> +1 for a popup.  I'm sure that no matter how many times I tell people 
> not to do it, they would not remember (old habits).
> 
>> I still think that this stuff is the wrong approach: wireshark should
>> not need root privileges and if you want to make sure that the program

> Do you mean Wireshark the UI or the capturing part?  At least on Solaris 
> versions below 10 and Linux the capturing part must run as root.

That's exactly the problem I'm trying to solve.  Ever since the initial
release, the standard practice for capturing on Unix/Linux systems has
included the step "start Wireshark (or Ethereal) as root."  Our own
User's Guide tells you to run Wireshark as root.  There's a Wireshark
launcher for OS X that fires up X11 and runs Wireshark as root.  This
practice is wrong, and it must stop.

Just to be clear: *This patch does not run Wireshark as root*.  Just the
opposite, in fact.  If Wireshark catches you running it as root, it
drops privileges *immediately*.

>> isn't run suid then it should check and pop up a notice that this is no
> 
> At least GTK1 disallows making the 'wireshark' binary set-uid.  I tried 
> and it complained (rightfully so) that GTK programs are too big and 
> complicated to be set-uid so it refused to run.  [That annoyed me to no 
> end since in the test lab environment I was doing that *everyone* has 
> root access, so I really don't care about security...]
> 
>> longer necessary and should not be done (and I don't really like that
>> approach as well, but it's way better than the proposed solution).
>> Also, how do you intend to handle the case where someone starts
>> wireshark with sudo and then wants to read a capture file that's owned
>> by root and cannot be accessed with users privileges?
> 
> And presumably someone with "sudo wireshark" privileges may not have 
> full root privileges with which to read that file?
> 
> Well, I see 2 answers:
> 
> 1) tell them not to "sudo" but just install 'dumpcap' set-uid and run 
> Wireshark as themselves (the popup helps here)

This is exactly what my proposed patch allows.  In this case, there
would be no popup.

> 2) (or) if we (Wireshark) were started as root and dropped privileges to 
> this "wireshark" user then (later, when we create files) make the 
> permissions on those files 666 or at least 644

I'm not sure this is a good idea.  Setting og+r on the capture files
would be a disclosure risk.  If Wireshark drops privileges to the
"wireshark" user, it means someone went out of their way to run
Wireshark incorrectly, either by running it as root, or by manually
making the executable setuid root.
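The startup policy Gerald describes above (drop to the user who invoked the program; if that user is root, drop to a special unprivileged account and flag that case for a notification) in C, as an added example that is not Wireshark's code and not the patch under discussion. The account name "wireshark", reading SUDO_UID to recover the caller under sudo, and the function names are assumptions made for this example.

```c
#define _DEFAULT_SOURCE 1          /* initgroups() prototype in <grp.h> on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed name of the unprivileged fallback account (the "special user"
 * in the thread); the real patch may use a different name. */
#define FALLBACK_USER "wireshark"

enum drop_action { DROP_NONE, DROP_TO_CALLER, DROP_TO_FALLBACK };

/* Pure policy: given effective uid, real uid and the uid sudo recorded in
 * SUDO_UID (-1 when absent), decide where to drop to.  Kept separate from
 * the syscalls so it can be exercised without running as root. */
enum drop_action choose_drop(uid_t euid, uid_t ruid, long sudo_uid, uid_t *target)
{
    uid_t caller;

    if (euid != 0) {                /* regular user: nothing to drop */
        *target = euid;
        return DROP_NONE;
    }
    /* A setuid-root binary still carries the caller's real uid; under sudo
     * both uids are 0, so fall back to what sudo recorded. */
    caller = (sudo_uid >= 0) ? (uid_t)sudo_uid : ruid;
    if (caller != 0) {
        *target = caller;
        return DROP_TO_CALLER;
    }
    *target = 0;                    /* caller is root: resolve FALLBACK_USER later */
    return DROP_TO_FALLBACK;
}

static long sudo_uid_from_env(void)
{
    const char *s = getenv("SUDO_UID");
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    v = strtol(s, &end, 10);
    return (*end == '\0' && v >= 0) ? v : -1;
}

/* Perform the drop.  Returns 0 on success, -1 on failure (the caller must
 * abort rather than carry on as root).  *used_fallback is set when the
 * special account was used: the case the thread says deserves a popup. */
int drop_privileges(int *used_fallback)
{
    uid_t target;
    struct passwd *pw;
    enum drop_action act;

    *used_fallback = 0;
    act = choose_drop(geteuid(), getuid(), sudo_uid_from_env(), &target);
    if (act == DROP_NONE)
        return 0;

    if (act == DROP_TO_FALLBACK) {
        pw = getpwnam(FALLBACK_USER);
        *used_fallback = 1;
    } else {
        pw = getpwuid(target);
    }
    if (pw == NULL || pw->pw_uid == 0) {
        fprintf(stderr, "no unprivileged account to drop to; refusing to run as root\n");
        return -1;
    }

    /* Order matters: supplementary groups, then gid, then uid.  Each step
     * needs the root privilege that the following step discards. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0)                  return -1;
    if (setuid(pw->pw_uid) != 0)                  return -1;

    /* Verify the drop is permanent: regaining root must now fail. */
    if (setuid(0) == 0 || geteuid() != pw->pw_uid || getuid() != pw->pw_uid)
        return -1;
    return 0;
}

int main(void)
{
    int used_fallback;

    if (drop_privileges(&used_fallback) != 0) {
        fprintf(stderr, "privilege drop failed\n");
        return 1;
    }
    if (used_fallback)      /* stand-in for the notification dialog */
        printf("Notice: started as root, now running as '%s'\n", FALLBACK_USER);
    printf("running as uid %ld\n", (long)geteuid());
    return 0;
}
```

Run as a regular user this is a no-op; under `sudo` it drops to the uid sudo recorded; started from a real root login it needs the fallback account to exist and otherwise refuses to continue. The final `setuid(0)` probe is the check worth keeping in any such code: a drop that only changed the effective uid (leaving the saved uid as 0) would pass the `geteuid()` comparison but still be reversible.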