Wireshark · Wireshark-dev: Re: [Wireshark-dev] Wireshark on Kali linux

[João Valverde <joao.valverde@xxxxxxxxxxxxxxxxxx>]

On 06/02/19 17:31, Guy Harris wrote:
> On Feb 6, 2019, at 5:06 AM, Peter Wu <peter@xxxxxxxxxxxxx> wrote:
>
> > On Wed, Feb 06, 2019 at 12:46:20PM +0000, João Valverde wrote:
> >
> > > I have some doubts about the effectiveness and usefulness of this Lua
> > > sandbox. I didn't investigate in depth but it seems enabling/disabling the
> > > Lua runtime instead would be better, as dictated by policy (whatever that
> > > policy is).
> >
> > Setting "enable_lua = false" (formerly "disable_lua = true") already
> > prevents further Lua code from being executed. Likewise when
> > "run_user_scripts_when_superuser" is false and when started as root.
> >
> > I also question the utility of disabling the API, hence these patches:
> >
> > wslua: do not load console.lua when run as root
> > https://code.wireshark.org/review/31912
> >
> > wslua: do not partially disable the Lua API when run as root
> > https://code.wireshark.org/review/31913
> >
> > The first patch can be safely be backported and should fix the issue
> > raised by Kali Linux users. Worst-case, it disables the GUI menu option,
> > but it has no effect otherwise.
> >
> > The second patch removes the security theatre, but depends on the first
> > patch to effectively restrict execution of arbitrary user-supplied code.
> > It enables arbitrary execution of user-supplied code by default since
> > those who execute "tshark -Xlua_script:foo.lua" as root user (or via
> > sudo) will expect it to work.
> >
> > Finally, note that "started_with_special_privs()" also returns TRUE even
> > if the current user has no more privileges. Even if the Wireshark or
> > tshark executables were setuid root, these root privileges have already
> > been dropped via "relinquish_special_privs_perm()", long before it ever
> > gets to the Lua code.
>
> OK, so Wireshark and TShark are normally run in some form of user session, whether it's a GUI session or not; in those sessions, there's normally credentials (user and groups) for the logged-in user.

(...)

> So the question is whether we should print/pop up a message if TShark/Wireshark is running as root - and, if we do, whether we should have a compile or configuration option to disable that, so it can be disabled on Kali Linux or other OSes where you don't have much of a choice about whether to run them as root.

I think a warning for "running Wireshark/tshark as root is dangerous" is 
very appropriate. There is a legitimate discussion to be had on whether 
it should be more or less forceful and what to do about Kali.

But throwing a Lua runtime exception for root is not such a warning. 
That's just a bug in my opinion.

Furthermore if a user builds Wireshark without Lua no warning is emitted.