Wireshark-users: Re: [Wireshark-users] [patch] drop privs in dumpcap if run setuid by non-root
From: Hank Leininger <[email protected]>
Date: Wed, 14 Feb 2007 17:59:08 -0500
On Tue, Feb 13, 2007 at 08:38:59AM +0100, Ulf Lamping wrote:
> Hank Leininger wrote:
> >
> >While on a plane back home I whipped up the attached patch to dumpcap to
> >drop elevated privileges as soon as the pcap socket has been opened.
> >Then I can create a 'sniffer' group, and chgrp sniffer, chmod 4110 the
> >dumpcap binary.  Tested for a whole five minutes, seems to work fine:
> 
> I've spent a lot of time carving dumpcap out into its own process, to 
> make the things you've explained actually possible. Please note that the 

Cool.  I realized as I was reading up that dumpcap separation seemed to
be a somewhat recent thing.

> Wireshark/dumpcap combination misses some things like the capture live 
> list and alike, which currently will call pcap functions directly. 

Hm, I'm afraid I'm too much of a wireshark n00b to know what you mean by
'capture live list'.  I didn't find anything by that name in the 0.99.5
sources.  Anyway, are these cases where you know there is some design
problem with migrating them to using dumpcap, or just cases where the
migration work isn't done yet, but is somewhere on the roadmap?

> As I'm a Win32 developer, I won't tweak the UNIX-specific things and 
> need help from other UNIX developers. Unfortunately, NONE of the UNIX 
> developers found the time / motivation to spend some time on this topic.
> 
> So basically I've dropped my effort on this completely, as I found no 
> assistance with this - only complaints "when will it be finished" - which 
> is not really motivating in itself ...

Hah!  Indeed not :(  Well, I can't promise massive time nor skills, but
will try to help if I can, as this is definitely valuable to me.  For a
first step:

> BTW: your patch will break Win32 compatibility, as setgid and the like 
> don't exist on Win32 (and probably not on all UNIX derivatives we 
> support either) - a simple #ifndef _WIN32 will solve this (for Win32, 
> but probably not for other UNIXes).

Attached is an updated patch that adds those ifdefs.  I'm fairly sure
this will work for any UNIX that's even vaguely POSIX-compliant, but if
one comes up I'll be happy to work on it.

Note, this patch does not necessarily make it safe to give an untrusted
user the ability to run a +s'ed dumpcap.  I _think_ that the "magic pipe
open" support in capture_loop_open_input (which is necessarily called
before privs are dropped) can be abused to read root-only files, etc,
and possibly worse.  I may try to address that next :-P

Thanks,

Hank Leininger <[email protected]>
F980 A584 5175 1996 DD7E  C47B 1A71 105C CB44 CBF8
--- wireshark-0.99.5/capture_loop.c	2007-02-01 18:01:47.000000000 -0500
+++ wireshark-0.99.5-hap/capture_loop.c	2007-02-14 17:55:09.000000000 -0500
@@ -1271,6 +1271,14 @@
     goto error;
   }
 
+#ifndef _WIN32
+  if (setgid(getgid()) != 0 || setuid(getuid()) != 0) {
+    g_snprintf(errmsg, sizeof(errmsg), "error dropping privileges: %s", strerror(errno));
+    *secondary_errmsg = '\0';
+    goto error;
+  }
+#endif /* _WIN32 */
+
   /* init the input filter from the network interface (capture pipe will do nothing) */
   switch (capture_loop_init_filter(ld.pcap_h, ld.from_cap_pipe, capture_opts->iface, capture_opts->cfilter)) {
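Review bot: the drop is in the right order (setgid() before setuid(), both return values checked), but nothing confirms afterwards that the drop is permanent; on a system where setuid() only changed the effective id, a later setuid(0) would still succeed. After the two calls, add a sanity check along the lines of `if (getuid() != 0 && setuid(0) == 0) goto error;` (reporting that privileges could be regained), and verify that `geteuid() == getuid()`. The block also uses errno and strerror(), so make sure capture_loop.c already includes <errno.h> and <string.h>; and since the guard is #ifndef, the closing comment would conventionally read `#endif /* !_WIN32 */`. Note that the hunk sits after capture_loop_open_input has returned, so whatever that function opened (the capture pipe mentioned in the mail) was opened with root's credentials; that is the limitation the mail already acknowledges rather than a defect in this hunk.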
 

Attachment: pgp34sGCYNJA_.pgp
Description: PGP signature
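As an added example (not Wireshark's or dumpcap's code, and not part of this mail), here is the privilege-drop sequence from the patch carried through with the checks a reviewer would ask for: dropping to the real uid/gid after the capture handle would have been opened, verifying that root cannot be regained, and, for the capture-pipe concern raised at the end of the mail, opening a user-supplied path with the invoking user's credentials before the permanent drop so a setuid-root binary cannot be pointed at root-only files. The function names drop_privileges and open_as_invoking_user, and the use of /dev/null as a stand-in for the pipe path, are this example's own assumptions.

```c
/* Added example, not dumpcap code: permanent privilege drop for a
 * setuid-root capture helper, plus opening a user-supplied path with the
 * invoking user's credentials.  Function names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* seteuid/setegid are POSIX.1-2001; declared here in case the compiler's
 * default feature macros hide them. */
int seteuid(uid_t);
int setegid(gid_t);

/* Permanently drop to the real uid/gid.  Returns 0 on success, -1 with
 * errno set on failure.  When the binary is not setuid, the calls are
 * no-ops.  Supplementary groups are inherited from the invoking user and
 * are not changed by the setuid bit, so nothing needs resetting there. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Group first: once the effective uid is no longer 0, setgid() to an
     * arbitrary group is no longer permitted. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: a non-root real user must not be able
     * to get uid 0 back (this succeeds if only the effective uid changed). */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Open a user-supplied path (e.g. a capture pipe) with the invoking user's
 * credentials, so a setuid-root binary cannot be used to read files the
 * user may not read.  Returns the fd, or -1 with errno set. */
int open_as_invoking_user(const char *path, int flags)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    /* Temporarily become the real user; the saved set-user-ID keeps root
     * available for the restore below. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;
    fd = open(path, flags);
    saved_errno = errno;
    /* Restore the privileged ids (uid first, so the gid change is allowed). */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        errno = EPERM;
        return -1;
    }
    errno = saved_errno;
    return fd;
}

int main(int argc, char **argv)
{
    /* "/dev/null" stands in for the capture pipe path a user would supply. */
    const char *pipe_path = argc > 1 ? argv[1] : "/dev/null";
    int fd = open_as_invoking_user(pipe_path, O_RDONLY);

    if (fd < 0) {
        fprintf(stderr, "open %s: %s\n", pipe_path, strerror(errno));
        return 1;
    }
    /* A real helper would open its pcap handle here, while still privileged. */
    if (drop_privileges() != 0) {
        fprintf(stderr, "error dropping privileges: %s\n", strerror(errno));
        close(fd);
        return 1;
    }
    printf("now running as uid %u (euid %u), gid %u (egid %u)\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    close(fd);
    return 0;
}
```

Run as an ordinary user the two calls are no-ops and the program simply reports its own ids; installed setuid root with the mail's chmod 4110 / chgrp sniffer scheme, open_as_invoking_user() fails with EACCES on a path the sniffer-group user cannot read, and drop_privileges() refuses to continue if the kernel did not make the uid change permanent.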