Wireshark-bugs: [Wireshark-bugs] [Bug 2228] Stop capture doesn't work
Date: Fri, 21 Mar 2008 02:49:07 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2228

--- Comment #10 from Bill Meier <wmeier@xxxxxxxxxxx>  2008-03-21 02:48:09 GMT ---
Ok: After some research and testing into stuff rather new to me I think this is
what is happening:

Summary
-------
    On my Fedora 8 ("out of the box") system, if a process has *any*
    special capabilities, then an attempt to kill (signal)
    that process from another process w/o privileges will fail
    (whether or not the ruid and rgid of each of the two processes
    is the same).

    I would guess that this is what is being discussed
    on the linux-security-module list.

Details
-------
On my Fedora 8 system: 
1. suid ping relinquishes privileges in what I now understand to be the 
   standard way (after taking the action which requires privilege):

    <privileged action>
    /* drop privileges */
    ruid=getuid();   /* gets real uid                    */
    setuid(ruid);    /* sets both real and effective uid */

    When this is done on a system with process capabilities, the effect is
    that the suid clears all the capability sets of the process.
    Thus: kill(signal) from another process with same ruid and rgid will work.

2. The current suid dumpcap does two things before "relinquishing
   (most) privileges":

    prctl(PR_SET_KEEPCAPS, TRUE, ...);
    <enable the CAP_NET_ADMIN & CAP_NET_RAW capabilities>

    ...
    setuid(ruid);

    Net result: the process euid and egid are "normal" but the process has
    certain special privileges.

    At this point, a kill (signal) from another unprivileged process 
    (whether with the same euid & egid or not) is "not allowed".

    I don't have any real suggestions at this point...
    (I suppose one could give Wireshark the CAP_KILL capability, but this
    seems rather tricky/messy, especially for systems without capset).

 ---------

Also: When using suid dumpcap with libcap
      I should note that I've now noticed that an attempt to close wireshark
      by clicking on the upper right 'x' in window ends up causing a
      loop wherein wireshark continually tries to send a SIGTERM to dumpcap
      every second or so.

      Clicking the upper right x a few more times finally causes 
      wireshark to exit.

      I've committed a small change to capture_sync.c to emit a message
      to the log if sending a signal to the child fails.
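Added illustration (not from the bug report or from Wireshark's code): a small C program that parses the capability masks out of /proc/<pid>/status, models the signal rule the comment describes, and carries out both privilege-dropping sequences (the plain setuid() one and the PR_SET_KEEPCAPS one). The capability bit numbers come from the Linux headers; signal_allowed() is a model of the comment's description, not the kernel's own check.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

#define CAP_KILL_BIT 5  /* <linux/capability.h>; CAP_NET_ADMIN is 12, CAP_NET_RAW 13 */

/* Pull one capability mask ("CapPrm:\t0000000000003000") out of the text of
 * /proc/<pid>/status. Returns UINT64_MAX if the key is not present. */
uint64_t parse_cap_mask(const char *status_text, const char *key)
{
    const char *p = strstr(status_text, key);
    if (p == NULL) return UINT64_MAX;
    return strtoull(p + strlen(key), NULL, 16);  /* strtoull skips the tab */
}

/* Same for the running process. On a dumpcap that will not take a signal,
 * a non-zero CapPrm after setuid() is the retained capability set. */
uint64_t my_cap_mask(const char *key)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return UINT64_MAX;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cap_mask(buf, key);
}

/* Model of the rule in the comment (not the kernel's code): an unprivileged
 * sender may signal a target only if the target's permitted set is empty,
 * unless the sender itself holds CAP_KILL. */
int signal_allowed(uint64_t sender_eff, uint64_t target_prm)
{
    if (sender_eff & (1ULL << CAP_KILL_BIT)) return 1;
    return target_prm == 0;
}

/* keep_caps = 0 is the ping style: setuid() away from root clears every set.
 * keep_caps = 1 is the dumpcap style: the permitted set survives setuid()
 * (the effective set is cleared and has to be re-raised with capset()). */
int drop_privileges(int keep_caps)
{
    if (prctl(PR_SET_KEEPCAPS, keep_caps, 0, 0, 0) != 0) return -1;
    return setuid(getuid());  /* sets real, effective and saved uid */
}

int main(void)
{
    drop_privileges(1);
    printf("CapPrm after setuid(): %016llx\n", (unsigned long long)my_cap_mask("CapPrm:"));
    return 0;
}
```

Run it as root or from a suid copy to see a non-zero CapPrm survive setuid(); as a plain user both sequences end with an empty set.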

