Wireshark-bugs: [Wireshark-bugs] [Bug 10406] Need better mechanisms for allowing non-privileged
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Mon, 25 Aug 2014 09:34:44 +0000

changed bug 10406


What Removed Added
URL   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=544482
OS All Debian
Severity Major Minor

Comment # 7 on bug 10406 from 
Hi,

This has already been reported to Debian, adding the link.

(In reply to teo8976 from comment #2)
...
> 
> 
> As an example (just out of the top of my mind, but there are many others),
> consider what happens when I run apport to report a bug. At some point it
> asks me whether I want to include some logs that contain information that
> can help developers investigate the bug - but that also may potentially
> contain sensible information. When I choose Yes, it needs some privileges to
> read those files (now I don't know whether they are root or
> somewhere-below-root privileges), so it asks me for the password. And that's
> it. Where is the risk?
> If I let a guest use my computer, and he happens to run that program, even
> by mistake, he won't be able to grant it those privileges because he needs
> my sudo password. So, no possible attack by malicious user. And how could
> any malicious software (other than the one asking for the password and
> obtaining the privileges) possibly use those privileges?
> I think the same reasoning applies to Wireshark.
> Whoever I allow to occasionally use my computer without my supervision, even
> if he runs Wireshark, won't be able to grant it the privileges for capturing
> packets when asked to, unless he knows my password. 
> 
> 
> So, that's the mechanism that all programs needing special privileges use in
> Ubuntu, and the Ubuntu packaged version of wireshark should come with that
> mechanims by default. Of course the possibility to change that in favour of
> other mechanisms based on specific needs is much appreciated.
> 
> But what certainly cannot be the default is that:
> - you run the program normally and you are unable to do the most obvious
> thing you need the program for (capturing packets of your main network
> device) 
> - at first sight you don't have the slightest clue why and may waste a lot
> of time figuring out (not my case, I simply ran it as root so I got to the
> following point) (but I guess this is also covered somewhere in the help) 
> - if you do run it as root you're told you shouldn't and you're linked to an
> 8000 characters page that you need to read and fully understand in order to
> take the right decision just to get the obvious behavior that you would
> expect in the first place 
> 
> 
> If I understand correctly, the "usual ubuntu way" which I am claiming for
> should be this one, right?:
> > A mechanism in which dumpcap isn't granted special privileges by default, and in which Wireshark/TShark/etc. can run some helper program that runs another program with sufficient privileges (and requires you to provide your password, e.g. some GUI program for Wireshark and sudo for TShark/dumpcap itself) might *somewhat* give you that,
> 
> I don't quite get why "*somewhat*".
> 
> > although you'd want to make sure it doesn't leave you open to the dancing pigs problem:
> 
> I don't see how it could. If I understand correctly, the "dancing pig
> problem" is when security relies upon some prompt that is guaranteed to be
> displayed by the system regardless of the program that triggers that prompt,
> but a (malicious) program may trick the user into choosing the wrong option
> even if it can't hide the system's prompt/warning by adding some distracting
> or confusing information. Right? But here we're talking about Wireshark and
> only Wireshark asking for a permission. How could that in any way allow any
> other program to misuse that? Perhaps I'm missing something.
Patches are welcome if they solve the problem of asking form minimal set of
needed permissions. Simply sudo is a no-go for me.

> 
> 
> As an aside note:
> 
> ""
> I./a. Installing dumpcap without allowing non-root users to capture packets
> (...)
> This is the default on Debian systems.
> 
> I./b. Installing dumpcap and allowing non-root users to capture packets
> (...)
> This is the preferred way of installation if Wireshark/Tshark will be used
> for capturing and displaying packets at the same time
> ""
> 
> I see a contraddiction here. If I./b is the preferred way (if WS will be
> used for... which is the most common case), then why isn't it the default on
> Debian systems? (or at least strongly-desktop-oriented derivatives such as
> Ubuntu)
There is no real contradiction.
The preferred way is I./a. in general. Given that Debian's Policy dictates
minimal extra rights for programs I don't see the default changing.

However, the choice between a. and b. can be shown during the installation by
bumping the question's priority.
I think it would worth a try with next upload.

> 
> 
> 
> P.S.
> 
> "The installation method can be changed any time by running:
>  dpkg-reconfigure wireshark-common"
> 
> It's not entirely clear (to me at least) whether that command will switch to
> the "I./b" mode (which is what I guess when you say "the dpkg-reconfigure
> will give you that") or it will let you choose between any of those two
> modes (which is what I'd evince from the linked page).
It will let you choose.

You are receiving this mail because:
  • You are watching all bug changes.