Wireshark-commits: [Wireshark-commits] master-3.0 87f3c92: wslua: do not partially disable the Lua
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=87f3c92ed67ad80aac8ad4aad480ebe9faee576a
Submitter: "Peter Wu <peter@xxxxxxxxxxxxx>"
Changed: branch: master-3.0
Repository: wireshark
Commits:
87f3c92 by Peter Wu (peter@xxxxxxxxxxxxx):
wslua: do not partially disable the Lua API when run as root
Users should not be starting Wireshark as root user (sudo or root
login). If they do, then they can already execute arbitrary code via C
plugins, or read and write arbitrary files. Limiting the Lua API will
not really help these users to prevent breaking their system further.
Therefore remove all artificial restrictions and allow users to run
user-supplied scripts by default. If for whatever policy reason this
flag is set to false, then only Lua dissectors from the global system
directory are executed. It is their responsibility not to provide a free
root shell to the user.
Note that "running_superuser" will also be true if setuid root while the
effective and real user is no longer root. This happens due to
relinquish_special_privs_perm(). In this case, disabling the Lua API is
just annoying with no benefits.
Change-Id: Ie8a38e6160d861f02cbb70dcd1d90462153f4665
Link: https://www.wireshark.org/lists/wireshark-dev/201902/msg00004.html
Reviewed-on: https://code.wireshark.org/review/31913
Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@xxxxxxxxx>
Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
(cherry picked from commit 8d7876bace73983159237c635a988596f545c450)
Reviewed-on: https://code.wireshark.org/review/31925
Actions performed:
from 314cce7 wslua: do not load console.lua when run as root
add 87f3c92 wslua: do not partially disable the Lua API when run as root
Summary of changes:
epan/wslua/template-init.lua | 25 ++++++-------------------
1 file changed, 6 insertions(+), 19 deletions(-)