Wireshark-dev: Re: [Wireshark-dev] [Fwd: [Wireshark-bugs] [Bug 1741] New: Privilege separation
From: Joerg Mayer <jmayer@xxxxxxxxx>
Date: Thu, 16 Aug 2007 01:52:12 +0200
On Wed, Aug 15, 2007 at 09:33:05AM -0700, Gerald Combs wrote:
> >> I still think that this stuff is the wrong approach: wireshark should
> >> not need root privileges and if you want to make sure that the program
> 
> > Do you mean Wireshark the UI or the capturing part?  At least on Solaris 
> > versions below 10 and Linux the capturing part must run as root.
> 
> That's exactly the problem I'm trying to solve.  Ever since the initial
> release, the standard practice for capturing on Unix/Linux systems has
> included the step "start Wireshark (or Ethereal) as root."  Our own
> User's Guide tells you to run Wireshark as root.  There's a Wireshark
> launcher for OS X that fires up X11 and runs Wireshark as root.  This
> practice is wrong, and it must stop.
> 
> Just to be clear: *This patch does not run Wireshark as root*.  Just the
> opposite, in fact.  If Wireshark catches you running it as root, it
> drops privileges *immediately*.

I am still not convinced that that's the right approach. If someone is
running wireshark as root user and root has a umask of 077 then that
user has any right to expect that he will be able to open files he
captured earlier. Also, I really don't like forcing people into such
stuff for wireshark and tshark. Dumpcap is a different thing. If you
really want to educate the users then please do exactly that, but don't
force your opinion on them. Print out a message (tshark) or pop up a
requester (wireshark) if these programs are run suid root that if they
want to run these tools as non-root users it is sufficient to suid root
dumpcap and remove suid from the other binaries (ok, that's not there
yet for tshark :) There needs to be a preference to permanently suppress
that message.

> > 1) tell them not to "sudo" but just install 'dumpcap' set-uid and run 
> > Wireshark as themselves (the popup helps here)
> 
> This is exactly what my proposed patch allows.  In this case, there
> would be no popup.

I don't mind the message (see above) but I don't like the forced drop
of privs.

Ciao
        Joerg
-- 
Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
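
The two situations argued over in this message (a binary installed set-uid root and started by an ordinary user, versus a program started by root itself) and the umask 077 objection, as an added C example that is not part of the original message and is not Wireshark's or the proposed patch's code. The function names, the uid 1000 and the file modes are constructed for illustration, and only the set-uid case is dropped because it has an obvious identity to return to.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum start_mode { START_UNPRIVILEGED, START_SETUID_ROOT, START_AS_ROOT };

/* Classify a process from its real and effective uid (hypothetical helper). */
enum start_mode classify_start(uid_t ruid, uid_t euid)
{
    if (ruid == 0)
        return START_AS_ROOT;   /* root login or sudo: real uid is already 0 */
    return euid == 0 ? START_SETUID_ROOT : START_UNPRIVILEGED;
}

/* Owner/group/other read check; ignores ACLs and supplementary groups. */
int mode_allows_read(uid_t f_uid, gid_t f_gid, mode_t mode, uid_t uid, gid_t gid)
{
    if (uid == 0)
        return 1;               /* root bypasses the mode bits */
    if (uid == f_uid)
        return (mode & S_IRUSR) != 0;
    if (gid == f_gid)
        return (mode & S_IRGRP) != 0;
    return (mode & S_IROTH) != 0;
}

/* Permanently give up set-uid root. Returns 0 on success or when there is
 * nothing to drop, -1 if the drop failed or could be undone. */
int drop_setuid_root(void)
{
    uid_t ruid = getuid();
    if (classify_start(ruid, geteuid()) != START_SETUID_ROOT)
        return 0;
    /* Group first, then user: with euid 0, setuid() resets real, effective
     * and saved uid together, so there is no way back afterwards. */
    if (setgid(getgid()) != 0 || setuid(ruid) != 0)
        return -1;
    if (setuid(0) == 0 || geteuid() != ruid)   /* verify it is irreversible */
        return -1;
    return 0;
}

int main(void)
{
    if (drop_setuid_root() != 0) { perror("drop_setuid_root"); return 1; }
    /* Constructed case: a capture saved by root under umask 077 is 0600 root:root. */
    printf("readable by uid 1000 after a drop: %d\n",
           mode_allows_read(0, 0, 0600, 1000, 1000));
    return 0;
}
```
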