On 06/02/19 17:31, Guy Harris wrote:
On Feb 6, 2019, at 5:06 AM, Peter Wu <peter@xxxxxxxxxxxxx> wrote:
On Wed, Feb 06, 2019 at 12:46:20PM +0000, João Valverde wrote:
I have some doubts about the effectiveness and usefulness of this Lua
sandbox. I didn't investigate in depth but it seems enabling/disabling the
Lua runtime instead would be better, as dictated by policy (whatever that
policy is).
Setting "enable_lua = false" (formerly "disable_lua = true") already
prevents further Lua code from being executed. Likewise when
"run_user_scripts_when_superuser" is false and when started as root.
I also question the utility of disabling the API, hence these patches:
wslua: do not load console.lua when run as root
https://code.wireshark.org/review/31912
wslua: do not partially disable the Lua API when run as root
https://code.wireshark.org/review/31913
The first patch can safely be backported and should fix the issue
raised by Kali Linux users. Worst-case, it disables the GUI menu option,
but it has no effect otherwise.
The second patch removes the security theatre, but depends on the first
patch to effectively restrict execution of arbitrary user-supplied code.
It enables arbitrary execution of user-supplied code by default since
those who execute "tshark -Xlua_script:foo.lua" as root user (or via
sudo) will expect it to work.
Finally, note that "started_with_special_privs()" also returns TRUE even
if the current user has no more privileges. Even if the Wireshark or
tshark executables were setuid root, these root privileges have already
been dropped via "relinquish_special_privs_perm()", long before it ever
gets to the Lua code.
OK, so Wireshark and TShark are normally run in some form of user session, whether it's a GUI session or not; in those sessions, there are normally credentials (user and groups) for the logged-in user.
(...)
So the question is whether we should print/pop up a message if TShark/Wireshark is running as root - and, if we do, whether we should have a compile or configuration option to disable that, so it can be disabled on Kali Linux or other OSes where you don't have much of a choice about whether to run them as root.
I think a warning for "running Wireshark/tshark as root is dangerous" is
very appropriate. There is a legitimate discussion to be had on whether
it should be more or less forceful and what to do about Kali.
But throwing a Lua runtime exception for root is not such a warning.
That's just a bug in my opinion.
Furthermore, if a user builds Wireshark without Lua no warning is emitted.
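
The thread distinguishes between a process that was started with special privileges and one that still holds them after a permanent drop. The following C sketch is an added example that is not part of any message in this thread and is not Wireshark's code; the type and function names (`creds`, `started_elevated`, `currently_elevated`, `drop_to_real_ids`) are hypothetical, and the checks are a simplified model that does not inspect saved IDs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* IDs captured once at startup, before any privilege drop (hypothetical type). */
struct creds { uid_t ruid, euid; gid_t rgid, egid; };

/* Startup-time question: was the process launched as root or set-ID? */
static bool started_elevated(const struct creds *c)
{
    return c->ruid != c->euid || c->rgid != c->egid ||
           c->ruid == 0 || c->rgid == 0;
}

/* Present-time question: does the process hold elevated IDs right now? */
static bool currently_elevated(const struct creds *c)
{
    return c->euid == 0 || c->egid == 0 ||
           c->euid != c->ruid || c->egid != c->rgid;
}

/* Permanent drop to the real IDs: group first, then user. */
static int drop_to_real_ids(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    return 0;
}

/* Read the live real and effective IDs of this process. */
static struct creds snapshot(void)
{
    struct creds c = { getuid(), geteuid(), getgid(), getegid() };
    return c;
}

int main(void)
{
    struct creds at_start = snapshot();
    if (drop_to_real_ids() != 0) {
        perror("drop");
        return 1;
    }
    struct creds now = snapshot();
    printf("started elevated: %d, elevated now: %d\n",
           started_elevated(&at_start), currently_elevated(&now));
    return 0;
}
```

For a set-ID binary launched by an ordinary user, the startup snapshot stays "elevated" while the live IDs after the drop are not; for a process launched directly as root, dropping to the real IDs changes nothing and both answers remain true.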