[Bug 349782] New: AUDIT-0: wireshark - setuid installation
https://bugzilla.novell.com/show_bug.cgi?id=349782

Summary: AUDIT-0: wireshark - setuid installation
Product: openSUSE 11.0
Version: unspecified
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: prusnak@novell.com
QAContact: qa@suse.de
Found By: ---

---8<------8<------8<------8<------8<------8<------8<------8<---
From http://anonsvn.wireshark.org/wireshark/trunk/doc/README.packaging:
In versions up to and including 0.99.6, it was necessary to run Wireshark with elevated privileges in order to be able to capture traffic. With version 0.99.7, all function calls that require elevated privileges have been moved out of the GUI to dumpcap.

WIRESHARK CONTAINS OVER ONE POINT FIVE MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT.

There are two configure-time options on non-Windows systems that affect the privileges a normal user needs to capture traffic and list interfaces: "--enable-setuid-install" and "--with-libcap".

Setting "--enable-setuid-install" to "yes" will install TShark and dumpcap setuid root. This is necessary for non-root users to be able to capture on most systems, e.g. on Linux or FreeBSD if the user doesn't have permissions to access /dev/bpf*. It is disabled by default.

If the "--with-libcap" option is enabled, dumpcap will try to drop any setuid privileges it may have while retaining the CAP_NET_ADMIN and CAP_NET_RAW capabilities. It is enabled by default, and requires the Linux capabilities library.

Additionally, warnings are now displayed when Wireshark and TShark are run as root.

---8<------8<------8<------8<------8<------8<------8<------8<---

Should I package tshark and dumpcap as setuid or leave it as it is? (Meaning that user has to run wireshark GUI as root to be able to capture packets from interfaces).

If you decide for the change, please change the permissions file accordingly (/usr/bin/{dumpcap,tshark}).

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=349782

User krahmer@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=349782#c1

Sebastian Krahmer <krahmer@novell.com> changed:

What      |Removed   |Added
----------------------------------------------------------------------------
CC        |          |krahmer@novell.com

--- Comment #1 from Sebastian Krahmer <krahmer@novell.com> 2008-02-04 02:59:36 MST ---
I don't think we want to have wireshark or its helper binaries setuid. They link to a lot of libraries; users shouldn't be able to sniff traffic anyways. Wireshark is probably a good candidate for something like a chroot.
https://bugzilla.novell.com/show_bug.cgi?id=349782

User meissner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=349782#c2

Marcus Meissner <meissner@novell.com> changed:

What      |Removed   |Added
----------------------------------------------------------------------------
Status    |NEW       |RESOLVED
Resolution|          |FIXED

--- Comment #2 from Marcus Meissner <meissner@novell.com> 2008-03-31 03:35:11 MST ---
-> no setuid for wireshark due to bad record.

just use wireshark as root
https://bugzilla.novell.com/show_bug.cgi?id=349782

User prusnak@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=349782#c3

Pavol Rusnak <prusnak@novell.com> changed:

What      |Removed   |Added
----------------------------------------------------------------------------
Status    |RESOLVED  |REOPENED
Resolution|FIXED     |

--- Comment #3 from Pavol Rusnak <prusnak@novell.com> 2008-03-31 10:25:57 MST ---
Gentoo has the following flags for wireshark binaries:

-r-sr-s--- 1 root wireshark 46848 2008-03-16 19:21 /usr/bin/dumpcap
-rwxr-xr-x 1 root root 67552 2008-03-16 19:21 /usr/bin/rawshark
-r-sr-s--- 1 root wireshark 162200 2008-03-16 19:21 /usr/bin/tshark
-rwxr-xr-x 1 root root 1318388 2008-03-16 19:21 /usr/bin/wireshark

So the user has to be in group wireshark in order to sniff traffic. What about this solution?

PS: Wireshark now prints a message box "Running as user 'root' and group 'root. This could be dangerous' when running as root. Fortunately this dialog also contains a checkbox "Don't show this message again." :))
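Added example, not part of the original thread or of any distribution's tooling: a small Python audit that parses the `ls -l` listing quoted in Comment #3 and reports, for each binary, its octal mode and which users can execute it with the owner's effective uid. The function names are illustrative.

```python
import stat

# Listing copied from Comment #3 above (Gentoo's wireshark package).
GENTOO_LISTING = """\
-r-sr-s--- 1 root wireshark 46848 2008-03-16 19:21 /usr/bin/dumpcap
-rwxr-xr-x 1 root root 67552 2008-03-16 19:21 /usr/bin/rawshark
-r-sr-s--- 1 root wireshark 162200 2008-03-16 19:21 /usr/bin/tshark
-rwxr-xr-x 1 root root 1318388 2008-03-16 19:21 /usr/bin/wireshark
"""

def parse_mode(text):
    """Turn an `ls -l` mode string such as '-r-sr-s---' into mode bits."""
    perms = text[1:10]
    if len(perms) != 9:
        raise ValueError("bad mode string: %r" % text)
    mode = 0
    for i, ch in enumerate(perms):
        special = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)[i // 3]
        if i % 3 == 2 and ch in "sStT":
            mode |= special
            if ch in "ST":      # upper case: special bit set, execute bit clear
                continue
            ch = "x"
        if ch != "-":
            mode |= 1 << (8 - i)
    return mode

def audit(listing):
    """Return {path: (octal mode, who can run it with the owner's uid)}."""
    report = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        mode_text, owner, group, path = fields[0], fields[2], fields[3], fields[-1]
        mode = parse_mode(mode_text)
        if not mode & stat.S_ISUID:
            exposure = "not setuid"
        elif mode & stat.S_IXOTH:
            exposure = "setuid %s, any local user" % owner
        elif mode & stat.S_IXGRP:
            exposure = "setuid %s, group %s only" % (owner, group)
        else:
            exposure = "setuid %s, owner only" % owner
        report[path] = ("%04o" % mode, exposure)
    return report

if __name__ == "__main__":
    for path, (mode, exposure) in audit(GENTOO_LISTING).items():
        print(mode, path, exposure)
```

On the Gentoo listing, dumpcap and tshark come out as mode 6550 and reachable only by members of group wireshark, while the 1.3 MB GUI binary carries no special bits.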
https://bugzilla.novell.com/show_bug.cgi?id=349782

User krahmer@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=349782#c4

--- Comment #4 from Sebastian Krahmer <krahmer@novell.com> 2008-04-01 05:40:00 MST ---
It sounds plain stupid to me making network sniffers setuid root. There's a reason to drop privileges to nobody after opening packet socket etc, but only root should invoke such tools, e.g. there's no need for a s bit.
https://bugzilla.novell.com/show_bug.cgi?id=349782

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=349782#c5

--- Comment #5 from Ludwig Nussel <lnussel@novell.com> 2008-04-01 06:13:05 MST ---
Well, it does make sense to run the gui (which does the error prone packet disassembly) as non-root. That goal is reached by the s-bit. With that bit however there is no authentication of the privileged operation anymore. I am not convinced by the group approach either. Although we have a similar case already, mtr. It's setuid root for group dialout.
https://bugzilla.novell.com/show_bug.cgi?id=349782

User mmarek@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=349782#c6

--- Comment #6 from Michal Marek <mmarek@novell.com> 2008-04-01 06:21:00 MST ---
What about patching the gui to run xdg-su -c '/usr/bin/rawshark ...'?
https://bugzilla.novell.com/show_bug.cgi?id=349782

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=349782#c7

--- Comment #7 from Ludwig Nussel <lnussel@novell.com> 2008-04-01 06:43:04 MST ---
Does that work? Does wireshark communicate via stdin/stdout with the helper or does it use some external file/socket?
https://bugzilla.novell.com/show_bug.cgi?id=349782

User mmarek@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=349782#c8

--- Comment #8 from Michal Marek <mmarek@novell.com> 2008-04-01 06:46:42 MST ---
I don't know (yes, the fact that xdg-su discards stdout/stderr could be an obstacle).
https://bugzilla.novell.com/show_bug.cgi?id=349782

User mmarek@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=349782#c9

--- Comment #9 from Michal Marek <mmarek@novell.com> 2008-04-01 06:56:10 MST ---
OK, it's not rawshark but dumpcap and it uses (also) stdout. And it's run several times (to get the list of interfaces, to show the traffic on each interface and finally to capture), so xdg-su won't work here :-(
https://bugzilla.novell.com/show_bug.cgi?id=349782

User prusnak@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=349782#c10

Pavol Rusnak <prusnak@novell.com> changed:

What      |Removed   |Added
----------------------------------------------------------------------------
CC        |          |casualprogrammer@yahoo.com

--- Comment #10 from Pavol Rusnak <prusnak@novell.com> 2008-05-08 02:00:50 MST ---
*** Bug 387706 has been marked as a duplicate of this bug. ***
https://bugzilla.novell.com/show_bug.cgi?id=387706
https://bugzilla.novell.com/show_bug.cgi?id=349782

User casualprogrammer@yahoo.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=349782#c11

--- Comment #11 from Casual J. Programmer <casualprogrammer@yahoo.com> 2008-05-08 02:44:57 MST ---
As I pointed out in Bug 387706 Comment #2 there has to be a reason why wireshark (as well as other applications) think it's inappropriate to run them as root. So forcing them to run as root is probably causing more issues than it avoids. If creating a new group for them is not wanted (for whatever reason) any of the existing privileged groups could be used to that end.
https://bugzilla.novell.com/show_bug.cgi?id=349782

User prusnak@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=349782#c12

Pavol Rusnak <prusnak@novell.com> changed:

What      |Removed   |Added
----------------------------------------------------------------------------
CC        |          |andersen7@charter.net

--- Comment #12 from Pavol Rusnak <prusnak@novell.com> 2008-06-03 02:18:39 MDT ---
*** Bug 391805 has been marked as a duplicate of this bug. ***
https://bugzilla.novell.com/show_bug.cgi?id=391805
https://bugzilla.novell.com/show_bug.cgi?id=349782

Pavol Rusnak <prusnak@novell.com> changed:

What      |Removed   |Added
----------------------------------------------------------------------------
Found By  |---       |Development
https://bugzilla.novell.com/show_bug.cgi?id=349782

Thomas Biege <thomas@novell.com> changed:

What      |Removed   |Added
----------------------------------------------------------------------------
Severity  |Normal    |Minor
Priority  |P5 - None |P4 - Low
https://bugzilla.novell.com/show_bug.cgi?id=349782

User casualprogrammer@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=349782#c13

--- Comment #13 from Casual J. Programmer <casualprogrammer@gmail.com> 2009-01-14 11:16:23 MST ---
Are we collecting duplicates here, or is this going to be fixed eventually?