|
Rationale
Short Abstract: Installing the small dumpcap binary from wireshark-common suid root allows users to run wireshark itself, with all its complexety, as unprivileged users, thus possibly enhancing security.
I know Gentoo does install the dumpcap binary from wireshark suid root, and restricts access to a specific group. The rationale is that wireshark as a whole is rather complicated and thus likely to have security issues. Several such issues have been found in the past. dumpcap however is rather small, and can even drop most of its privileges pretty early. So running wireshark as a normal user and granting dumpcap access including suid root to trusted users seems sensible to me.
Wouldn't it be better to adopt this setup for Ubuntu as well, and remove those "run wireshark as root" items in the applications menu? You could use the admin group for people whom you'd wish to grant capture privileges, or you could introduce a new group.
I've tested the setup here on my system; a simple chgrp and chmod for dumpcap is enough. So it shouldn't be hard.
Tags:
(none)
|
|
Propose your solution
Attachments
No attachments.
Duplicates
Comments
|
dino
wrote on the 7 Oct 08 at 18:20
|
|
|
|
the problem is all user and so all programs can run this damn think as root then and can read all your traffic.
|
|
gagern
wrote on the 23 Oct 08 at 10:22
|
|
|
Nope, not all users, only the ones in the group you grant access to. If that group were "admin", then only users who can do anything in any case, with default Ubuntu sudo configuration.
I see a problem only if you let another person use your computer while logged in as an admin user, as in contrast to sudo running wireshark wouldn't require you to enter a password. But that's what guest accounts in Intrepid are for, right?
|
|
mk2337
wrote on the 22 Jul 09 at 15:17
|
|
|
I believe these are the commands that would make the permission changes you mentioned:
sudo chgrp admin /usr/bin/dumpcap
sudo chmod 4750 /usr/bin/dumpcap
|
|
rbalint
wrote on the 5 Dec 09 at 21:55
|
|
|
Please see the following Debian bug for the solution:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=544482
From 1.2.1-2, you can run wireshark as a normal user and capture traffic.
For instructions, see README.Debian [1].
[1] http://svn.debian.org/wsvn/collab-maint/ext-maint/wireshark/tags/1.2.1-2/debian /README.Debian
Copying contents here:
Capturing packets with Wireshark/Tshark
There are two ways of installing Wireshark/Tshark on Debian:
I. Installing dumpcap with SETUID bit set
Members of group wireshark will be able to capture packets on network
interfaces. This is the preferred way of installation if Wireshark/Tshark
will be used for capturing and displaying packets at the same time, since
that way only the dumpcap process has to be run with root privileges
thanks to the privilege separation[1].
Note that no user will be added to group wireshark automatically, the system
administrator has to add them manually.
II. Installing dumpcap without SETUID bit set
Only root user will be able to capture packets. It is advised to capture
packets with the bundled dumpcap program as root and then run Wireshark/Tshark
as an ordinary user to analyze the captured logs. [2]
The installation method can be changed anytime by running:
dpkg-reconfigure wireshark-common
[1] http://wiki.wireshark.org/Development/PrivilegeSeparation
[2] http://wiki.wireshark.org/CaptureSetup/CapturePrivileges
|
|
qlwik
wrote on the 16 Mar 11 at 14:32
|
|
|
|
It is only the matter of set right access rights to the folders.
|
Post your comment
|
