Popular ideas: here are the most popular ideas ever about Wireshark.

Install wireshark's dumpcap suid root
Written by gagern on 6 Oct 08 at 18:47.
Short Abstract: Installing the small dumpcap binary from wireshark-common suid root allows users to run wireshark itself, with all its complexity, as unprivileged users, thus possibly enhancing security.

I know Gentoo does install the dumpcap binary from wireshark suid root, and restricts access to a specific group. The rationale is that wireshark as a whole is rather complicated and thus likely to have security issues. Several such issues have been found in the past. dumpcap however is rather small, and can even drop most of its privileges pretty early. So running wireshark as a normal user and granting dumpcap access including suid root to trusted users seems sensible to me.

Wouldn't it be better to adopt this setup for Ubuntu as well, and remove those "run wireshark as root" items in the applications menu? You could use the admin group for people whom you'd wish to grant capture privileges, or you could introduce a new group.

I've tested the setup here on my system; a simple chgrp and chmod for dumpcap is enough. So it shouldn't be hard.
7 votes
Solution #1: Auto-generated solution of idea #14140
Written by gagern on 6 Oct 08 at 18:47.
Ubuntu Brainstorm was updated in January 2009. Since the idea #14140 was submitted before this update, its rationale and solution are not separated. Please vote accordingly, and if you have the necessary rights, please separate the rationale from the solution. Thanks!
2 votes
Solution #2: Install dumpcap suid root, limit access to special group
Written by KlfJoat on 2 Dec 09 at 15:07.
(I'm assembling this solution from others' ideas. This is an issue for me, and would be simple to fix!!!)

Wireshark's developers strongly recommend against running as root. As of 9.10, Wireshark installs to menu with no root option, making it useless.

Installing the small dumpcap binary from wireshark-common suid root allows users to run wireshark itself, with all its complexity, as unprivileged users, thus possibly enhancing security.

sudo chgrp GROUPNAME /usr/bin/dumpcap
sudo chmod 4750 /usr/bin/dumpcap
5 votes
Solution #3: Use filesystem capabilities
Written by gerald.combs on 26 Jan 10 at 20:01.
Wireshark only needs the CAP_NET_ADMIN and CAP_NET_RAW privileges for capture. Making dumpcap setuid root is one way to get those privileges but on more recent Ubuntu releases you can also use file capabilities:

# groupadd packetcapture
# chmod 750 /usr/bin/dumpcap
# chgrp packetcapture /usr/bin/dumpcap
# setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
# setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark

'setcap' is part of the libcap2-bin package. The same approach could be used for nmap, snort, Kismet, and any other application that uses libpcap.
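As an added example (not part of this page, nor a Wireshark or Ubuntu tool), a small POSIX shell audit that classifies how a capture helper such as dumpcap or tshark has been privileged, separating a world-executable setuid binary from the group-restricted setuid layout of Solution #2 and the file-capabilities layout of Solution #3. It assumes GNU stat(1) and, for the capability check, getcap(1) from libcap2-bin; the classification function itself only takes strings, so it can be exercised with constructed values.

```shell
#!/bin/sh
# Classify how a capture helper (dumpcap, tshark) has been privileged.
# Inputs: four-digit octal mode (e.g. 4750), file owner, and the capability
# string as printed by getcap ("" when the file carries none). Output, one word:
#   setuid-world    setuid root and executable by everyone (the layout to avoid)
#   setuid-group    setuid root, execute limited to the owning group (Solution #2)
#   filecaps-group  no setuid; cap_net_raw file capability, group-limited (Solution #3)
#   filecaps-world  cap_net_raw file capability but world-executable
#   unprivileged    neither setuid root nor capabilities: only root can capture
classify_capture_binary() {
    mode=$1 owner=$2 caps=$3
    suid=0
    case "$mode" in 4???) suid=1 ;; esac          # leading 4 = setuid bit
    others=${mode#"${mode%?}"}                     # last octal digit = "others"
    world_exec=0
    case "$others" in 1|3|5|7) world_exec=1 ;; esac
    has_caps=0
    case "$caps" in *cap_net_raw*) has_caps=1 ;; esac
    if [ "$suid" -eq 1 ] && [ "$owner" = root ]; then
        if [ "$world_exec" -eq 1 ]; then echo setuid-world; else echo setuid-group; fi
    elif [ "$has_caps" -eq 1 ]; then
        if [ "$world_exec" -eq 1 ]; then echo filecaps-world; else echo filecaps-group; fi
    else
        echo unprivileged
    fi
}

# Read the real attributes of an installed binary (GNU stat; getcap from
# libcap2-bin when present) and classify them. Prints "missing" if the path
# does not exist, so the audit can be pointed at both dumpcap and tshark.
audit_installed() {
    bin=$1
    [ -e "$bin" ] || { echo missing; return 0; }
    mode=$(printf '%04d' "$(stat -c %a "$bin")")  # %a includes the setuid bit
    owner=$(stat -c %U "$bin")
    group=$(stat -c %G "$bin")
    caps=""
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$bin" 2>/dev/null | sed 's/^[^ ]* //')   # drop the path
    fi
    echo "$bin ($mode $owner:$group) $(classify_capture_binary "$mode" "$owner" "$caps")"
}

# Usage: sh audit_capture.sh /usr/bin/dumpcap /usr/bin/tshark
for path in "$@"; do
    audit_installed "$path"
done
```

A result of setuid-world or filecaps-world means any local user can capture; the expected outcome after either solution above is setuid-group or filecaps-group, with the owning group restricted to the users who should capture.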
