FS#16941 : [wireshark] 1.2.2-1 should install dumpcap suid root

FS#16941 - [wireshark] 1.2.2-1 should install dumpcap suid root

Attached to Project: Arch Linux
Opened by Jed Liu (jed) - Saturday, 31 October 2009, 18:47 GMT
Last edited by Ionut Biru (wonder) - Thursday, 10 June 2010, 18:59 GMT

Task Type	Feature Request
Category	Packages: Extra
Status	Closed
Assigned To	Paul Mattal (paul) Andrea Scarpino (BaSh) Hugo Doria (hdoria)
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	9 orbisvicis (orbisvicis) (2010-05-01) Matthias Dienstbier (fs4000) (2010-03-18) Daniel Micay (thestinger) (2010-02-10) James Conway (MuffinFlavored) (2010-01-23) Thomas Dziedzic (tomd123) (2009-12-06) Laszlo Papp (djszapi) (2009-11-07) Daniel Riedemann (darie) (2009-11-06) Smith Dhumbumroong (zodmaner) (2009-10-31) Jed Liu (jed) (2009-10-31)
Private	No

Details

Description:

Right now, to capture any packets, wireshark must be run as root. This isn't necessary if wireshark's dumpcap binary is installed in a certain way.

The wireshark package should create a wireshark group and install dumpcap as owned by root:wireshark with permission bits 6750. This would allow members of the wireshark group to capture packets in wireshark. This is done in Gentoo's wireshark package and seems like a good idea.

This task depends upon
~~FS#16092 - [shadow] groupadd always add system groups with gid=99~~

Closed by Ionut Biru (wonder)
Thursday, 10 June 2010, 18:59 GMT
Reason for closing: Implemented
Additional comments about closing: wireshark 1.2.9-1

Comment by Paul Mattal (paul) - Sunday, 06 December 2009, 17:28 GMT

This sounds pretty good to me.

Does anyone object to this setup?

Comment by Paul Mattal (paul) - Sunday, 06 December 2009, 17:41 GMT

Looks like we can't do this until the groupadd bug with shadow is resolved.

Comment by Thomas Bächler (brain0) - Sunday, 06 December 2009, 17:57 GMT

Before we install it as setuid-root, we should consider running "setcap cap_net_raw+ep /usr/bin/dumpcap" instead in a post_install. This will have the same effect, with less potential security implications.

It should still only be allowed for a restricted group.

Comment by Paul Mattal (paul) - Saturday, 06 February 2010, 23:34 GMT

In Feb 2010, I took the next step on the dependent bug. Once that's sorted out, will revisit this in March 2010.

Comment by Paul Mattal (paul) - Saturday, 06 March 2010, 22:13 GMT

With the bug closed for the issues with GIDs in shadow, it sounds like we could do a wireshark group, install dumpcap as root:wireshark with 0750 and also do the setcap that Thomas suggests, for extra security.

Comment by orbisvicis (orbisvicis) - Sunday, 02 May 2010, 00:37 GMT

http://wiki.wireshark.org/CaptureSetup/CapturePrivileges

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#16941 - [wireshark] 1.2.2-1 should install dumpcap suid root

Details

Loading...