FS#16941 - [wireshark] 1.2.2-1 should install dumpcap suid root

Attached to Project: Arch Linux
Opened by Jed Liu (jed) - Saturday, 31 October 2009, 18:47 GMT
Last edited by Ionut Biru (wonder) - Thursday, 10 June 2010, 18:59 GMT
Task Type Feature Request
Category Packages: Extra
Status Closed
Assigned To Paul Mattal (paul), Andrea Scarpino (BaSh), Hugo Doria (hdoria)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 9
Private No

Details

Description:

Right now, to capture any packets, wireshark must be run as root. This isn't necessary if wireshark's dumpcap binary is installed in a certain way.

The wireshark package should create a wireshark group and install dumpcap as owned by root:wireshark with permission bits 6750. This would allow members of the wireshark group to capture packets in wireshark. This is done in Gentoo's wireshark package and seems like a good idea.
Closed by Ionut Biru (wonder)
Thursday, 10 June 2010, 18:59 GMT
Reason for closing: Implemented
Additional comments about closing: wireshark 1.2.9-1
Comment by Paul Mattal (paul) - Sunday, 06 December 2009, 17:28 GMT
This sounds pretty good to me.

Does anyone object to this setup?
Comment by Paul Mattal (paul) - Sunday, 06 December 2009, 17:41 GMT
Looks like we can't do this until the groupadd bug with shadow is resolved.
Comment by Thomas Bächler (brain0) - Sunday, 06 December 2009, 17:57 GMT
Before we install it as setuid-root, we should consider running "setcap cap_net_raw+ep /usr/bin/dumpcap" instead in a post_install. This will have the same effect, with less potential security implications.

It should still only be allowed for a restricted group.
Comment by Paul Mattal (paul) - Saturday, 06 February 2010, 23:34 GMT
In Feb 2010, I took the next step on the dependent bug. Once that's sorted out, will revisit this in March 2010.
Comment by Paul Mattal (paul) - Saturday, 06 March 2010, 22:13 GMT
With the bug closed for the issues with GIDs in shadow, it sounds like we could do a wireshark group, install dumpcap as root:wireshark with 0750 and also do the setcap that Thomas suggests, for extra security.
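The two install schemes discussed in this ticket, as an added example (this is not the Arch wireshark package's own .install script, and the function names are hypothetical). It takes from the thread the path /usr/bin/dumpcap, the wireshark group, and the modes 6750 (setuid root, group-restricted) and 0750 plus file capabilities. One assumption not in the thread: the setcap variant grants cap_net_admin alongside cap_net_raw, which is what Wireshark's own documentation recommends so that dumpcap can put an interface into promiscuous mode. classify_dumpcap is the permission check a packager or auditor would run against constructed or real stat/getcap output; apply_dumpcap_perms is the post_install step and refuses to run unless it is root.

```shell
#!/bin/sh
# Added example, not the Arch package's .install file.
# Assumed path and group name (both taken from the ticket discussion).
DUMPCAP=${DUMPCAP:-/usr/bin/dumpcap}
CAPGROUP=${CAPGROUP:-wireshark}

# classify_dumpcap MODE OWNER GROUP CAPS
#   MODE  octal bits as printed by `stat -c %a` (750, 0750, 6750, ...)
#   OWNER / GROUP  names as printed by `stat -c '%U %G'`
#   CAPS  the getcap output line for the file, or an empty string
# Prints "setuid" or "setcap" and returns 0 for an acceptable install,
# otherwise prints a reason and returns 1.
classify_dumpcap() {
  mode=$1 owner=$2 group=$3 caps=$4
  # normalise "750" to "0750" so both spellings compare equal
  case ${#mode} in
    3) mode=0$mode ;;
    4) ;;
    *) echo "bad-mode:$mode"; return 1 ;;
  esac
  [ "$owner" = root ] || { echo "bad-owner:$owner"; return 1; }
  [ "$group" = "$CAPGROUP" ] || { echo "bad-group:$group"; return 1; }
  # the "other" digit must be 0: with either scheme, anyone who can exec
  # the file gets the privilege, so world execute defeats the group restriction
  case $mode in
    ???0) ;;
    *) echo "world-accessible:$mode"; return 1 ;;
  esac
  case $mode in
    6750|4750)                  # setuid root (6750 also sets setgid)
      echo setuid; return 0 ;;
    0750)                       # no setuid: privilege must come from file caps
      # accept both getcap spellings:
      #   /usr/bin/dumpcap = cap_net_admin,cap_net_raw+ep   (older libcap)
      #   /usr/bin/dumpcap cap_net_admin,cap_net_raw=ep     (newer libcap)
      case $caps in
        *cap_net_raw*[+=]*) ;;
        *) echo "no-privilege:0750-without-caps"; return 1 ;;
      esac
      flags=${caps##*[+=]}      # flag letters after the last '+' or '='
      case $flags in
        *e*) echo setcap; return 0 ;;   # effective set present
        *) echo "caps-not-effective:$flags"; return 1 ;;
      esac ;;
    *) echo "unexpected-mode:$mode"; return 1 ;;
  esac
}

# apply_dumpcap_perms [setuid|setcap]
# The post_install step. Must run as root; creates the group if missing.
apply_dumpcap_perms() {
  scheme=${1:-setcap}
  [ "$(id -u)" -eq 0 ] || { echo "apply_dumpcap_perms: must run as root" >&2; return 1; }
  getent group "$CAPGROUP" >/dev/null || groupadd -r "$CAPGROUP"
  # chown first: changing the owner clears file capabilities along with
  # the setuid/setgid bits, so it has to precede chmod and setcap
  chown root:"$CAPGROUP" "$DUMPCAP"
  case $scheme in
    setuid) chmod 6750 "$DUMPCAP" ;;
    setcap) chmod 0750 "$DUMPCAP"
            setcap cap_net_raw,cap_net_admin+ep "$DUMPCAP" ;;
    *) echo "apply_dumpcap_perms: unknown scheme $scheme" >&2; return 1 ;;
  esac
}

# audit_dumpcap: classify the dumpcap actually installed on this host
audit_dumpcap() {
  [ -e "$DUMPCAP" ] || { echo "missing:$DUMPCAP"; return 1; }
  set -- $(stat -c '%a %U %G' "$DUMPCAP")
  caps=$(getcap "$DUMPCAP" 2>/dev/null)
  classify_dumpcap "$1" "$2" "$3" "$caps"
}
```

Run `audit_dumpcap` on an installed system to see which scheme is in effect; the classifier treats a world-executable dumpcap as wrong under both schemes, since file capabilities, like the setuid bit, are handed to every user who can execute the file, and only the 0 in the "other" position keeps the privilege limited to the wireshark group.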
Comment by orbisvicis (orbisvicis) - Sunday, 02 May 2010, 00:37 GMT