Bug#703194: marked as done (kismet does not work in setuid mode)

Wed, 24 Apr 2013 21:51:16 -0700 

Your message dated Thu, 25 Apr 2013 04:48:15 +0000
with message-id <[email protected]>
and subject line Bug#703194: fixed in kismet 2013.03.R1b-1
has caused the Debian Bug report #703194,
regarding kismet does not work in setuid mode
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
703194: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703194
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: kismet
Version: 2011.03.R2-2
Severity: important

Dear Maintainer,

kismet fails to initialize the WLAN interface when installed in
setuid mode and started by a non-root user:

  ERROR: IPC child Source 'eth1' requires root permissions to open, but
         we're not running as root.  Something is wrong.

The user running kismet is in the kismet group:

  $ id
  uid=1000(uwe) gid=1000(uwe) groups=1000(uwe), .. ,138(kismet)

When started as user root kismet works.

None of the kismet binaries is installed setuid root:

  $ ls -l /usr/bin/kismet*
  -rwxr-xr-x 1 root root       259 Feb 27 02:01 /usr/bin/kismet
  -rwxr-xr-x 1 root kismet  632864 Feb 27 02:01 /usr/bin/kismet_capture
  -rwxr-xr-x 1 root root   1408668 Feb 27 02:01 /usr/bin/kismet_client
  -rwxr-xr-x 1 root root    740524 Feb 27 02:01 /usr/bin/kismet_drone
  -rwxr-xr-x 1 root root   1426268 Feb 27 02:01 /usr/bin/kismet_server

Instead capabilities are used:

$ getcap /usr/bin/kismet*
/usr/bin/kismet_capture = cap_net_admin,cap_net_raw+eip

When I manually set the suid bit on /usr/bin/kismet_capture
kismet works for non-root users too.

Maybe a required capability is missing?

Also, I'm not a capability expert, but shouldn't the permissions
on /usr/bin/kismet_capture set to 0750 so that only members of the
group kismet are able to execute the program and not anybody else?

Regards

Uwe


-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (750, 'testing'), (650, 'unstable'), (500, 'testing-updates')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages kismet depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  dpkg                   1.16.9
ii  libc6                  2.13-38
ii  libcap2                1:2.22-1.2
ii  libcap2-bin            1:2.22-1.2
ii  libgcc1                1:4.7.2-5
ii  libncurses5            5.9-10
ii  libnl-3-200            3.2.7-4
ii  libnl-genl-3-200       3.2.7-4
ii  libpcap0.8             1.3.0-1
ii  libpcre3               1:8.30-5
ii  libstdc++6             4.7.2-5
ii  libtinfo5              5.9-10

kismet recommends no packages.

Versions of packages kismet suggests:
ii  festival        1:2.1~release-5.1
ii  gpsd            3.6-4
ii  kismet-plugins  2011.03.R2-2

-- Configuration Files:
/etc/kismet/kismet.conf changed [not included]

The only difference in the config file is the ncsource entry:
ncsource=eth1:type=ipw2200

-- debconf information:
* kismet/install-setuid: true
* kismet/install-users: uwe

--- End Message ---
--- Begin Message --- 
Source: kismet
Source-Version: 2013.03.R1b-1

We believe that the bug you reported is fixed in the latest version of
kismet, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nick Andrik <[email protected]> (supplier of updated kismet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 25 Apr 2013 03:58:02 +0200
Source: kismet
Binary: kismet kismet-plugins
Architecture: source amd64
Version: 2013.03.R1b-1
Distribution: unstable
Urgency: low
Maintainer: Nick Andrik <[email protected]>
Changed-By: Nick Andrik <[email protected]>
Description: 
 kismet     - wireless sniffer and monitor - core
 kismet-plugins - wireless sniffer and monitor - plugins
Closes: 703194
Changes: 
 kismet (2013.03.R1b-1) unstable; urgency=low
 .
   * New upstream release
   * libnl3 support
     - Remove debian/patches/support_for_libnl3, included upstream
   * plugin hardening support
     - Add support for PLUGINCXXFLAGS in configure.in
     - Specify PLUGINCXXFLAGS in debian/rules
     - Update debian/patches/fix_makefile patch to use PLUGINCXXFLAGS
     - Update configure file, since we patch configure.in
   * Also include restricted plugins
     - Add appropriate rules in debian/rules
   * Capabilities are used for suid dropping only, they cannot be used to avoid
     suid altogether (Closes: #703194)
     - Update debian/kismet.postinst
   * Explicitly declare manpages to be installed
     - Add debian/kismet.manpages
   * Update debian/watch url to also include letters
Checksums-Sha1: 
 2719fc8dcc65f981fa8f2a7ac2ed6cd94e196915 2104 kismet_2013.03.R1b-1.dsc
 c77b92bf5d589b79281271e96724ef96032a162b 935437 kismet_2013.03.R1b.orig.tar.gz
 4a6fc10a83190b30679eb2912d89eda246f401c0 28099 
kismet_2013.03.R1b-1.debian.tar.gz
 07364f1c3050456b965b7a762628c3508400101d 1917608 kismet_2013.03.R1b-1_amd64.deb
 826f0aa8dbf1d1469ba35f4371f5e9758decd301 185690 
kismet-plugins_2013.03.R1b-1_amd64.deb
Checksums-Sha256: 
 6214d6255143d382d8bb19ad3d1071c3b32651a056fa16859ea9e850999b2053 2104 
kismet_2013.03.R1b-1.dsc
 c0bb8a8f47061e2ffc965b0557bab9a1b3d63b5a50b744663f66518aec7fbc77 935437 
kismet_2013.03.R1b.orig.tar.gz
 28a15e70b8a313597bf2864e81b21d057420d07fdfd23249b6c84ce4890d2f8c 28099 
kismet_2013.03.R1b-1.debian.tar.gz
 70345f356cce5e4413b52da1322ce595c51ad62b2889658417936b6e3a18b7a8 1917608 
kismet_2013.03.R1b-1_amd64.deb
 e388ab5359cee609da57d377e021d9c5e97a98c7e3821f84b305a7cc701cedae 185690 
kismet-plugins_2013.03.R1b-1_amd64.deb
Files: 
 fa1b8e7a420c5f40fe44298590cfe2f7 2104 net optional kismet_2013.03.R1b-1.dsc
 6cdcd78baf2e15edbe8a9de3c5493f02 935437 net optional 
kismet_2013.03.R1b.orig.tar.gz
 c45bf52aee5a6d9fa72eb23bfbd3229a 28099 net optional 
kismet_2013.03.R1b-1.debian.tar.gz
 1f534a786a0c17f8bfc746ea482a1ed9 1917608 net optional 
kismet_2013.03.R1b-1_amd64.deb
 e7f24ebd67a97ea29510565e2bb85039 185690 net optional 
kismet-plugins_2013.03.R1b-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIbBAEBCAAGBQJReLI6AAoJEHQmOzf1tfkTHH8P9RkM0D1SVNElk1WGw8X963nt
g4FJm5tNFy7/9wP0Kv8lY4s/qn39BP4ULMR8eAD53S5KSwOHbe8qEVuC7IyuZQGZ
Z7hEF1pu6iQcHLOfVq1JukSI4sY6F8qWf56TPVHFMx7aWnn4YZcqHgzw7/jxzIJS
zW26VhYUFBeouVDCdnt6ea9XP3OXThcZ01rV6jHZZ+nzPVLjnlV/MPF6wOgYCQ+g
9FlriGlSk+yIF9Oe2S3Xqd6DJRt1FvxlETkocl3A+o+sQIUUO1JITjeLSTehJb8X
J0fK9489HrHfYy+5SpyCHdKUXLi2N1lSGHIGDpY5IfLRrkbBci0VrGCDkBh/9KmM
FFj/8AvRC6/X4KjjMxqFH8nEoWgikKFu/AoU6xP3SB8WJr6ElN+9ztRLMyP83Hf7
pRC/lwC0GuMSk3XnPN/ySD86V7NcZF9nHhFTxa4jyBws7vxKM4jwKGAlrwCU8Mv7
RI7tqVjbcfQB5sqEQiytyqMjl9+R8Fx2EfkDNGcySDp06sgebzt6ViewT342yJQs
l+BKhLut5TNdeZ+NwkhOEW2tLKfPG7CEMrB3fnD+cgnojsZk1IhSQbxRdtGLU5We
kGd9j8rzhecUWMRw+mVqYbBBpyhT1C8C1FSRYNwRFAY8f7bw7zvoCEyog3qeVBmL
M68yyyMcsNAyy51GXh8=
=C7JD
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to