Frederic Peters <[EMAIL PROTECTED]> writes:

> severity 453292 wishlist
> thanks
>
> Ferenc Wagner wrote:
>
>> root) the program can write into it.  Maybe it's by design, but it took
>> me quite some time to find the capset() call in the strace, which I can
>> at least blame for this behaviour.  Or maybe I'm wrong.
>
> It drops everything but capture capability, this is a hard call but
> given the successive security problems with wireshark I believe it
> is safer not to allow anything else.
>
> Perhaps it would be nice to add a --dont-drop-capabilities flag; I
> won't make it this week but I'll keep the report open so I don't
> forget about it.

Hmm.  Perhaps the error message could mention this.  And setuid
invocation (real uid != effective uid) could also be taken into
account.  Or maybe it is, currently, I didn't test.  And I definitely
won't install wireshark with the setuid bit set, after reading the
above. :)
-- 
Thanks,
Feri.
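
The capability drop discussed in this thread, as an added example that is not part of the original messages and is not Wireshark's own code: it shrinks the process to a capture-only set with raw `capset()` and shows why a root process then fails to open a read-only file for writing. Assumptions: "capture capability" is taken to mean `CAP_NET_RAW` plus `CAP_NET_ADMIN`, and the helper names and the `/tmp` path are hypothetical.

```c
/* Added example, Linux only; not code from Wireshark. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Assumption: "capture capability" means CAP_NET_RAW + CAP_NET_ADMIN. */
uint32_t capture_only_mask(void) {
    return (1u << CAP_NET_RAW) | (1u << CAP_NET_ADMIN);
}

int has_cap(uint32_t set, int cap) { return (set >> cap) & 1u; }

/* Set held after the drop: never more than the process already had. */
uint32_t caps_after_drop(uint32_t permitted) {
    return permitted & capture_only_mask();
}

/* Shrink effective/permitted to the capture set; returns 0 or -errno. */
int drop_to_capture_only(void) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2] = { {0, 0, 0}, {0, 0, 0} };
    if (syscall(SYS_capget, &h, d) != 0) return -errno;
    d[0].effective = d[0].permitted = caps_after_drop(d[0].permitted);
    d[0].inheritable = 0;
    d[1].effective = d[1].permitted = d[1].inheritable = 0;
    return syscall(SYS_capset, &h, d) == 0 ? 0 : -errno;
}

/* Open for writing; 0 on success, -errno (e.g. -EACCES) otherwise. */
int try_write(const char *path) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    close(fd);
    return 0;
}

int main(void) {
    const char *path = "/tmp/capdrop-demo.ro";    /* constructed path */
    close(open(path, O_CREAT | O_RDONLY, 0400));  /* file has no write bit */
    printf("setuid invocation: %s\n", getuid() != geteuid() ? "yes" : "no");
    printf("write before drop: %d\n", try_write(path));
    printf("drop:              %d\n", drop_to_capture_only());
    printf("write after drop:  %d\n", try_write(path));
    unlink(path);
    return 0;
}
```

Run as root with a full capability set, the first write succeeds because `CAP_DAC_OVERRIDE` bypasses the mode bits, and the second returns `-EACCES` once that capability is gone.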


