Hi Marc,

2011/11/23 Marc Haber <[email protected]>:
> On Wed, Nov 23, 2011 at 09:56:55AM +0100, Bálint Réczey wrote:
>> 2011/11/22 Marc Haber <[email protected]>:
>> > On Tue, Nov 22, 2011 at 03:12:06PM +0100, Bálint Réczey wrote:
>> >> Have you seen any suspicious output while running 'sudo
>> >> dpkg-reconfigure wireshark-common' ?
>> >>
>> >> Could you please check the output of the following commands?:
>> >>
>> >> sudo dpkg-reconfigure wireshark-common
>> >> /usr/sbin/dpkg-statoverride --list /usr/bin/dumpcap
>> >> echo $?
>> >> sudo which setcap
>> >
>> > I now know what went wrong. I was misguided by the name of the debconf
>> > template being install-setuid, which prompted me to an immediate "no",
>> > without knowing that the postinst will only use setuid as a
>> > last-resort method if capabilities are not available.
>> The template name is not shown to users AFAIK and
>> the current template text does not mention setuid bit:
>>
>> Should non-superusers be able to capture packets?
>> Dumpcap can be installed in a way that allows members of the "wireshark"
>> system group to capture packets. This is recommended over the
>> alternative of running Wireshark/Tshark directly as root, because
>> less of the code will run with elevated privileges.
>> .
>> For more detailed information please see
>> /usr/share/doc/wireshark-common/README.Debian.
>> .
>> Enabling this feature may be a security risk, so it is disabled by
>> default. If in doubt, it is suggested to leave it disabled.
>
> It is, however, worded so that anybody with Unix experience will
> immediately think "gaah, suid" and answer "no". At least that happened
> to me.

I agree that Linux Capabilities is relatively new and unknown.
With this "no" you did the right thing. You did not introduce a potential
security problem which was not completely understood.
UNIX experts also have a tendency to run custom kernels which may lack Linux Capabilities support, thus making the postinst script fall back to the setuid bit.

>> > Text suggestion:
>> > The package scripts will use Linux capabilities for the dumpcap binary
>> > where available and resort to setting the suid bit on the dumpcap
>> > binary as a fall-back.
>> The technology used behind the scenes is hidden intentionally to prevent
>> changes to the template. The template is localized thus changing it would
>> mean a lot of work for translators.
>> It refers to README.Debian, because the full story needs more
>> explanation than what would fit in a template text.
>
> Fine with me. Thanks for the explanation and saying that everything is
> intentional.

The template name is not intentional. It was created when there was no
Linux Capabilities support and I did not want to change the name as it could
break upgrades.

Cheers,
Balint

