On 2007/11/12 12:38, Steve Shockley wrote:
> Stuart Henderson wrote:
>> tcpdump runs the scary code in a jail.
>
> Doesn't http://marc.info/?m=117390704628262 do the same thing? I haven't
> looked at it, just saw the post.
Ah, Nikns' port: this isn't a full jail, but it does drop privileges, so it's a start. http://wiki.wireshark.org/Development/PrivilegeSeparation references this (so some wireshark developers do recognise it needs to be done).

IIRC (it's a while since I looked at it) there are some problems: you run the whole thing as root (including the GUI, which uses toolkits which are specifically not meant to be run as root), then after opening the capture device privs are dropped, at which point you can no longer access files you should have access to.

There is another hackish workaround: mkfifo a file, then use tcpdump to do the capture into that. Run wireshark as a normal or (better) jailed user, and read from the FIFO. Messy, though...

Anyway, this is probably of limited interest on misc@, so if anyone is interested in continuing this, ports@ is a better place (or the wireshark lists).
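The FIFO workaround described in the message above, scripted as an added example; this is not code from the thread, from the port, or from the Wireshark project. It assumes the script is started by the normal (unprivileged) user who will run the GUI, that an interface name (em0 here, a placeholder), a FIFO path and a privilege-escalation command (sudo; doas works the same way) are available, and that sudo will not prompt in the background (cache credentials with `sudo -v` first, or use a NOPASSWD rule restricted to tcpdump). Only tcpdump runs with privilege; wireshark never does.

```shell
#!/bin/sh
# Added example (assumed names: em0, /tmp/wscap.*, sudo): run tcpdump as
# root writing raw pcap into a FIFO, and wireshark as the invoking user
# reading from it, so the GUI and its toolkits never run as root.
set -eu

IFACE=${IFACE:-em0}            # assumption: capture interface
FIFO=${FIFO:-/tmp/wscap.$$}    # assumption: FIFO path, private to this run
PRIV=${PRIV:-sudo}             # assumption: sudo; doas works the same way

# make_fifo PATH: create a fresh FIFO that only the caller can open.
# A FIFO is a rendezvous: tcpdump's open() for writing blocks until a
# reader (wireshark) opens it, so neither side needs the other's privileges.
make_fifo() {
    rm -f "$1"
    mkfifo -m 0600 "$1"
}

# fifo_selftest PATH: confirm bytes pass through the FIFO before the real
# capture starts. The writer runs in the background because its open()
# blocks until a reader exists; cat reads until the writer closes.
fifo_selftest() {
    marker="fifo-ok-$$"
    ( printf '%s\n' "$marker" > "$1" ) &
    got=$(cat "$1")
    wait
    [ "$got" = "$marker" ]
}

main() {
    make_fifo "$FIFO"
    fifo_selftest "$FIFO" || { echo "FIFO not usable: $FIFO" >&2; exit 1; }

    # The privileged half: tcpdump opens the capture device and writes pcap
    # (-w) into the FIFO. -s is given explicitly because the default snaplen
    # differs between tcpdump versions.
    $PRIV tcpdump -i "$IFACE" -s 1600 -w "$FIFO" &

    # The unprivileged half: -i accepts a FIFO as the capture source and
    # -k starts reading immediately. Runs as the invoking user.
    wireshark -k -i "$FIFO"

    # When wireshark exits, the read end closes and tcpdump's next write
    # fails with SIGPIPE, ending the capture; wait reaps it.
    wait || true
    rm -f "$FIFO"
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Invoke as `sh wscap.sh run`. The FIFO is created 0600 by the unprivileged user, so no other local user can attach to the pipe and read the capture; root's tcpdump can still open it. The GUI user must be able to reach the X display, which is unchanged from running wireshark normally.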

