On 2011-06-24, Nigel Taylor <[email protected]> wrote:
> Attached is my current port for wireshark 1.6.0, as some have requested
> this. This is a WIP, not posted for addition to the ports, limited
> testing has been done on amd64 with this version. This builds on i386. I
> have been updating the port since wireshark version 1.0.x, and using myself.
>
> The privilege separation within wireshark only applies to the linux
> version, it relies on linux capabilities (CAP_NET_ADMIN, CAP_NET_RAW).
Little summary for people who haven't looked at wireshark (previously known as ethereal) in a while. These days it is slightly split out so it's easier to avoid running decoders in an incredibly dangerous way, but there are still problems.

The main wireshark (GUI) or tshark (CLI) process runs as a normal userid; protocol decoders run as part of this main process. The GUI has commands to start/stop capture, select interfaces etc. These can be used in two ways:

- Capture can be split off to a separate process "dumpcap" which is typically installed setuid root and access is controlled by group privileges. (On OS without POSIX capabilities + libcap it drops to the real uid during actual capture but that's it. Even with libcap it is still just priv dropping rather than having a clear separation between privileged and non-privileged parts.)

- Otherwise capture can also be done by stupid people from the main process itself by running it as root. Not even privilege dropping in this case - as in all the old versions, everything including decoders runs as root.

...

It's not hard to build from source, people are obviously doing so, but on the whole I'd be happier to have it in packages for a few reasons.

- Updates. It's pretty huge and slow to build, and people are not likely to track updates as often as they are to run pkg_add -u. This is software that people should be keeping up-to-date...

- We can make it harder to use unsafely. Currently if you try and run it as root it detects it and actually prints a warning telling you not to do that (rather toned down from earlier versions iirc..) then lets you tick a box to make the warning go away! Insane, it should just terminate...

- We can set things up to run the main program as a different uid (wrapper script, show people how to configure sudoers to use it, etc.). Easy enough to do and improves safety, but the sort of thing someone who just wants to run the damn thing is not going to bother with.
But I think dumpcap needs attention first... (I have a port too, slightly different - the GUI part is split to a subpackage to reduce dependencies for people who just want tshark, and it sets things up a bit for using dumpcap). Don't think I'll send it to the list at the moment though ;)
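Added example, not code from the thread, from either port, or from wireshark itself: a wrapper script of the kind described above. It refuses to run if invoked as root (instead of offering a tick-box), checks that the installed dumpcap is setuid, group-owned by the capture group and not executable by others, and then hands the GUI (decoders included) to an unprivileged uid via sudo. The dumpcap path, the group name "wireshark", the user "wsuser" and the use of sudo are placeholder assumptions, not values from the thread; the sudoers rule that allows the calling user to run wireshark as that uid (and keeps DISPLAY/XAUTHORITY) is left to the administrator.

```shell
#!/bin/sh
# Illustrative wireshark wrapper (added example; not from the port or the
# wireshark project). Placeholder assumptions, override via environment:
DUMPCAP=${DUMPCAP:-/usr/local/bin/dumpcap}   # where the port installs dumpcap
CAPGROUP=${CAPGROUP:-wireshark}             # group allowed to capture
RUNAS=${RUNAS:-wsuser}                      # unprivileged uid for the GUI/decoders

# Return 0 when the (given or effective) uid is root. The wrapper treats
# this as fatal rather than as a dismissable warning.
uid_is_root() {
    [ "${1:-$(id -u)}" -eq 0 ]
}

# Return 0 only when the dumpcap binary has the intended layout:
#   - setuid bit set (so capture gets root / can open the interface)
#   - group-owned by the capture group
#   - no execute bit for "other" (so only group members can run it)
# Uses only POSIX find(1) tests so it works on BSD and GNU userlands.
dumpcap_perms_ok() {
    f=$1
    g=$2
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -perm -4000 -print 2>/dev/null)" ] || return 1
    [ -n "$(find "$f" -group "$g" -print 2>/dev/null)" ] || return 1
    [ -z "$(find "$f" -perm -0001 -print 2>/dev/null)" ] || return 1
    return 0
}

main() {
    if uid_is_root; then
        echo "wireshark-wrapper: refusing to run the GUI and its decoders as root" >&2
        exit 1
    fi
    if ! dumpcap_perms_ok "$DUMPCAP" "$CAPGROUP"; then
        echo "wireshark-wrapper: $DUMPCAP is not setuid, group $CAPGROUP, mode 4750" >&2
        exit 1
    fi
    # Run the main program as a dedicated uid; capture still goes through
    # dumpcap, which must be group-accessible to $RUNAS.
    exec sudo -u "$RUNAS" wireshark "$@"
}

# Only act when installed under the wrapper's own name, so the file can also
# be sourced for its functions.
case "${0##*/}" in
    wireshark-wrapper) main "$@" ;;
esac
```

Install it as wireshark-wrapper (or as the "wireshark" name users type), make wsuser a member of the wireshark group, and the decoders never run with the invoking user's privileges, let alone root's.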
