[Wireshark-users] [patch] drop privs in dumpcap if run setuid by non-root

2007-02-12 Thread Hank Leininger
The other day, I wanted to run wireshark live, i.e. capture and view
some packets, rather than just feed it an existing pcap.  On Linux, I
found this was basically impossible (longtime users probably know this
already):

- By default no part of wireshark is installed setuid
- There is an --enable-setuid-install configure option, which installs
  both wireshark and dumpcap setuid root
- However, as mentioned in the docs, gtk apps don't like running as
  root.  And besides, this just seemed dumb.
- So, too, did actually being root to run (all of) wireshark.
- I tried chmod +s'ing only dumpcap.  This gives it the needed privs,
  _but_ it creates a tempfile with which to communicate with wireshark
  that is mode 600 -- so when it runs as root, the rest of wireshark
  cannot read the file.

While on a plane back home I whipped up the attached patch to dumpcap to
drop elevated privileges as soon as the pcap socket has been opened.
Then I can create a 'sniffer' group, and chgrp sniffer, chmod 4110 the
dumpcap binary.  Tested for a whole five minutes, seems to work fine:
wireshark launches dumpcap to sniff, opens the raw capture socket, drops
root, opens the output file, and starts reading/writing packets.  It
looks to me like every time a new capture is started, dumpcap is
respawned, so euid0 is not needed again.  Works with tshark as well.

At the time, I had not yet read the discussions on the wireshark lists
(and the ethereal ones years before that) about how privilege separation
would be a better way to go, and about how the dissectors would best run
not just non-root, but non-user either--that is, they should run as a
dedicated, chrooted user.  I agree that that would be ideal.  But in the
meantime, I think something like this would be better than nothing.

Thanks,

-- 

Hank Leininger [EMAIL PROTECTED]
F980 A584 5175 1996 DD7E  C47B 1A71 105C CB44 CBF8
diff -urP wireshark-0.99.5/Makefile.am wireshark-0.99.5-hap/Makefile.am
--- wireshark-0.99.5/Makefile.am2007-02-01 18:01:43.0 -0500
+++ wireshark-0.99.5-hap/Makefile.am2007-02-12 01:17:59.0 -0500
@@ -655,7 +655,6 @@
 if SETUID_INSTALL
 install-exec-hook:
-chmod +s $(DESTDIR)$(bindir)/dumpcap
-   -chmod +s $(DESTDIR)$(bindir)/tshark
 else
 install-exec-hook:
 endif
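Review bot: the removal of `-chmod +s $(DESTDIR)$(bindir)/tshark` changes what --enable-setuid-install installs (only dumpcap is made setuid now, not tshark), but the cover mail only describes dumpcap dropping privileges; spell the tshark change out in the description and in the configure help text for the option. The mail's "Works with tshark as well" implies tshark now gets its capture privileges through dumpcap, which is the rationale a reader of this hunk needs. Note also that the leading `-` on the chmod line is make's ignore-errors prefix, so a failed chmod +s on the dumpcap binary goes unnoticed at install time; decide whether that should be fatal for a setuid install.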
diff -urP wireshark-0.99.5/Makefile.in wireshark-0.99.5-hap/Makefile.in
--- wireshark-0.99.5/Makefile.in2007-02-01 18:02:55.0 -0500
+++ wireshark-0.99.5-hap/Makefile.in2007-02-12 01:18:10.0 -0500
@@ -2167,7 +2167,6 @@
 
 @[EMAIL PROTECTED]:
 @SETUID_INSTALL_TRUE@  -chmod +s $(DESTDIR)$(bindir)/dumpcap
[EMAIL PROTECTED]@  -chmod +s $(DESTDIR)$(bindir)/tshark
 @[EMAIL PROTECTED]:
 
 wireshark.1: doc/wireshark.pod AUTHORS-SHORT-FORMAT
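Review bot: Makefile.in is generated by automake from Makefile.am, so hand-editing it here means the two can drift and this hunk is overwritten on the next autogen run; drop the hunk and let maintainers regenerate, or state in the description that it is included only for convenience. Separately, the list archive has mangled the automake substitution tokens on the install-exec-hook lines (they appear as `@[EMAIL PROTECTED]:`), so this hunk cannot be applied from the list copy and the attached patch file is the one to review.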
diff -urP wireshark-0.99.5/capture_loop.c wireshark-0.99.5-hap/capture_loop.c
--- wireshark-0.99.5/capture_loop.c 2007-02-01 18:01:47.0 -0500
+++ wireshark-0.99.5-hap/capture_loop.c 2007-02-12 01:55:22.0 -0500
@@ -1271,6 +1271,12 @@
 goto error;
   }
 
+  if (setgid(getgid()) || setuid(getuid())) {
+g_snprintf(errmsg, sizeof(errmsg), error dropping privileges: %s, 
strerror(errno));
+*secondary_errmsg = '\0';
+goto error;
+  }
+
   /* init the input filter from the network interface (capture pipe will do 
nothing) */
   switch (capture_loop_init_filter(ld.pcap_h, ld.from_cap_pipe, 
capture_opts-iface, capture_opts-cfilter)) {
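Review bot: the new block needs the platform guard Ulf raises in his reply: setgid()/getgid()/setuid()/getuid() do not exist on Win32, so wrap the block in `#ifndef _WIN32` / `#endif`, and make sure capture_loop.c includes <errno.h> and <unistd.h>, since the block uses errno, strerror() and the set*id calls. The order is right (setgid() before setuid(), because setgid() still needs euid 0), and with euid 0 setuid(getuid()) also resets the saved uid, so the drop is permanent; consider verifying it afterwards (geteuid() == getuid(), getegid() == getgid()) instead of trusting the return values alone, since a silent failure here means the output file is created as root, which is exactly the mode 600 problem the mail describes. Finally, the string literal `error dropping privileges: %s` has lost its quotes in the list copy and the statement wraps onto a second line, so the hunk will not compile as shown; confirm that the attached patch is intact.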
 
___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
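The privilege drop the patch adds, written out as an added example with the verification and the Win32 guard a reviewer would want. This is not Hank's patch and not Wireshark code; the function name drop_privileges and its errmsg/errmsg_len parameters are assumptions made here, modelled on the errmsg convention visible in the hunk.

```c
/* Added example (not Hank's patch or Wireshark code): drop setuid-root
 * privileges as the patch does (setgid, then setuid) and verify the drop. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifndef _WIN32
#include <sys/types.h>
#include <unistd.h>
#endif

/* 0 on success; -1 with a message in errmsg, as in the patch's error path. */
int drop_privileges(char *errmsg, size_t errmsg_len)
{
#ifdef _WIN32
    /* No setuid()/setgid() on Win32 (the #ifndef Ulf asks for): nothing to drop. */
    (void)errmsg; (void)errmsg_len;
    return 0;
#else
    uid_t uid = getuid();  /* real ids are the invoking user's, since the */
    gid_t gid = getgid();  /* binary is setuid (mode 4110), not setgid */
    /* setgid() first: it needs euid 0, which setuid() gives up. With euid 0,
     * setuid(uid) also resets the saved uid, so seteuid(0) cannot undo it. */
    if (setgid(gid) != 0 || setuid(uid) != 0) {
        snprintf(errmsg, errmsg_len, "error dropping privileges: %s", strerror(errno));
        return -1;
    }
    /* Verify the effective ids instead of trusting the return values. */
    if (geteuid() != uid || getegid() != gid) {
        snprintf(errmsg, errmsg_len, "privileges not dropped: euid %ld", (long)geteuid());
        return -1;
    }
    /* A non-root caller must not be able to get root back (expect EPERM). */
    if (uid != 0 && setuid(0) == 0) {
        snprintf(errmsg, errmsg_len, "privilege drop was reversible");
        return -1;
    }
    return 0;
#endif
}

int main(void)
{
    char errmsg[256];
    if (drop_privileges(errmsg, sizeof errmsg) != 0) {
        fprintf(stderr, "%s\n", errmsg);
        return 1;
    }
    puts("privileges dropped (or none to drop); safe to open the output file");
    return 0;
}
```

Called right after the capture socket is opened and before the output file is created, a non-zero return should be treated the same way the hunk treats it: report the error and abort the capture.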


Re: [Wireshark-users] [patch] drop privs in dumpcap if run setuid by non-root

2007-02-12 Thread Ulf Lamping
Hank Leininger wrote:
> The other day, I wanted to run wireshark live, i.e. capture and view
> some packets, rather than just feed it an existing pcap.  On Linux, I
> found this was basically impossible (longtime users probably know this
> already):
>
> - By default no part of wireshark is installed setuid
> - There is an --enable-setuid-install configure option, which installs
>   both wireshark and dumpcap setuid root
> - However, as mentioned in the docs, gtk apps don't like running as
>   root.  And besides, this just seemed dumb.
> - So, too, did actually being root to run (all of) wireshark.
> - I tried chmod +s'ing only dumpcap.  This gives it the needed privs,
>   _but_ it creates a tempfile with which to communicate with wireshark
>   that is mode 600 -- so when it runs as root, the rest of wireshark
>   cannot read the file.
>
> While on a plane back home I whipped up the attached patch to dumpcap to
> drop elevated privileges as soon as the pcap socket has been opened.
> Then I can create a 'sniffer' group, and chgrp sniffer, chmod 4110 the
> dumpcap binary.  Tested for a whole five minutes, seems to work fine:
> wireshark launches dumpcap to sniff, opens the raw capture socket, drops
> root, opens the output file, and starts reading/writing packets.  It
> looks to me like every time a new capture is started, dumpcap is
> respawned, so euid0 is not needed again.  Works with tshark as well.
>
> At the time, I had not yet read the discussions on the wireshark lists
> (and the ethereal ones years before that) about how privilege separation
> would be a better way to go, and about how the dissectors would best run
> not just non-root, but non-user either--that is, they should run as a
> dedicated, chrooted user.  I agree that that would be ideal.  But in the
> meantime, I think something like this would be better than nothing.

Hi Hank!

I've spent a lot of time carving dumpcap out into its own process, to 
make the things you've explained actually possible. Please note that the 
Wireshark/dumpcap combination misses some things like the capture live 
list and the like, which currently call pcap functions directly. 
Getting the capture-interface-specific info should go into dumpcap as 
well, or into a new process (capifinfo or the like) to avoid privilege 
problems with this task.

As I'm a Win32 developer, I won't tweak the UNIX-specific things and 
need help from other UNIX developers. Unfortunately, NONE of the UNIX 
developers found the time / motivation to spend some time on this topic.

So basically I've dropped my effort on this completely, as I found no 
assistance with this - only complaints ("when will it be finished?") - 
which is not really motivating in itself ...

BTW: your patch will break Win32 compatibility, as setgid and the like 
don't exist on Win32 (and probably not on all UNIX derivatives we 
support either) - a simple #ifndef _WIN32 will solve this (for WIN32, 
but probably not for other UNIXes).

Regards, ULFL


P.S.: This motivation might change when I start working on Vista, as 
User Account Control is basically the same thing. However, the switch 
to Vista might take some time ...