Bug#770492: linux-image-3.16.0-4-686-pae: chown removes security.capability xattr on other users' files

2016-10-15 Thread Salvatore Bonaccorso
Control: tags -1 + fixed-upstream

Hi

This is now fixed upstream in v4.9-rc1:
https://git.kernel.org/linus/030b533c4fd4d2ec3402363323de4bb2983c9cee

Regards,
Salvatore



2015-01-24 Thread Salvatore Bonaccorso
Control: retitle -1 linux-image-3.16.0-4-686-pae: chown removes security.capability xattr on other users' files (CVE-2015-1350)

Hi,

In http://www.openwall.com/lists/oss-security/2015/01/24/5 there was
a CVE assignment for this issue, CVE-2015-1350.

Regards,
Salvatore


2014-11-21 Thread Ben Harris

Package: src:linux
Version: 3.16.7-2
Severity: normal
Control: affects -1 wireshark-common

Dear Maintainer,

The wireshark-common package, in its postinst script, optionally grants 
some capabilities to the "dumpcap" program using setcap.  However, it 
seems that any user can cause these capabilities to vanish by trying 
(and failing) to chown the file.  To demonstrate:


As root, add the necessary capabilities:

wraith:/tmp# setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

I'm a normal user with no privileges over the file:

wraith:~$ id
uid=12528(bjh21) gid=12528(bjh21) groups=12528(bjh21),1(daemon),10(uucp),40(src),1000(probe),1019(solsrc),59998(traffic)
wraith:~$ grep '^Cap' /proc/$$/status
CapInh: 
CapPrm: 
CapEff: 
CapBnd: 003f
wraith:~$ ls -l /usr/bin/dumpcap 
-rwxr-xr-- 1 root wireshark 92476 Sep 20 09:20 /usr/bin/dumpcap


The capabilities are currently present:

wraith:~$ /sbin/getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

I try to chown the file, which fails as expected:

wraith:~$ chown root:wireshark /usr/bin/dumpcap 
chown: changing ownership of '/usr/bin/dumpcap': Operation not permitted


... and now the capabilities have gone:

wraith:~$ ls -l /usr/bin/dumpcap 
-rwxr-xr-- 1 root wireshark 92476 Sep 20 09:20 /usr/bin/dumpcap

wraith:~$ /sbin/getcap -v /usr/bin/dumpcap
/usr/bin/dumpcap

I would expect that the capabilities attached to /usr/bin/dumpcap would 
have survived that attempted chown by an unprivileged user.  The current 
behaviour means that any user can cause dumpcap to stop working properly.


In case it's relevant, my root filesystem (containing /usr/bin/dumpcap) 
is a very old ext3 filesystem (originally created as ext2).


-- Package-specific info:
** Version:
Linux version 3.16.0-4-686-pae (debian-ker...@lists.debian.org) (gcc version 4.8.3 (Debian 4.8.3-13) ) #1 SMP Debian 3.16.7-2 (2014-11-06)

** Command line:
BOOT_IMAGE=/vmlinuz-3.16.0-4-686-pae root=/dev/mapper/wraith-root ro

** Not tainted

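An added example, not part of the bug report and not Debian or kernel code: a baseline check that decodes the security.capability xattr and reports a file whose capabilities have been stripped, as happened to dumpcap in the report above. The function names, the expected set and the sample xattr bytes are constructed for illustration; the layout constants are those of linux/capability.h.

```python
import errno
import os
import struct

# Layout constants from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}  # revision -> 32-bit word pairs
CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw"}  # the two bits dumpcap is granted

def read_xattr(path):
    """Return the raw security.capability value, or None if the file has none (Linux only)."""
    try:
        return os.getxattr(path, "security.capability")
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return None
        raise

def decode_vfs_caps(raw):
    """Decode the xattr into (permitted mask, inheritable mask, effective flag)."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    (magic,) = struct.unpack_from("<I", raw, 0)
    pairs = PAIRS.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None or len(raw) < 4 + 8 * pairs:
        raise ValueError("unknown revision or truncated xattr")
    permitted = inheritable = 0
    for i in range(pairs):
        perm, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= perm << (32 * i)
        inheritable |= inh << (32 * i)
    return permitted, inheritable, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)

def cap_names(mask):
    return {CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if (mask >> b) & 1}

def check_drift(expected, raw):
    """Compare expected permitted capability names with a raw xattr; return findings."""
    if raw is None:
        return ["security.capability xattr missing"]
    permitted, _, effective = decode_vfs_caps(raw)
    findings = ["lost " + n for n in sorted(expected - cap_names(permitted))]
    if not effective:
        findings.append("effective flag cleared")
    return findings

# Constructed sample: revision 2, effective bit set, cap_net_admin|cap_net_raw in
# permitted and inheritable, i.e. what "cap_net_admin,cap_net_raw+eip" stores.
SAMPLE = struct.pack("<IIIII", 0x02000001, 0x3000, 0x3000, 0, 0)
EXPECTED = {"cap_net_admin", "cap_net_raw"}

if __name__ == "__main__":
    print(check_drift(EXPECTED, read_xattr("/usr/bin/dumpcap")))
```

Run periodically against the files a package grants capabilities to, a non-empty result for a file that should carry them is the condition this bug produces.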