On Jul 22, 2015, at 9:37 AM, Graham Bloice <[email protected]> wrote:
> Most, if not all, will be running Wireshark unelevated, as this is a basic
> tenet of Wireshark use. There are millions of lines of code in Wireshark
> dissectors and they really shouldn't be given admin privs.
Does anybody know whether there exists, in Windows:
1) an inter-process communications mechanism, either documented or
reverse-engineered *and* likely to remain intact and usable from release to
release and in future releases, over which a HANDLE can be passed;
2) a mechanism by which a non-privileged process can request that a
subprocess be run with elevated privileges - presumably requiring either user
consent or something else to indicate trust - with such an IPC channel
established between the non-privileged process and the privileged process?
UN*Xes that support libpcap generally have 1) in the form of UNIX-domain
sockets (or, in newer versions of OS X, Mach messages, over which those newer
versions of OS X support passing file descriptors), and probably have 2) in the
form of, if nothing else, sudo or some GUI equivalent.
The idea here is to have libpcap - and WinPcap, if the answers to those
questions are both "yes" - invoke a *small* helper process to do what work
needs elevated privileges to open capture devices, turn on monitor mode, change
channels, etc., so that programs using those libraries do not *themselves*
require elevated privileges.
If the answer for the first question is "no", then do we have some way to run
dumpcap with elevated privileges and have a pipe between it and
Wireshark/TShark?
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
