Re: Fwd: On Wireshark and network capture in general

Re: Fwd: On Wireshark and network capture in general

by Josselin Mouette

Le vendredi 19 juin 2009 à 12:54 +0200, Jaap Keuter a écrit :

> > What I've noticed is that Debian (still) requires the user to run
> > Wireshark with root credentials in order to be able to launch a network
> > capture. Otherwise the network interfaces won't even be visible.
> > This problem, running a massive GUI application with root credentials, was
> > identified long ago and addressed as such. The core capture functionality
> > was isolated in a capture child, so the rest (dissection, GUI, etc) could
> > be run as a normal user. This only(ahem) requires the capture engine
> > (dumpcap) to be installed setuid root.

I think it’s just as bad an idea to launch dumpcap setuid root as it is
to launch the GUI as root.

Please consider supporting PolicyKit to communicate between the frontend
and the backend instead. This way the backend doesn’t have to be
installed setuid root, and the user is authenticated before starting it.

Cheers,
--
 .''`.      Josselin Mouette
: :' :
`. `'   “I recommend you to learn English in hope that you in
  `-     future understand things”  -- Jörg Schilling



Re: Fwd: On Wireshark and network capture in general

by Michael Stone-2

On Fri, Jun 19, 2009 at 01:56:05PM +0200, Josselin Mouette wrote:

>Le vendredi 19 juin 2009 à 12:54 +0200, Jaap Keuter a écrit :
>> > What I've noticed is that Debian (still) requires the user to run
>> > Wireshark with root credentials in order to be able to launch a network
>> > capture. Otherwise the network interfaces won't even be visible.
>> > This problem, running a massive GUI application with root credentials, was
>> > identified long ago and addressed as such. The core capture functionality
>> > was isolated in a capture child, so the rest (dissection, GUI, etc) could
>> > be run as a normal user. This only(ahem) requires the capture engine
>> > (dumpcap) to be installed setuid root.
>
>I think it’s just as bad an idea to launch dumpcap setuid root as it is
>to launch the GUI as root.

Definitely as default for the install. For many people the common case
is to use wireshark to analyze captures taken by a different tool, and
there's no reason for them to automatically have anything setuid to
support that case.

Mike Stone


--
To UNSUBSCRIBE, email to debian-security-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...


Re: Fwd: On Wireshark and network capture in general

by Jonathan Yu

Maybe we can offer something via debconf during installation to ask
users if they'd like non-root users to access dumpcap. But I guess the
question there is to determine how to provide access to dumpcap (there
were some great ideas discussed above).

Having the GUI run as non-root sounds like a great idea to me, the
less code running setuid 0 the better. And that means the GUI will be
useful for analyzing things that have already been captured, as Mike
mentioned, and you won't need root for that.

So some sort of wrapper when users attempt to launch captures, perhaps
something like gksu to get permission for dumpcap...

On Fri, Jun 19, 2009 at 9:29 AM, Michael Stone <mstone@...> wrote:

> On Fri, Jun 19, 2009 at 01:56:05PM +0200, Josselin Mouette wrote:
>>
>> Le vendredi 19 juin 2009 à 12:54 +0200, Jaap Keuter a écrit :
>>>
>>> > What I've noticed is that Debian (still) requires the user to run
>>> > Wireshark with root credentials in order to be able to launch a network
>>> > capture. Otherwise the network interfaces won't even be visible.
>>> > This problem, running a massive GUI application with root credentials, was
>>> > identified long ago and addressed as such. The core capture functionality
>>> > was isolated in a capture child, so the rest (dissection, GUI, etc) could
>>> > be run as a normal user. This only(ahem) requires the capture engine
>>> > (dumpcap) to be installed setuid root.
>>
>> I think it’s just as bad an idea to launch dumpcap setuid root as it is
>> to launch the GUI as root.
>
> Definitely as default for the install. For many people the common case is to
> use wireshark to analyze captures taken by a different tool, and there's no
> reason for them to automatically have anything setuid to support that case.
>
> Mike Stone
>
>
> --
> To UNSUBSCRIBE, email to debian-devel-REQUEST@...
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@...
>
>
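
An added example, not part of any message in this thread: a POSIX shell check that classifies how a capture helper such as dumpcap is installed, separating a setuid-root helper that any local user can run from a group-restricted or non-setuid install. The group-restricted case, the sample `ls -ln` lines and the `/usr/bin/dumpcap` path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report who can run a capture helper
# with root privileges, judged from the mode and owner shown by `ls -ln`.

# classify_ls_line "<one line of ls -ln output>"
classify_ls_line() {
    set -f              # no globbing while the line is split into fields
    set -- $1           # fields: mode, link count, numeric uid, numeric gid, ...
    set +f
    mode=$1 uid=$3 gid=$4

    case $mode in
        -??[sS]*) ;;                        # setuid bit is set
        -*) echo "not-setuid"; return 0 ;;  # runs with the caller's privileges
        *)  echo "not-a-regular-file"; return 0 ;;
    esac
    if [ "$uid" != 0 ]; then
        echo "setuid-non-root uid=$uid"; return 0
    fi
    case $mode in
        -????????[xt]*) echo "setuid-root any-user" ;;         # world-executable
        -?????[xs]*)    echo "setuid-root group-only gid=$gid" ;;
        *)              echo "setuid-root owner-only" ;;
    esac
}

# audit_helper PATH: classify a real file (symlinks are followed).
audit_helper() {
    [ -f "$1" ] || { echo "missing"; return 0; }
    classify_ls_line "$(ls -lnL -- "$1")"
}

# Constructed sample lines, not captured from a real system.
SAMPLE_OPEN='-rwsr-xr-x 1 0 0 86136 Jun 19  2009 /usr/bin/dumpcap'
SAMPLE_GROUP='-rwsr-x--- 1 0 120 86136 Jun 19  2009 /usr/bin/dumpcap'
SAMPLE_PLAIN='-rwxr-xr-x 1 0 0 86136 Jun 19  2009 /usr/bin/dumpcap'

for line in "$SAMPLE_OPEN" "$SAMPLE_GROUP" "$SAMPLE_PLAIN"; do
    printf '%s\n    => %s\n' "$line" "$(classify_ls_line "$line")"
done
```

On a real system, `audit_helper "$(command -v dumpcap)"` applies the same classification to the installed binary.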

