Bug 349782

Summary: AUDIT-0: wireshark - setuid installation
Product: [openSUSE] openSUSE 11.2 Reporter: Pavol Rusnak <prusnak>
Component: Security Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P4 - Low CC: ace6zip, casualprogrammer, forgotten_yF3D3fVkQI, jc, krahmer
Version: Final   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Development Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Pavol Rusnak 2007-12-19 13:56:27 UTC
---8<------8<------8<------8<------8<------8<------8<------8<---

From http://anonsvn.wireshark.org/wireshark/trunk/doc/README.packaging:

In versions up to and including 0.99.6, it was necessary to run
Wireshark with elevated privileges in order to be able to capture
traffic. With version 0.99.7, all function calls that require elevated
privileges have been moved out of the GUI to dumpcap.

WIRESHARK CONTAINS OVER ONE POINT FIVE MILLION LINES OF SOURCE CODE. DO
NOT RUN THEM AS ROOT.

There are two configure-time options on non-Windows systems that affect
the privileges a normal user needs to capture traffic and list
interfaces: "--enable-setuid-install" and "--with-libcap". Setting
"--enable-setuid-install" to "yes" will install TShark and dumpcap
setuid root.  This is necessary for non-root users to be able to capture
on most systems, e.g. on Linux or FreeBSD if the user doesn't have
permissions to access /dev/bpf*. It is disabled by default.

If the "--with-libcap" option is enabled, dumpcap will try to drop any
setuid privileges it may have while retaining the CAP_NET_ADMIN and
CAP_NET_RAW capabilities. It is enabled by default, and requires the
Linux capabilities library.

Additionally, warnings are now displayed when Wireshark and TShark are
run as root.

---8<------8<------8<------8<------8<------8<------8<------8<---

Should I package tshark and dumpcap as setuid or leave it as it is? (Meaning that the user has to run the wireshark GUI as root to be able to capture packets from interfaces.) If you decide for the change, please change the permissions file accordingly (/usr/bin/{dumpcap,tshark}).
Comment 1 Sebastian Krahmer 2008-02-04 09:59:36 UTC
I don't think we want to have wireshark or its helper binaries setuid.
They link to a lot of libraries; users shouldn't be able to sniff
traffic anyway.
Wireshark is probably a good candidate for something like a chroot.
Comment 2 Marcus Meissner 2008-03-31 09:35:11 UTC
-> no setuid for wireshark due to bad record. just use wireshark as root
Comment 3 Pavol Rusnak 2008-03-31 16:25:57 UTC
Gentoo has the following flags for wireshark binaries:

-r-sr-s--- 1 root wireshark   46848 2008-03-16 19:21 /usr/bin/dumpcap
-rwxr-xr-x 1 root root        67552 2008-03-16 19:21 /usr/bin/rawshark
-r-sr-s--- 1 root wireshark  162200 2008-03-16 19:21 /usr/bin/tshark
-rwxr-xr-x 1 root root      1318388 2008-03-16 19:21 /usr/bin/wireshark

So the user has to be in group wireshark in order to sniff traffic.

What about this solution?

PS: Wireshark now prints the message box "Running as user 'root' and group 'root'. This could be dangerous." when running as root. Fortunately this dialog also contains the checkbox "Don't show this message again." :))
Comment 4 Sebastian Krahmer 2008-04-01 11:40:00 UTC
It sounds plain stupid to me making network sniffers
setuid root. There's a reason to drop privileges to nobody
after opening the packet socket etc., but only root should invoke
such tools, i.e. there's no need for an s bit.
Comment 5 Ludwig Nussel 2008-04-01 12:13:05 UTC
Well, it does make sense to run the gui (which does the error prone packet disassembly) as non-root. That goal is reached by the s-bit. With that bit however there is no authentication of the privileged operation anymore. I am not convinced by the group approach either. Although we have a similar case already, mtr. It's setuid root for group dialout.
Comment 6 Michal Marek 2008-04-01 12:21:00 UTC
What about patching the gui to run xdg-su -c '/usr/bin/rawshark ...'?
Comment 7 Ludwig Nussel 2008-04-01 12:43:04 UTC
Does that work? Does wireshark communicate via stdin/stdout with the helper or does it use some external file/socket?
Comment 8 Michal Marek 2008-04-01 12:46:42 UTC
I don't know (yes, the fact that xdg-su discards stdout/stderr could be an obstacle).
Comment 9 Michal Marek 2008-04-01 12:56:10 UTC
OK, it's not rawshark but dumpcap and it uses (also) stdout. And it's run several times (to get the list of interfaces, to show the traffic on each interface and finally to capture), so xdg-su won't work here :-(
Comment 10 Pavol Rusnak 2008-05-08 08:00:50 UTC
*** Bug 387706 has been marked as a duplicate of this bug. ***
Comment 11 Casual J. Programmer 2008-05-08 08:44:57 UTC
As I pointed out in Bug 387706 Comment #2, there has to be a reason why wireshark (as well as other applications) thinks it's inappropriate to run it as root.

So forcing them to run as root is probably causing more issues than it avoids.

If creating a new group for them is not wanted (for whatever reason), any of the existing privileged groups could be used to that end.

Comment 12 Pavol Rusnak 2008-06-03 08:18:39 UTC
*** Bug 391805 has been marked as a duplicate of this bug. ***
Comment 13 Casual J. Programmer 2009-01-14 18:16:23 UTC
Are we collecting duplicates here, or is this going to be fixed eventually?
Comment 14 jean-christophe baptiste 2010-03-22 10:32:48 UTC
I just tried this nice tutorial to get Wireshark to work without root:
http://packetlife.net/blog/2010/mar/19/sniffing-wireshark-non-root-user/#c2439

Unfortunately, as I say in the comments, it seems not to be working for openSUSE (the tutorial is based on Ubuntu).

% sudo zypper install libcap-progs
% sudo groupadd wireshark
% sudo usermod -G wireshark jc
% sudo chgrp wireshark /usr/bin/dumpcap
% sudo chmod 750 /usr/bin/dumpcap
% sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

% getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

% groups
users wireshark

% wireshark
[...]
dumpcap: There are no interfaces on which a capture can be done


Why not? And why isn't Wireshark packaged this way?
Comment 15 jean-christophe baptiste 2010-03-22 10:35:25 UTC
Updated the info: openSUSE 11.2, and I don't think such an issue should be qualified as "minor".
Comment 16 Ludwig Nussel 2010-03-22 12:35:16 UTC
I'm not sure fscaps are enabled by default. Try setting mode 4750 on dumpcap.
Comment 17 jean-christophe baptiste 2010-03-22 12:45:00 UTC
It is enabled in the kernel:
% uname -r
2.6.31.12-0.1-desktop
% grep CONFIG_SECURITY_FILE_CAPABILITIES /boot/config-2.6.31.12-0.1-desktop
CONFIG_SECURITY_FILE_CAPABILITIES=y

And about setuid, of course it works, but this is not the expected behaviour. It doesn't have anything to do with POSIX capabilities, and we are still at risk (even though it is a little better than running everything as root).
Comment 18 Ludwig Nussel 2010-03-22 13:25:20 UTC
You need to boot with file_caps=1 to actually enable them. Anyway, please understand that bugzilla is not a support forum. This bug serves as a request for a security audit, so if you have further questions wrt your setup please consult our mailing lists.
Comment 19 Pavol Rusnak 2010-12-08 16:28:44 UTC
I just peeked at Fedora. They create wireshark group in %pre and have this in the filelist:

%attr(0750,root,wireshark) %caps(cap_net_raw,cap_net_admin=eip) %{_bindir}/dumpcap

Is this a valid option for us? If so what else needs to be done (except from pushing the changes into Factory)?
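The thread compares three ways of installing dumpcap: setuid root restricted to a group (comment 3), file capabilities plus a 0750 root:wireshark mode (comments 14 and 19), and plain root-only use. The script below is an added example, not code from the bug report or the wireshark package; it classifies each binary from the kind of `ls -l` line and `getcap` line shown in the thread, using constructed sample listings that mirror those comments.

```shell
#!/bin/sh
# Added example (not from the bug report): audit how capture helpers are
# installed from an ls -l listing and getcap output, as discussed above.

# exec_scope MODE GROUP -> who can execute: anyone | group:<g> | owner-only
exec_scope() {
  g_x=$(printf '%s\n' "$1" | cut -c7)    # group execute bit (x, s or S)
  o_x=$(printf '%s\n' "$1" | cut -c10)   # other execute bit (x or t)
  case $o_x in x|t) echo anyone; return;; esac
  case $g_x in x|s|S) echo "group:$2"; return;; esac
  echo owner-only
}

# classify_install MODE OWNER GROUP CAPS -> "<privilege>/<scope>"
# privilege is setuid-<owner>, fscaps(<caps>) or plain
classify_install() {
  u_x=$(printf '%s\n' "$1" | cut -c4)    # user execute bit; s/S means setuid
  scope=$(exec_scope "$1" "$3")
  case $u_x in
    s|S) echo "setuid-$2/$scope";;
    *) if [ -n "$4" ]; then echo "fscaps($4)/$scope"; else echo "plain/$scope"; fi;;
  esac
}

# caps_of PATH GETCAP_OUTPUT -> capability string for PATH, empty if none.
# Parses the "<path> = <caps>" form shown in comment 14.
caps_of() {
  printf '%s\n' "$2" | awk -v p="$1" '$1 == p && $2 == "=" { print $3 }'
}

# Constructed sample input: dumpcap set up as in comments 14/19 (0750
# root:wireshark plus fscaps), tshark as in the Gentoo listing of comment 3,
# and the plain wireshark GUI binary.
SAMPLE_LS='-rwxr-x--- 1 root wireshark 46848 2008-03-16 19:21 /usr/bin/dumpcap
-r-sr-s--- 1 root wireshark 162200 2008-03-16 19:21 /usr/bin/tshark
-rwxr-xr-x 1 root root 1318388 2008-03-16 19:21 /usr/bin/wireshark'
SAMPLE_GETCAP='/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip'

# audit_listing LS_OUTPUT GETCAP_OUTPUT -> one "<path> <classification>" per line
audit_listing() {
  printf '%s\n' "$1" | while read -r mode _ owner group _ _ _ path; do
    [ -n "$path" ] || continue
    echo "$path $(classify_install "$mode" "$owner" "$group" "$(caps_of "$path" "$2")")"
  done
}

audit_listing "$SAMPLE_LS" "$SAMPLE_GETCAP"
```

A binary reported as `setuid-root/anyone` is the case the security team rejects above; `fscaps(...)/group:<g>` is the Fedora layout from comment 19.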
Comment 20 Ludwig Nussel 2010-12-09 10:55:04 UTC
still needs an audit
Comment 21 Thomas Biege 2012-03-07 08:03:55 UTC
Nothing has happened in the last year and it is not setuid on 12.1 -> closing