Re: kismet 2011.03.R2-1: Please review debconf PO/control for the package kismet
Nick Andrik wrote:
> Justin B Rye <jbr@edlug.org.uk>:
>> Kismet needs root privileges for some of its functions. To minimize
>> the amount of code that runs with elevated privileges (and reduce the
>> risk of bugs doing system-wide damage) it is recommended to install
>> Kismet with the "setuid" bit set, which will allow it to grant these
>> privileges automatically to the processes that need them, excluding
>> the user interface and packet decoding parts.
>>
>> (This leaves unstated the alternative of getting root "manually".)
>
> Do you think we should specify that? Then we should say something like:
> If you decide not to use setuid, then you will have to run kismet as
> root (e.g. sudo kismet)
Reading it again, yes, we should probably have some mention of that,
but I'd prefer not to add it at the end - maybe:
Kismet needs root privileges for some of its functions. However, running it
as root ("sudo kismet") is not recommended, since running all of the code
with elevated privileges increases the risk of bugs doing system-wide
damage. Instead Kismet can be installed with the "setuid" bit set, which
will allow it to grant these privileges automatically to the processes that
need them, excluding the user interface and packet decoding parts.
[...]
> I would propose something like this:
>
> For more detailed information, see section 4 of the Kismet README
> ("Suidroot & Security"), which can be found at:
> http://www.kismetwireless.net/README or
> /usr/share/doc/kismet/README
Fair enough, we've got room. (I don't like the colon, though.)
>>> .
>>> Enabling this feature allows users in the 'kismet' group to run Kismet (and
>>> capture packets, change wireless card state, etc). Do NOT enable setuid
>>> Kismet if you have untrusted users on your system.
>>> .
>>> Most users running Kismet on personal laptops should install it as setuid.
>>
>> This is all okay - I've just edited it to match the standard
>> debian-l10n-english "stylesheet", with double quotes and single-spaced
>> sentences.
>
> Now that I see it, I guess we should replace "laptops" with "computers", no?
> Most users running Kismet on personal computers should install it as setuid.
Do you mean "(Desktop) PCs" or "computers that are personal"? Saying
"personal computers" makes it sound as if you *don't* mean to
include laptops (or palmtops and so on), but form factor isn't the
issue here; the question is just whether it's a single-user system.
But what's unsafe about making it setuid on a multi-user system,
anyway? Even if I don't trust my little brother, the argument
against "sudo kismet" is still valid, which implies that kismet
should still be installed with the setuid bit set - we should just
be warning against letting untrusted users in the kismet group!
So I would suggest:
.
Enabling this feature allows users in the "kismet" group to run Kismet
(and capture packets, change wireless card state, etc), so only thoroughly
trusted users should be granted membership of the group.
.
For more detailed information, see section 4 of the Kismet README
("Suidroot & Security"), which can be found at
/usr/share/doc/kismet/README or "http://www.kismetwireless.net/README";.
>>> Package: kismet
>>> Architecture: any
>>> Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, libcap2-bin
>>> Suggests: kismet-plugins, festival, gpsd
>>> Description: Wireless sniffing and monitoring - core
>>> Kismet is an 802.11 layer2 wireless network detector, sniffer, and
>>> intrusion detection system. It will work with any wireless card
>>> that supports raw monitoring (rfmon) mode and can sniff 802.11b,
>>> 802.11a, and 802.11g traffic.
>>
>> Ah, slightly improved phrasing from the Squeeze version. But
>> * no need to capitalise "Wireless";
>> * in principle the old "...monitoring tool" synopsis had better
>> DevRef compliance (as a noun phrase describing the package), but
>> this works well enough;
>
> That is "wireless sniffer and monitor". Do you think it'd be better?
I'm always cautious around the word "monitor", since of course it's
also a piece of hardware. But maybe that does work. Okay, why not.
(Oops, and I had left kismet-plugins with a capitalised synopsis;
fixed now.)
>> * I'd say "layer-2" (possibly even "layer two");
>> * we're standardising on single-spaced sentences;
>> * it needs a comma after "mode" to make it clear that "can sniff" is
>> syntactically parallel to "work", not "supports" (it isn't saying
>> "any card that supports foo and can sniff bar and baz");
>> * you've updated the old blurb that only said it could do 802.11b,
>> but the README says it can do 802.11n, too! (Also, why list
>> 802.11b before 802.11a?)
>>
>> So I've got:
>>
>> Description: wireless sniffing and monitoring - core
>> Kismet is an 802.11 layer-2 wireless network detector, sniffer, and
>> intrusion detection system. It will work with any wireless card that
>> supports raw monitoring (rfmon) mode, and can sniff 802.11a, 802.11b,
>> 802.11g, and 802.11n traffic.
>
> Isn't there a way to group the protocols like 802.11abgn or it seems
> too technical?
> I saw this kind of presentation for supported protocols of wireless cards.
Wifi hardware manufacturers certainly use codes like 802.11abg to
label multi-mode devices, but in principle a new amended standard
might come out with a name like 802.11ag, so I would feel safer
using "802.11a/b/g/n".
>> * I'm not convinced "speak out" works as a transitive verb like
>> this, though it's hard to find an alternative;
I've worked out what the alternative was: "read out" (or "read
aloud").
Revised version attached.
Oh, I forgot to add my traditional Why The Name footnote. README
§18 says: "I really just [...] clicked through a thesaurus until I
found a word that wasn't used in any other OSS projects".
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
diff -ru old/control new/control
--- old/control 2012-11-06 11:16:34.222725429 +0000
+++ new/control 2012-11-07 17:43:54.822723788 +0000
@@ -12,37 +12,35 @@
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, libcap2-bin
Suggests: kismet-plugins, festival, gpsd
-Description: Wireless sniffing and monitoring - core
- Kismet is an 802.11 layer2 wireless network detector, sniffer, and
- intrusion detection system. It will work with any wireless card
- that supports raw monitoring (rfmon) mode and can sniff 802.11b,
- 802.11a, and 802.11g traffic.
+Description: wireless sniffer and monitor - core
+ Kismet is an 802.11 layer-2 wireless network detector, sniffer, and
+ intrusion detection system. It will work with any wireless card that
+ supports raw monitoring (rfmon) mode, and can sniff 802.11a/b/g/n
+ traffic.
.
- It can use festival to play audio alarms for network events,
- can speak out network summary on discovery, and optionally works with
- gpsd to map scanning.
+ It can use other programs to play audio alarms for network events,
+ read out network summaries, or provide GPS coordinates.
.
- This is the main package containing the core, client and server.
+ This is the main package containing the core, client, and server.
Package: kismet-plugins
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, kismet(= ${binary:Version})
Enhances: kismet
-Description: Wireless sniffing and monitoring - plugins
- Kismet is an 802.11 layer2 wireless network detector, sniffer, and
- intrusion detection system. It will work with any wireless card
- that supports raw monitoring (rfmon) mode and can sniff 802.11b,
- 802.11a, and 802.11g traffic.
+Description: wireless sniffer and monitor - plugins
+ Kismet is an 802.11 layer-2 wireless network detector, sniffer, and
+ intrusion detection system. It will work with any wireless card that
+ supports raw monitoring (rfmon) mode, and can sniff 802.11a/b/g/n
+ traffic.
.
- It can use festival to play audio alarms for network events,
- can speak out network summary on discovery, and optionally works with
- gpsd to map scanning.
+ It can use other programs to play audio alarms for network events,
+ read out network summaries, or provide GPS coordinates.
.
- This package contains the following extra plugins for kismet:
- autowep: Easily detect the WEP key from BSSID and SSID
- btscan: Basic scan support for Bluetooth, aka 802.15.1
- dot15d4: Support for 802.15.4 protocol
- ptw: Performs the Aircrack-NG PTW attack against data captured by Kismet
- spectools: Links to the Spectools spectrum analyzer network export
+ This package provides the following extra plugins for Kismet:
+ * autowep: detects the WEP key from BSSID and SSID;
+ * btscan: basic scan support for the 802.15.1 (Bluetooth) protocol;
+ * dot15d4: support for the 802.15.4 Personal Area Network protocol;
+ * ptw: performs the Aircrack-NG PTW attack against captured data;
+ * spectools: imports data from the spectools spectrum analyzer.
diff -ru old/kismet.templates new/kismet.templates
--- old/kismet.templates 2012-11-06 11:16:35.450724020 +0000
+++ new/kismet.templates 2012-11-07 17:20:44.458723861 +0000
@@ -2,31 +2,30 @@
Template: kismet/install-setuid
Type: boolean
Default: true
-_Description: Should Kismet be installed to run with setuid privs?
- Kismet can be installed as setuid (recommended) or as standard (root required).
- Running Kismet as setuid is recommended over running it as root, because
- most parts of Kismet (such as the UI and the parts that decode packets) will
- not run with elevated privileges, reducing the risk of bugs leading to
- system-wide harm.
+_Description: Install Kismet "setuid root"?
+ Kismet needs root privileges for some of its functions. However, running it
+ as root ("sudo kismet") is not recommended, since running all of the code
+ with elevated privileges increases the risk of bugs doing system-wide
+ damage. Instead Kismet can be installed with the "setuid" bit set, which
+ will allow it to grant these privileges automatically to the processes that
+ need them, excluding the user interface and packet decoding parts.
.
- For more detailed information, please see the "Suidroot & Security" section
- of the Kismet README at:
- http://www.kismetwireless.net/README
- or
- /usr/share/doc/kismet/README
+ Enabling this feature allows users in the "kismet" group to run Kismet
+ (and capture packets, change wireless card state, etc), so only thoroughly
+ trusted users should not be granted membership of the group.
.
- Enabling this feature allows users in the 'kismet' group to run Kismet (and
- capture packets, change wireless card state, etc). Do NOT enable setuid
- Kismet if you have untrusted users on your system.
- .
- Most users running Kismet on personal laptops should install it as setuid.
+ For more detailed information, see section 4 of the Kismet README
+ ("Suidroot & Security"), which can be found at
+ /usr/share/doc/kismet/README or "http://www.kismetwireless.net/README";.
Template: kismet/install-users
Type: string
_Description: Users to add to the kismet group
- Only users in the kismet group are able to use kismet under the setuid model.
+ Only users in the kismet group are able to use kismet under the setuid
+ model.
.
- List users, separated by spaces, to be added to the group.
+ Please specify the users to be added to the group, as a
+ space-separated list.
.
- NOTE: After adding users to a group, typically they must log out and log in
- again before the group is recognized.
+ Note that currently logged-in users who are added to a group will
+ typically need to log out and log in again before it is recognized.
Template: kismet/install-setuid
Type: boolean
Default: true
_Description: Install Kismet "setuid root"?
Kismet needs root privileges for some of its functions. However, running it
as root ("sudo kismet") is not recommended, since running all of the code
with elevated privileges increases the risk of bugs doing system-wide
damage. Instead Kismet can be installed with the "setuid" bit set, which
will allow it to grant these privileges automatically to the processes that
need them, excluding the user interface and packet decoding parts.
.
Enabling this feature allows users in the "kismet" group to run Kismet
(and capture packets, change wireless card state, etc), so only thoroughly
trusted users should not be granted membership of the group.
.
For more detailed information, see section 4 of the Kismet README
("Suidroot & Security"), which can be found at
/usr/share/doc/kismet/README or "http://www.kismetwireless.net/README";.
Template: kismet/install-users
Type: string
_Description: Users to add to the kismet group
Only users in the kismet group are able to use kismet under the setuid
model.
.
Please specify the users to be added to the group, as a
space-separated list.
.
Note that currently logged-in users who are added to a group will
typically need to log out and log in again before it is recognized.
Source: kismet
Section: net
Priority: optional
Homepage: http://www.kismetwireless.net/
Maintainer: Nick Andrik <nick.andrik@gmail.com>
Build-Depends: cdbs, debhelper(>=8), po-debconf, autotools-dev,
libncurses5-dev, libpcap-dev, libpcre3-dev, libcap-dev, libnl2-dev,
pkg-config, libbluetooth-dev, libusb-dev, libssl-dev
Standards-Version: 3.9.4
Package: kismet
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, libcap2-bin
Suggests: kismet-plugins, festival, gpsd
Description: wireless sniffer and monitor - core
Kismet is an 802.11 layer-2 wireless network detector, sniffer, and
intrusion detection system. It will work with any wireless card that
supports raw monitoring (rfmon) mode, and can sniff 802.11a/b/g/n
traffic.
.
It can use other programs to play audio alarms for network events,
read out network summaries, or provide GPS coordinates.
.
This is the main package containing the core, client, and server.
Package: kismet-plugins
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, kismet(= ${binary:Version})
Enhances: kismet
Description: wireless sniffer and monitor - plugins
Kismet is an 802.11 layer-2 wireless network detector, sniffer, and
intrusion detection system. It will work with any wireless card that
supports raw monitoring (rfmon) mode, and can sniff 802.11a/b/g/n
traffic.
.
It can use other programs to play audio alarms for network events,
read out network summaries, or provide GPS coordinates.
.
This package provides the following extra plugins for Kismet:
* autowep: detects the WEP key from BSSID and SSID;
* btscan: basic scan support for the 802.15.1 (Bluetooth) protocol;
* dot15d4: support for the 802.15.4 Personal Area Network protocol;
* ptw: performs the Aircrack-NG PTW attack against captured data;
* spectools: imports data from the spectools spectrum analyzer.
Reply to: