[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: On Wireshark and network capture in general

Maybe we can offer something via debconf during installation to ask
users if they'd like non-root users to access dumpcap. But I guess the
question there is to determine how to provide access to dumpcap (there
were some great ideas discussed above).

Having the GUI run as non-root sounds like a great idea to me, the
less code running setuid 0 the better. And that means the GUI will be
useful for analyzing things that have already been captured, as Mike
mentioned, and you won't need root for that.

So some sort of wrapper when users attempt to launch captures, perhaps
something like gksu to get permission for dumpcap...

On Fri, Jun 19, 2009 at 9:29 AM, Michael Stone<mstone@debian.org> wrote:
> On Fri, Jun 19, 2009 at 01:56:05PM +0200, Josselin Mouette wrote:
>> Le vendredi 19 juin 2009 à 12:54 +0200, Jaap Keuter a écrit :
>>> > What I've noticed is that Debian (still) requires the user to run
>>> > Wireshark with root credentials in order to be able to launch a
>>> > network
>>> > capture. Otherwise the network interfaces won't even be visible.
>>> > This problem, running a massive GUI application with root
>>> > credentials, was
>>> > identified long ago and addressed as such. The core capture
>>> > functionality
>>> > was isolated in a capture child, so the rest (dissection, GUI, etc)
>>> > could
>>> > be run as a normal user. This only(ahem) requires the capture engine
>>> > (dumpcap) to be installed setuid root.
>> I think it’s just as bad an idea to launch dumpcap setuid root as it is
>> to launch the GUI as root.
> Definitely as default for the install. For many people the common case is to
> use wireshark to analyze captures taken by a different tool, and there's no
> reason for them to automatically have anything setuid to support that case.
> Mike Stone
> --
> To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org

Reply to: