wireshark must be run as root unless wireshark-common is reconfigured

Bug #513903 reported by Captain Chaos on 2010-01-28
This bug affects 34 people
Affects: wireshark (Ubuntu)
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Binary package hint: wireshark

If I run wireshark as a normal user, I can't select a capture interface and it doesn't work. According to bug #287099, wireshark needs to be run as root. If that really is the case it should be installed in the menu with gksu, just like all the other tools in the menu that need root privileges.

However, if you run wireshark as root, it complains: "Running as user "root" and group "root". This could be dangerous". Apparently, you are not meant to run wireshark as root. This message is confusing and inconsistent. Apparently Ubuntu currently provides no way to run wireshark correctly out of the box. It either doesn't work, or complains about running as root.

I agree that running a complex tool like wireshark as root is not a good idea. Furthermore, the wireshark documentation says so too, and provides several ways of running wireshark as a non-root user: http://wiki.wireshark.org/CaptureSetup/CapturePrivileges.

I've tested the instructions under "limiting capture permissions to only one group", and they work perfectly. I can now capture packets as a normal user, without having to run wireshark as root.

I propose that this mechanism be implemented for the Ubuntu wireshark package, so that normal users (after having been added to the wireshark group) can capture packets out of the box, without warnings about running as root.

ProblemType: Bug
Architecture: amd64
Date: Thu Jan 28 18:29:01 2010
DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
NonfreeKernelModules: nvidia
Package: wireshark 1.2.2-2
ProcVersionSignature: Ubuntu 2.6.31-17.54-generic
SourcePackage: wireshark
Uname: Linux 2.6.31-17-generic x86_64

Captain Chaos (launchpad-chaos) wrote :
visibility: private → public
Changed in wireshark (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
spinkham (steve-pinkham) wrote :

Fixed in Debian as of package version 1.2.6-2, one version after the one currently in Lucid.
See changelog here: http://packages.debian.org/changelogs/pool/main/w/wireshark/wireshark_1.2.6-5/changelog

Richard Laager (rlaager) wrote :

Awesome. However, when the newer package is synced from Debian, would it be better for Ubuntu to change GROUP=wireshark to GROUP=admin in wireshark-common.postinst?

Balint Reczey (rbalint) wrote :

Please don't.
Keeping the separate group allows finer grained security control.

Brian Rogers (brian-rogers) wrote :

The change is in Lucid now, but I don't see what to do to enable packet capture as a user. There's no group named 'wireshark'.

On 2010-04-27 12:08, Brian Rogers wrote:
> The change is in Lucid now, but I don't see what to do to enable packet
> capture as a user. There's no group named 'wireshark'.

For a single-user system you can give the "dumpcap" program (which is
what wireshark uses to capture network traffic) the rights to read
network traffic using this command:

sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

This should work on Lucid without the need to create a group.

The Debian change is indeed present in Lucid. The wireshark-common postinst script is now capable of running these commands:

  addgroup --quiet --system wireshark
  chown root:wireshark /usr/bin/dumpcap
  setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

However, those commands are only run if the debconf database contains a wireshark-common/install-setuid entry that is not "false", and in Ubuntu, no such entry is created upon installation. I just purged and re-installed to be sure.

It seems the user is expected to somehow guess that wireshark will only capture for non-root users if dpkg/synaptic is run manually to configure the wireshark-common package. That is a lot to ask of anyone who isn't a wireshark package maintainer. There is a short, non-obvious note buried in /usr/share/doc/wireshark-common:

   "The installation method can be changed any time by running:
   dpkg-reconfigure wireshark-common"

However, I still see some information discovery problems here:

- Even someone knowledgeable enough to look in /usr/share/doc would probably expect this information to be in the readme for wireshark, and could easily miss the one for wireshark-common.

- Even if they did manage to find the critical readme, they could easily overlook that short note, because it is not worded clearly enough to be an obvious solution to the problem they're trying to solve.

- Even if they finally figure out that reconfiguring the package might be the answer, the debconf prompt is misleading and warns them away from this. It asks if dumpcap should be installed "setuid root" (which is not what actually happens) and the help text warns of a security risk (which doesn't actually exist because setcap is used instead of setuid, and only for users manually added to the wireshark group).

I think we would be doing our wireshark users a service to improve this situation. A few things that could help:

- Run addgroup/setcap by default (don't require the user to go on a debconf hunt to make it happen).
- Update the debconf text to reflect what is really going on (setcap, not setuid).
- Document the use of the wireshark group in the wireshark readme.

Forest (foresto) wrote :

To other users who are trying to find an immediate fix:

Upgrade to lucid, reconfigure the wireshark-common package (using dpkg-reconfigure or synaptic), add yourself to the newly created wireshark group, log out and back in (to apply your new group membership).

NT Man (mikhail-v-gavrilov) wrote :

Why couldn't this be done by default?

Malte S. Stretz (mss) on 2010-09-09
summary: - Must be run as root, which is not secure
+ wireshark must be run as root unless wireshark-common is reconfigured
Guy Harris (guyharris) wrote :

If you're going to create a group for this, give it a neutral name rather than a Wireshark-specific name; this doesn't just apply to Wireshark, it applies to any other program that either directly opens PF_PACKET/SOCK_RAW sockets or that calls libpcap to do so, e.g. tcpdump.

On OS X, the Wireshark installation package creates an "access_bpf" group; as Linux doesn't use /dev/bpf* devices, that name wouldn't make sense, but a similar name might make sense.

TJ (tj) wrote :

This issue is still biting on Precise LTS.

The solution isn't easily found even when reading the document referred to when starting Wireshark as root ("/usr/share/doc/wireshark-common/README.Debian").

  sudo dpkg-reconfigure wireshark-common

Answer 'yes' to "Should non-superusers be able to capture packets?"

Then add the user account(s) to the now-created "wireshark" group (replace $USER with the user account name):

  sudo adduser $USER wireshark

Log out completely and log in again for the new group membership to be recognised.

Start "Wireshark" without using gksudo/gksu/sudo.
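As an added example (not part of this thread or of the wireshark package), the following script audits the non-root capture setup described by the postinst commands above (addgroup/chown/setcap) and by TJ's steps: a system "wireshark" group, dumpcap owned root:wireshark with mode 750, the file capabilities, and the current user's group membership. It assumes the Debian/Ubuntu paths and tools named in its comments; the sample inputs in the check functions' comments are constructed.

```shell
#!/bin/sh
# Added audit script (not from the bug report or the Debian package): checks the
# state the wireshark-common postinst is supposed to leave behind. Assumes
# dumpcap at /usr/bin/dumpcap, GNU stat(1), getcap(8) from libcap2-bin, and the
# adduser.conf default system-GID range 100..999 used by "addgroup --system".

# 0 when a getcap(8) line grants both cap_net_raw and cap_net_admin in the
# effective+inheritable+permitted sets. Accepts the older
# "path = caps+eip" and the newer "path caps=eip" output formats.
caps_ok() {
    case $1 in *cap_net_raw*) ;; *) return 1 ;; esac
    case $1 in *cap_net_admin*) ;; *) return 1 ;; esac
    case $1 in *+eip*|*=eip*) return 0 ;; *) return 1 ;; esac
}

# 0 when the GID is in the system range (the thread notes the group must be one).
is_system_gid() {
    [ "$1" -ge "${2:-100}" ] && [ "$1" -le "${3:-999}" ]
}

# 0 when user $1 appears in the member list of the /etc/group line $2
# (constructed sample: "wireshark:x:130:bob,alice").
user_in_group_line() {
    case ",${2##*:}," in *",$1,"*) return 0 ;; *) return 1 ;; esac
}

# 0 when a stat(1) "%U:%G %a" result is root:wireshark mode 750, i.e. only
# root and wireshark group members can execute dumpcap at all.
perms_ok() {
    [ "$1" = "root:wireshark 750" ]
}

# Runs the four checks against the live system; prints one WARN per problem.
audit_live_system() {
    bin=/usr/bin/dumpcap
    [ -e "$bin" ] || { echo "WARN: $bin not installed"; return 1; }
    gline=$(getent group wireshark) ||
        { echo "WARN: no wireshark group (run: dpkg-reconfigure wireshark-common)"; return 1; }
    is_system_gid "$(echo "$gline" | cut -d: -f3)" ||
        echo "WARN: wireshark group is not a system group (see adduser.conf)"
    perms_ok "$(stat -c '%U:%G %a' "$bin")" ||
        echo "WARN: dumpcap is $(stat -c '%U:%G %a' "$bin"), expected root:wireshark 750"
    caps_ok "$(getcap "$bin")" ||
        echo "WARN: dumpcap lacks cap_net_raw,cap_net_admin=eip"
    user_in_group_line "$(id -un)" "$gline" ||
        echo "WARN: $(id -un) is not in the wireshark group (adduser, then re-login)"
}
# Run the live audit only when invoked as: sh audit-dumpcap.sh --live
case ${1:-} in --live) audit_live_system ;; esac
```

A clean report from the live audit means the setup the README.Debian describes is in place; each WARN names the step of the thread's procedure that is still missing.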

Evan Huus (eapache) wrote :

I just reread the README.Debian file and didn't find it particularly non-obvious. The very first thing it does is say that there are two ways of getting permissions to capture packets. It then lists those two ways (explicitly mentioning which is default) and says that to switch between them you have to run the dpkg-reconfigure command.

I admit it could probably be more friendly, but I don't think it's exactly obtuse in its current form.

Vangelis Tasoulas (cyberang3l) wrote :

The automated way to fix it using dpkg-reconfigure wireshark-common is not working for me on 13.04.

I have to run the following commands:
$ sudo -s
$ groupadd wireshark
$ usermod -a -G wireshark <yourUserName>
$ apt-get install pcaputils
$ chgrp wireshark /usr/bin/dumpcap
$ chmod 750 /usr/bin/dumpcap
$ setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap

Note: I had wireshark working already by running these commands in my 12.10 installation. After the upgrade to 13.04 wireshark stopped working for simple users again and I had to run only the last 4 commands as the group wireshark already existed.

Balint Reczey (rbalint) wrote :

@Vangelis:
I have no available 13.04 installation, but the packages in Debian work fine.

Why do you think that it does not work?

Please run the following commands to test the automated method:

apt-get purge wireshark-common
groupdel wireshark
apt-get install wireshark
dpkg-reconfigure wireshark-common

If the fix is still not applied, please copy any error message or symptom you face.

Balint Reczey (rbalint) wrote :

@Vangelis: note that the wireshark group needs to be a system group

Vangelis Tasoulas (cyberang3l) wrote :

@Balint:
Sorry for the late reply but I was not subscribed to the notifications of this bug.

Thanks for pointing out that wireshark needs to be a system group. For me it wasn't.

I just ran the 4 commands you provided and it worked well :)

Balint Reczey (rbalint) wrote :

@Vangelis:
Great!
From wireshark 10.0.0-3 the postinst script will emit a warning if the wireshark group is not a system group.

Vadim Peretokin (vperetokin) wrote :

Doing dpkg-reconfigure wireshark-common didn't fix it for me (Wireshark told me Couldn't run /usr/bin/dumpcap in child process: Permission denied). Following the instructions at http://ubuntuforums.org/showthread.php?t=2039978&p=12161999#post12161999 did fix it.

Balint Reczey (rbalint) wrote :

@Vadim: Please don't spread possibly (in this case 100%) wrong suggestions found on random forums.
If you had problems setting up the Ubuntu wireshark package please ask for advice here, on the official bug tracker instead.
If you undo everything you did manually (hint: sudo apt-get purge wireshark-common && apt-get install wireshark) and follow /usr/share/doc/wireshark-common/README.Debian carefully you should be able to set up wireshark properly. If you don't succeed, we will help you debug the problem and in case there is a packaging bug we will also fix it.

Alberto Jovito (thedemon007) wrote :

I reproduced this in Ubuntu 12.04:

$ sudo apt-get install wireshark
$ sudo su
# groupadd wireshark
# exit
$ sudo apt-get purge wireshark-common

fixed with
sudo delgroup wireshark

Alberto Jovito (thedemon007) wrote :

Sorry, the comment was not for this bug but for bug #530443.

Balint Reczey (rbalint) wrote :

@Alberto: please use 'groupadd -s wireshark' instead. It must be a system group.

Scott Palmer (skewty) wrote :

I am having this issue in Ubuntu Desktop 16.04.

Steps to Reproduce:

1) Do a fresh install of Ubuntu Desktop 16.04.
2) # sudo apt install wireshark
3) answer yes to allow non-root users to do packet captures.
4) # wireshark
5) Observe the "Couldn't run /usr/bin/dumpcap in child process: Permission denied" message.

Balint Reczey (rbalint) wrote :

...
 3) answer yes to allow non-root users to do packet captures.

Have you noticed that the question mentions a README.Debian file?:

_Description: Should non-superusers be able to capture packets?
 Dumpcap can be installed in a way that allows members of the "wireshark"
 system group to capture packets. This is recommended over the
 alternative of running Wireshark/Tshark directly as root, because
 less of the code will run with elevated privileges.
 .
 For more detailed information please see
 /usr/share/doc/wireshark-common/README.Debian.
 .
 Enabling this feature may be a security risk, so it is disabled by
 default. If in doubt, it is suggested to leave it disabled.

This report contains Public Security information.