Comment 7 for bug 513903

Forest (foresto) wrote : Re: Must be run as root, which is not secure

The debian change is indeed present in lucid. The wireshark-common postinst script is now capable of running these commands:

  addgroup --quiet --system wireshark
  chown root:wireshark /usr/bin/dumpcap
  setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

However, those commands are only run if the debconf database contains a wireshark-common/install-setuid entry that is not "false", and in ubuntu, no such entry is created upon installation. I just purged and re-installed to be sure.

It seems the user is expected to somehow guess that wireshark will only capture for non-root users if dpkg/synaptic is run manually to configure the wireshark-common package. That is a lot to ask of anyone who isn't a wireshark package maintainer. There is a short, non-obvious note buried in /usr/share/doc/wireshark-common:

   "The installation method can be changed any time by running:
   dpkg-reconfigure wireshark-common"

However, I still see some information discovery problems here:

- Even someone knowledgeable enough to look in /usr/share/doc would probably expect this information to be in the readme for wireshark, and could easily miss the one for wireshark-common.

- Even if they did manage to find the critical readme, they could easily overlook that short note, because it is not worded clearly enough to be an obvious solution to the problem they're trying to solve.

- Even if they finally figure out that reconfiguring the package might be the answer, the debconf prompt is misleading and warns them away from this. It asks if dumpcap should be installed "setuid root" (which is not what actually happens) and the help text warns of a security risk (which doesn't actually exist because setcap is used instead of setuid, and only for users manually added to the wireshark group).

I think we would be doing our wireshark users a service to improve this situation. A few things that could help:

- Run addgroup/setcap by default (don't require the user to go on a debconf hunt to make it happen).
- Update the debconf text to reflect what is really going on (setcap, not setuid).
- Document the use of the wireshark group in the wireshark readme.
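The following is an added example, not part of the bug report or of the wireshark-common postinst script. It runs the same three steps the comment above quotes from the postinst (addgroup, chown, setcap) and then gives a user a way to confirm the result without root: that getcap shows cap_net_raw and cap_net_admin in the effective, inheritable and permitted sets, that the current account is in the wireshark group, and that dumpcap can list interfaces. The chmod 750 step, the DUMPCAP path variable and the function names are assumptions made here, not something the comment states; the getcap output lines in the comments are constructed samples covering both libcap output styles.

```shell
#!/bin/sh
# Added example: non-root capture via file capabilities on dumpcap.
# Assumes Debian/Ubuntu tooling: addgroup, setcap/getcap (libcap2-bin), id.
# configure_dumpcap must run as root; the check functions need no privilege.

DUMPCAP=${DUMPCAP:-/usr/bin/dumpcap}   # assumed path, matches the postinst commands

# Return 0 when a getcap output line grants both cap_net_raw and
# cap_net_admin with the e, i and p flags. Two constructed sample lines,
# one per libcap output style:
#   /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip   (older libcap)
#   /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip     (newer libcap)
caps_ok() {
    line=$1
    case "$line" in *cap_net_raw*) ;; *) return 1 ;; esac
    case "$line" in *cap_net_admin*) ;; *) return 1 ;; esac
    # the flag set follows the '+' or '=' after the capability list
    flags=$(printf '%s' "$line" | sed -n 's/.*cap_net_[a-z]*[+=]\([eip]*\).*/\1/p')
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) ;; *) return 1 ;; esac
    return 0
}

# Return 0 when the whitespace-separated group list (as printed by `id -nG`)
# contains the wireshark group.
in_wireshark_group() {
    for g in $1; do
        [ "$g" = wireshark ] && return 0
    done
    return 1
}

# The three steps the postinst performs when install-setuid is enabled,
# run directly. chmod 750 is an assumption added here so that only members
# of the wireshark group can execute the capability-bearing binary.
configure_dumpcap() {
    [ "$(id -u)" -eq 0 ] || { echo "configure_dumpcap: run as root" >&2; return 1; }
    addgroup --quiet --system wireshark
    chown root:wireshark "$DUMPCAP"
    chmod 750 "$DUMPCAP"
    setcap cap_net_raw,cap_net_admin=eip "$DUMPCAP"
}

# Unprivileged check: capabilities present, user in the group, interfaces
# listable. Group changes only take effect on a fresh login.
verify_dumpcap() {
    caps_ok "$(getcap "$DUMPCAP" 2>/dev/null)" \
        || { echo "$DUMPCAP lacks cap_net_raw,cap_net_admin=eip" >&2; return 1; }
    in_wireshark_group "$(id -nG)" \
        || { echo "current user is not in group wireshark (re-login after adduser)" >&2; return 1; }
    "$DUMPCAP" -D >/dev/null
}

case "${1:-}" in
    configure) configure_dumpcap ;;
    verify)    verify_dumpcap && echo "non-root capture is set up" ;;
esac
```

Usage: `sudo sh dumpcap-caps.sh configure`, then `sudo adduser "$USER" wireshark`, log out and back in, and run `sh dumpcap-caps.sh verify` as the ordinary user. The verify step is the part a user hunting for this setting actually needs: it distinguishes "capabilities not set" (the debconf entry is still false) from "not in the group yet".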