Granting Wireshark capture privileges does not allow USB capture

With a little testing I have been able to confirm this bug. I'll have to do further work to figure out the why, but it is definitely reproducible.

My apologies for the rather extensive delay. Other things came up, and it took me longer than I thought it would to figure out what was going on.

Short answer: running "sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_DAC_OVERRIDE+eip' /usr/bin/dumpcap" should grant you the ability to capture USB packets as non-root (as long as you're in the wireshark group, of course). This is a *workaround*, and is not-nice from a security perspective (although it's still better than running the whole of wireshark as root). More details are below the cut.

---

Running dpkg-reconfigure as you did simply automates the steps listed at [1] and [2]. This uses the linux capabilites subsystem [3] to grant the dumpcap program (the part of wireshark that actually does the capturing) the NET_RAW and NET_ADMIN capabilities so it can capture on network interfaces without full root privileges.

The USB capture component of dumpcap uses a different interface from the network capture, as the kernel exposes the two types of devices in different ways. The USB devices are exposed via the /dev/usbmonXXX device files, which are read/writable by root only. Setting the NET_* capabilities has no effect on dumpcap's ability to access those files.

Unfortunately, the only capability I've found that does grant dumpcap the ability to access those files is the DAC_OVERRIDE capability (DAC stands for Discretionary Access Control). With this capability, dumpcap can read/write to ANY file on the filesystem regardless of that file's permissions or owner. This means it can access the USB device files, but it also means it gets access to all the other dangerous files on the filesystem.

The optimal solution would be for Linux to provide more fine-grained capabilities so that it is possible to grant dumpcap USB access without all of the other dangerous stuff that comes with it. For now, it's understandable why Wireshark doesn't want to open up that security hole by default.

If anything is unclear, please don't hesitate to ask.

Evan

[1] http://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Setting_network_privileges_for_dumpcap
[2] http://wiki.wireshark.org/CaptureSetup/CapturePrivileges#Limiting_capture_permission_to_only_one_group
[3] http://linux.die.net/man/7/capabilities

Evan: Thank you for the detailed explanation.

Paul: Not allowing capturing on USB to a regular user is intentional. Keep in mind that keyboards and storages can be attached via USB and in those cases the user would be allowed to read any file on the attached storage
or log keys. Wireshark 1.6.5-2 or 1.6.6-1 will contain an updated README.Debian covering capturing USB packets.

Closing this as opinion, as even if Linux were to offer more fine-grained security controls we might not use them (due to the security concerns Balint mentioned).

Similar arguments can be brought up against allowing a user to capture network traffic. So arguing against it - at least if there were a fine-grained option in the kernel - is not convincing, especially if it is disabled by default as the network privilege is ATM. And if there were such a capability then it would be obviously safer and better to run wireshark as non-root if you have to capture USB packets, which isn't too uncommon for hardware developers (I am in that situation right now ;). Hence this is *not* an opinion but a bug (not only in wireshark, but also/mainly in the kernel). Did anybody know what the kernel guys think about adding a finer-grained capability for this? I won't reopen the bug for now mainly because it does not make sense, if the Debian (and an Ubuntu) maintainer just not agrees with the above :) I encourage you to do so and add the kernel though.

@Stefan: I think if a system uses NAS , which would allow a user being able to capture netwok packets read files, the syste admin would not allow capturing network packets as normal users.

You can still allow normal users to capture USB packets using wireshark by setting the setuid bit on dumpcap and making this change permanent using dpkg-statoverride as suggested in README.Debian:

      Note that capturing USB packets is not enabled for non-root users by using
      Linux Capabilities. You have to capture the packets using the method
      described in I./a., setting the set-user-id permanently using
      dpkg-statoverride or running Wireshark as root.

This opens a security hole on the system as detailed above.

"I think if a system uses NAS…" I meant it more generally: information leaks on networks are so common that you can compare the thread level to that of a sniffable USB.

"This opens a security hole on the system as detailed above." That's exactly my point, this should not be needed, because it greatly increases the threat potential due to unnecessarily granted privileges. It is just a poor workaround for the missing capability setting in the kernel.