cannot perform packet captures as a regular user

Bug #483106 reported by Andrew
This bug affects 6 people
Affects: wireshark (Debian), Status: Won't Fix, Importance: Unknown
Affects: wireshark (Ubuntu), Status: Confirmed, Importance: Wishlist, Assigned to: Unassigned
Nominated for Lucid by Jared Luxenberg

Bug Description

Binary package hint: wireshark

It is impossible to use wireshark from a non-superuser account.

Regular user accounts do not have enough rights, which is why the user has to use sudo or su, and this is unsafe. For example, after the update to Karmic I get an application freeze when I try to start a capture. I started the application as root, which is why wireshark froze the whole system.

My proposal: please create a wireshark group with enough rights for the application to work, like on Gentoo. It will be more useful than sudo etc.

Thanks a lot.

Kees Cook (kees)
security vulnerability: yes → no
visibility: private → public
summary: - Usage Wireshark is unsafe
+ cannot perform packet captures as a regular user
Changed in wireshark (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Cliff (klfjoat) wrote :

This issue, as well as its fix, has been in Brainstorm for over a year. It's a simple, security-minded fix. To quote from there...

Wireshark's developers strongly recommend against running as root. As of 9.10, Wireshark installs to menu with no root option, making it useless.

Installing the small dumpcap binary from wireshark-common suid root allows users to run wireshark itself, with all its complexity, as unprivileged users, thus possibly enhancing security.

sudo chgrp GROUPNAME /usr/bin/dumpcap
sudo chmod 4750 /usr/bin/dumpcap

http://brainstorm.ubuntu.com/idea/14140/

I have set the group on my machine to "admin", but a new "wireshark" group makes sense, too.

Changed in wireshark (Debian):
status: Unknown → Won't Fix
Balint Reczey (rbalint) wrote :

Copying README.Debian [0] here:
Capturing packets with Wireshark/Tshark

There are two ways of installing Wireshark/Tshark on Debian:

I. Installing dumpcap with SETUID bit set

Members of group wireshark will be able to capture packets on network
interfaces. This is the preferred way of installation if Wireshark/Tshark
will be used for capturing and displaying packets at the same time, since
that way only the dumpcap process has to be run with root privileges
thanks to the privilege separation[1].

Note that no user will be added to group wireshark automatically, the system
administrator has to add them manually.

II. Installing dumpcap without SETUID bit set

Only root user will be able to capture packets. It is advised to capture
packets with the bundled dumpcap program as root and then run Wireshark/Tshark
as an ordinary user to analyze the captured logs. [2]

The installation method can be changed anytime by running:
dpkg-reconfigure wireshark-common

[1] http://wiki.wireshark.org/Development/PrivilegeSeparation
[2] http://wiki.wireshark.org/CaptureSetup/CapturePrivileges

[0] http://svn.debian.org/wsvn/collab-maint/ext-maint/wireshark/trunk/debian/README.Debian
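
Added example (not part of the bug report, the README or the Debian package): a shell check that a capture helper matches the layout described in the comments above, that is owned by root, restricted to one group, mode 4750. The function names and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example: audit a setuid capture helper (e.g. /usr/bin/dumpcap).
# Assumes GNU stat, as shipped on Debian/Ubuntu.

# check_helper_perms OWNER GROUP MODE WANT_GROUP
# Prints one finding per line and returns 1 when the values deviate from
# root:WANT_GROUP with mode 4750; prints nothing and returns 0 otherwise.
# Returns 2 if MODE is not a 3- or 4-digit octal string.
check_helper_perms() {
    owner=$1; group=$2; mode=$3; want_group=$4; rc=0
    case $mode in
        [0-7][0-7][0-7]) mode=0$mode ;;        # stat %a omits a leading 0
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "unparseable mode: $mode"; return 2 ;;
    esac
    special=${mode%???}                        # setuid/setgid/sticky digit
    rest=${mode#??}; grp=${rest%?}             # group permission digit
    oth=${mode#???}                            # "other" permission digit

    [ "$owner" = root ] || { echo "owner is $owner, not root"; rc=1; }
    [ "$group" = "$want_group" ] ||
        { echo "group is $group, not $want_group"; rc=1; }
    [ "$special" = 4 ] ||
        { echo "special bits are $special, expected 4 (setuid only)"; rc=1; }
    [ "$grp" = 5 ] ||
        { echo "group bits are $grp, expected 5 (r-x)"; rc=1; }
    [ "$oth" = 0 ] ||
        { echo "other bits are $oth: users outside $want_group have access"; rc=1; }
    return $rc
}

# audit_helper PATH WANT_GROUP
# Reads owner, group and octal mode from disk and runs the check above.
audit_helper() {
    info=$(stat -c '%U %G %a' -- "$1") || return 2
    # Intentional word splitting: $info is "owner group mode".
    set -- "$2" $info
    check_helper_perms "$2" "$3" "$4" "$1"
}
```

For example, `audit_helper /usr/bin/dumpcap wireshark` prints nothing when the helper is root:wireshark with mode 4750.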

Martin Olsson (mnemo) wrote :

It would be sweet to have this for Lucid.
