On 2014-04-07, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote:
> previously on this list Stuart Henderson contributed:
>
>> > If a port is considered dangerous like wireshark was it
>> > is removed to avoid encouraging it but users can still build it of
>> > course.
>> 
>> There's a problem with *not* having it in ports too: if people do compile
>> it for themselves, considering how long the damn thing takes to build, it's
>> highly likely that they won't update it as often as if there were packages...
>> 
>> And it's less bad now than it used to be - they don't do proper privilege
>> separation like OpenBSD's tcpdump does, but at least it's now just the
>> network capture part that runs as root, the packet dissectors now run as
>> a normal uid.
>
> I thought it was the sheer number of parsing bugs; wouldn't dumpcap
> suid have sorted that, or have they built it in more finely, and did
> doing that just bring other insecurities?

It used to be that, in order to run live captures, you had to run the
whole thing as root. Totally unsafe.

Following the dumpcap split, the dissectors (which are still dangerous
and untrustworthy) are run as a normal user. This is better than it used
to be, though still not great; looking at the release notes for pretty
much every version of wireshark ever released will show a number of
security-related bugs in this area. This is difficult code to get right
and is obviously handling untrusted data, and I think many users would
run it as their normal user account. But then one could also say that
about your average web browser.

Compare with the model used by OpenBSD's tcpdump - the dissectors are
run in a child process, chrooted in an empty unwritable directory.
(tcpdump.org's version is not as strong; they can chroot/drop privs;
however, this is done in a single process.)
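The split described above (privileged capture stays in the parent, the untrusted dissector runs in a chrooted, unprivileged child that can only report a verdict back), as an added C example; this is not tcpdump's or Wireshark's code. The toy dissector, the sample frame, the 0xdead "crash" EtherType, the user name "nobody" and the jail path are all constructed assumptions for the demo.

```c
#define _DEFAULT_SOURCE                 /* chroot/setgroups prototypes on glibc */
#include <sys/wait.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>

enum { DISSECT_OK = 0, DISSECT_BAD = 1, DISSECT_CRASHED = 2 };
/* Constructed sample: Ethernet + minimal IPv4 header whose protocol field is 6 (TCP). */
static const unsigned char SAMPLE_TCP_FRAME[34] = {
    [12] = 0x08, [13] = 0x00, [14] = 0x45, [16] = 0x00, [17] = 0x14, [22] = 0x40, [23] = 0x06 };
/* Toy dissector (constructed, not tcpdump's): returns the IPv4 protocol number or -1
 * if malformed. EtherType 0xdead stands in for a parser bug and crashes the process. */
static int dissect_ipv4_proto(const unsigned char *p, size_t n)
{
    if (n < 34) return -1;                         /* 14 Ethernet + 20 IPv4 */
    if (p[12] == 0xde && p[13] == 0xad) abort();   /* simulated dissector crash */
    if (p[12] != 0x08 || p[13] != 0x00) return -1; /* not IPv4 */
    size_t ihl = (p[14] & 0x0f) * 4;
    if ((p[14] >> 4) != 4 || ihl < 20 || 14 + ihl > n) return -1;
    return p[14 + 9];                              /* IPv4 protocol field */
}
/* Child side: confine before touching packet bytes. chroot/setuid need root, so an
 * unprivileged run stops after chdir; the empty jail directory is assumed to exist. */
static int confine(const char *jail, const char *user)
{
    struct passwd *pw = getpwnam(user);            /* look up before chroot hides /etc */
    if (chdir(jail) == -1) return -1;
    if (geteuid() != 0) return 0;
    if (pw == NULL || chroot(jail) == -1 || chdir("/") == -1) return -1;
    if (setgroups(1, &pw->pw_gid) == -1 || setgid(pw->pw_gid) == -1 || setuid(pw->pw_uid) == -1) return -1;
    return 0;
}
/* Parent side: run the dissector in a confined child and read only its verdict back
 * over a pipe; a crash in the child leaves the privileged capture process alive. */
static int dissect_in_sandbox(const unsigned char *frame, size_t n, const char *jail, int *proto)
{
    int fd[2], st, r = -1;
    pid_t pid;
    if (pipe(fd) == -1 || (pid = fork()) == -1) return DISSECT_CRASHED;
    if (pid == 0) {                                /* child: needs no privileges */
        close(fd[0]);
        if (confine(jail, "nobody") == -1 || (r = dissect_ipv4_proto(frame, n)) < 0) _exit(1);
        _exit(write(fd[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fd[1]);
    ssize_t got = read(fd[0], &r, sizeof r);       /* 0 bytes if the child died first */
    close(fd[0]); waitpid(pid, &st, 0);
    if (WIFSIGNALED(st)) return DISSECT_CRASHED;
    if (!WIFEXITED(st) || WEXITSTATUS(st) != 0 || got != (ssize_t)sizeof r) return DISSECT_BAD;
    *proto = r; return DISSECT_OK;
}
```

A real capture loop would call dissect_in_sandbox() once per frame (or keep one long-lived child and stream frames to it), so a dissector fault shows up as DISSECT_CRASHED rather than taking the root-owned capture process down with it.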
