Wireshark mailing list archives
Re: Wireshark on Kali linux
From: Peter Wu <peter () lekensteyn nl>
Date: Wed, 6 Feb 2019 14:06:22 +0100
On Wed, Feb 06, 2019 at 12:46:20PM +0000, João Valverde wrote:
On 06/02/19 09:08, Dario Lombardo wrote:> This would mean that they'd have to build Wireshark differently from the default way it's built, using the "package for systems that run everything as root" option. That means a standard Debian package, built to run on a system where you *don't* run everything as root, so that you can leave the safety checks in place, won't be appropriate for Kali. I was thinking to something like maintaining a list of debian derivative that have just the root account (the version checked with lsb_release) and run something on them during the installation phase. > - use something else other than error() when disabling dofile() > (something that won't generate such a disruptive dialog window for example). That was my first try. Something like error -> warning, but I didn't find anything useful. Are you aware of something?I'm not aware of anything out-of-the-box. It would probably require some UX work in Qt to make this notification more user-friendly.
Any dialog would be equally annoying. Perhaps there is a way to push a statusbar message, but honestly I don't think Lua is the appropriate place to warn about some stupid behavior. So tshark already prints a warning when started as (setuid) root. The GUI does not. It could be modified to show a dialog, but it should probably also present a "Do not mention this again" checkbox for systems like Kali Linux where running everything as root is the norm.
I have some doubts about the effectiveness and usefulness of this Lua sandbox. I didn't investigate in depth but it seems enabling/disabling the Lua runtime instead would be better, as dictated by policy (whatever that policy is).
Setting "enable_lua = false" (formerly "disable_lua = true") already prevents further Lua code from being executed. Likewise when "run_user_scripts_when_superuser" is false and when started as root. I also question the utility of disabling the API, hence these patches: wslua: do not load console.lua when run as root https://code.wireshark.org/review/31912 wslua: do not partially disable the Lua API when run as root https://code.wireshark.org/review/31913 The first patch can be safely be backported and should fix the issue raised by Kali Linux users. Worst-case, it disables the GUI menu option, but it has no effect otherwise. The second patch removes the security theatre, but depends on the first patch to effectively restrict execution of arbitrary user-supplied code. It enables arbitrary execution of user-supplied code by default since those who execute "tshark -Xlua_script:foo.lua" as root user (or via sudo) will expect it to work. Finally, note that "started_with_special_privs()" also returns TRUE even if the current user has no more privileges. Even if the Wireshark or tshark executables were setuid root, these root privileges have already been dropped via "relinquish_special_privs_perm()", long before it ever gets to the Lua code. -- Kind regards, Peter Wu https://lekensteyn.nl ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Re: Lua error while running Wireshark as root (was: Re: Wireshark on Kali linux), (continued)
- Re: Wireshark on Kali linux Dario Lombardo (Feb 05)
- Re: Wireshark on Kali linux Guy Harris (Feb 05)
- Re: Wireshark on Kali linux Guy Harris (Feb 05)
- Re: Wireshark on Kali linux João Valverde (Feb 05)
- Re: Wireshark on Kali linux Dario Lombardo (Feb 06)
- Re: Wireshark on Kali linux João Valverde (Feb 06)
- Re: Wireshark on Kali linux Peter Wu (Feb 06)
- Re: Wireshark on Kali linux Guy Harris (Feb 06)
- Re: Wireshark on Kali linux Graham Bloice (Feb 06)
- Re: Wireshark on Kali linux Jasper Bongertz (Feb 07)
- Re: Wireshark on Kali linux Dario Lombardo (Feb 07)
- Re: Wireshark on Kali linux Graham Bloice (Feb 07)
- Re: Wireshark on Kali linux Jeff Morriss (Feb 12)