On Fri, Jun 19, 2009 at 12:54:48PM +0200, Jaap Keuter wrote: > I'm contacting you as I got thinking about network capture and the > security implications of that.
> What I've noticed is that Debian (still) requires the user to run > Wireshark with root credentials in order to be able to launch a > network capture. > The core capture functionality was isolated in a capture child, so > the rest (dissection, GUI, etc) could be run as a normal user. This > only(ahem) requires the capture engine (dumpcap) to be installed > setuid root. How about one of the following: - have the gui application (run as user) use gksu to launch dumpcap - a wrapper script that launches dumpcap as current effective user (expected to be root) and the gui as $SUDO_USER (hmmm... too specific to usage of sudo, bad idea). - a wrapper script that launches dumpcap through su/sudo and the gui "normally" - a wrapper application (not suid), expected to be launched as root, that fork()/exec()'s dumpcap and then drops all privileges and then exec()'s the gui? -- Lionel -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
