From efafca71a338b4b938fea68429ea6871f9371673 Mon Sep 17 00:00:00 2001 From: Guy Harris Date: Mon, 30 Jun 2014 16:11:58 -0700 Subject: [PATCH] Drop privileges very early on. TShark relies on dumpcap to capture packets, and TFShark doesn't even do packet capturing (it dissects files, not network traffic), so neither of them need, or should run with, special privileges. If you *must* run with special privileges in order to capture, grant those privileges to dumpcap, which has a *lot* fewer lines of code than libwireshark and TShark/TFShark. Change-Id: I8f8fedead355ca163895e025df37240d2f232ba4 Reviewed-on: https://code.wireshark.org/review/2736 Reviewed-by: Guy Harris --- tfshark.c | 14 +++++--------- tshark.c | 39 +++++---------------------------------- 2 files changed, 10 insertions(+), 43 deletions(-) diff --git a/tfshark.c b/tfshark.c index 0bbb77274d..7fef9a6bf3 100644 --- a/tfshark.c +++ b/tfshark.c @@ -821,9 +821,13 @@ main(int argc, char *argv[]) #endif /* _WIN32 */ /* - * Get credential information for later use. + * Get credential information for later use, and drop privileges + * before doing anything else. + * Let the user know if anything happened. */ init_process_policies(); + relinquish_special_privs_perm(); + print_current_user(); /* * Attempt to get the pathname of the executable file. @@ -1427,14 +1431,6 @@ main(int argc, char *argv[]) * We're reading a capture file. */ - /* - * Immediately relinquish any special privileges we have; we must not - * be allowed to read any capture files the user running TShark - * can't open. - */ - relinquish_special_privs_perm(); - print_current_user(); - /* TODO: if tfshark is ever changed to give the user a choice of which open_routine reader to use, then the following needs to change. */ if (cf_open(&cfile, cf_name, WTAP_TYPE_AUTO, FALSE, &err) != CF_OK) { diff --git a/tshark.c b/tshark.c index 5e5641dbca..ced2908401 100644 --- a/tshark.c +++ b/tshark.c @@ -1040,9 +1040,13 @@ main(int argc, char *argv[]) #endif /* _WIN32 */ /* - * Get credential information for later use. + * Get credential information for later use, and drop privileges + * before doing anything else. + * Let the user know if anything happened. */ init_process_policies(); + relinquish_special_privs_perm(); + print_current_user(); /* * Attempt to get the pathname of the executable file. @@ -2058,15 +2062,6 @@ main(int argc, char *argv[]) /* * We're reading a capture file. */ - - /* - * Immediately relinquish any special privileges we have; we must not - * be allowed to read any capture files the user running TShark - * can't open. - */ - relinquish_special_privs_perm(); - print_current_user(); - if (cf_open(&cfile, cf_name, in_file_type, FALSE, &err) != CF_OK) { epan_cleanup(); return 2; @@ -2407,30 +2402,6 @@ capture(void) struct sigaction action, oldaction; #endif - /* - * XXX - dropping privileges is still required, until code cleanup is done - * - * remove all dependencies to pcap specific code and using only dumpcap is almost done. - * when it's done, we don't need special privileges to run tshark at all, - * therefore we don't need to drop these privileges - * The only thing we might want to keep is a warning if tshark is run as root, - * as it's no longer necessary and potentially dangerous. - * - * THE FOLLOWING IS THE FORMER COMMENT WHICH IS NO LONGER REALLY VALID: - * We've opened the capture device, so we shouldn't need any special - * privileges any more; relinquish those privileges. - * - * XXX - if we have saved set-user-ID support, we should give up those - * privileges immediately, and then reclaim them long enough to get - * a list of network interfaces and to open one, and then give them - * up again, so that stuff we do while processing the argument list, - * reading the user's preferences, loading and starting plugins - * (especially *user* plugins), etc. is done with the user's privileges, - * not special privileges. - */ - relinquish_special_privs_perm(); - print_current_user(); - /* Create new dissection section. */ epan_free(cfile.epan); cfile.epan = tshark_epan_new(&cfile);