
[tjm@ArchPad bin]$ LANG=en
[tjm@ArchPad bin]$ pwd
/usr/bin
[tjm@ArchPad bin]$ ll | grep wireshark
-rwxr-x--- 1 root wireshark 88K Apr 25 00:22 dumpcap
-rwxr-xr-x 1 root wireshark 2.0M Apr 25 00:23 wireshark-gtk
[tjm@ArchPad bin]$ groups `whoami`
wheel wireshark users
[tjm@ArchPad bin]$

With the command sudo -G wireshark wireshark-gtk, I can start wireshark-gtk and listen without any problems.

But if I simply run wireshark-gtk, it says:

Could not run /usr/bin/dumpcap in child process: Permission denied.

So, is it possible to set a group priority, which means that if I (the user) have the same group id as a file, and the file has been set group priority, I will run this file with this group id without sudo -G?

By the way, setgid is not what I want, for it is not safe and anyone can run this file with group privileges.

MelBurslan
TJM
  • I still could not understand fully: do you want a safer or an easier solution? Setting the file setgid, executable only by `wireshark` group members, looks much easier and does not require `sudo` usage. Try this: `chmod 2710 /usr/bin/dumpcap`. Maybe I just do not understand something. –  Apr 27 '16 at 16:48
  • 1. Is that supposed to be "sudo -g" (lower-case)? 2. does `newgrp wireshark; wireshark-gtk` allow you to do what you want without sudo? – Jeff Schaller Apr 27 '16 at 16:57
  • I somehow managed to mess with setuid/setgid. Of course `chmod 4710 /usr/bin/dumpcap`. Time to sleep. –  Apr 27 '16 at 17:20

3 Answers


If you set /usr/bin/dumpcap setuid with nobody but members of the wireshark group being able to run it, then this setuid setting is safe. Then you just add yourself to the wireshark group with usermod -aG wireshark $(whoami) and you're done.

To setuid it in this way, do chgrp wireshark /usr/bin/dumpcap; chmod 4710 /usr/bin/dumpcap.

Btw, sudo is not suitable for arbitrary permissions manipulation. Consider using modern tools for this purpose if you still do not want to use setuid on the file.

  • I just consider that if I setgid dumpcap, anyone can run dumpcap and listen on my net interface, which makes my computer unsafe. – TJM Apr 28 '16 at 06:48
  • How could they run dumpcap if it is only available to members of the `wireshark` group? Or do you want to password-protect it through sudo? –  Apr 28 '16 at 06:56
  • Doesn't setgid mean anyone can run this file with the file's gid? Setgid does not mean only those in the same group can run this file. – TJM Apr 28 '16 at 07:00
  • To successfully enumerate network devices and capture packets, `dumpcap` needs not setgid but setuid root to work. Also, a binary can be setuid/setgid and only runnable by the owner/group members of the binary if you restrict others (`chmod o-rwx`) from running it. –  Apr 28 '16 at 09:28

What does id say?

If you've just now added yourself to the wireshark group, I think you will need to log out and back in again.

(Point found by googling the error message).

sourcejedi
  • I remember OS X `id` lied to me about _current_ groups, taking information from the db instead. OP's question is about Linux, but `id` output may not always be portable. –  Apr 27 '16 at 16:52
  • @siblynx Weird. I went from the Linux manpage "id - print real and effective user and group IDs". Sounds like OS X is not POSIX compliant, despite being based on existing BSD code. http://pubs.opengroup.org/onlinepubs/9699919799/utilities/id.html – sourcejedi Apr 27 '16 at 17:21
  • Yes, exactly as I described. I remember this because I lost a night trying to figure out why access was still denied. I blindly trusted `id` output without arguments. –  Apr 27 '16 at 17:23
  • I rebooted my laptop and now it works! – TJM Apr 28 '16 at 06:58

“Group priority” is not a common term. I think you mean the choice of group that is used for filesystem lookups. There is no such thing, or to put it another way, all groups have “group priority”: if a file belongs to a group (but not to your user), and you are in that group, then you get the group permissions, no matter whether the group is your primary group or a supplementary group.

If you are in the wireshark group, then you can run /usr/bin/dumpcap.

The output of `groups `whoami`` shows that your user account is in the wireshark group, but it doesn't show that your *session* is in the wireshark group. To test that, run `groups` with no arguments, or `id`. Group membership is applied when you log in. If you've just added yourself to the group, you need to log out and back in. See "I added a user to a group, but group permissions on files still have no effect".

Gilles 'SO- stop being evil'
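As an added example in POSIX sh (not code from the thread or from the Wireshark project), the following combines the two points made in the answers: the mode check answer 1 describes, where dumpcap is setuid but executable only by its group and not by others, and Gilles's distinction between the groups an account is configured with and the groups the current session actually carries. The path /usr/bin/dumpcap and the group wireshark are the question's; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks matching the answers:
#  classify_helper  - is a capture helper locked down the way answer 1
#                     proposes: setuid, executable by its group, and NOT
#                     executable by "others" (mode 4710)?
#  session_has_group / account_has_group - the distinction Gilles draws
#                     between groups the running session carries and
#                     groups the account is merely configured with.
# /usr/bin/dumpcap and the group "wireshark" are taken from the question;
# the function names are mine.

# Prints: restricted | world-exec | group-noexec | not-setuid | missing
classify_helper() {
    f=$1
    [ -e "$f" ] || { echo missing; return 1; }
    [ -u "$f" ] || { echo not-setuid; return 1; }
    # First 10 chars of `ls -l`, e.g. "-rws--x---" for mode 4710:
    # char 7 is group-execute, char 10 is others-execute.
    m=$(ls -ld "$f" | cut -c1-10)
    case "$m" in
        ?????????[xst]) echo world-exec;   return 1 ;;
    esac
    case "$m" in
        ??????[xs]???)  echo restricted;   return 0 ;;
        *)              echo group-noexec; return 1 ;;
    esac
}

# Groups of the running process: this is what the kernel consults when
# deciding whether you may execute a group-restricted file.
session_has_group() {
    for g in $(id -nG); do [ "$g" = "$1" ] && return 0; done
    return 1
}

# Groups recorded for the account in the user database (what
# `groups $(whoami)` shows). Applied to new sessions only, so right after
# `usermod -aG wireshark $USER` this succeeds while the check above fails.
account_has_group() {
    u=$(id -un) || return 2
    for g in $(id -nG "$u"); do [ "$g" = "$1" ] && return 0; done
    return 1
}

main_check() {
    classify_helper /usr/bin/dumpcap
    if account_has_group wireshark && ! session_has_group wireshark; then
        echo "account is in wireshark but this session is not: log out and back in"
    fi
}
```

Run `main_check` as the user from the question: a fresh `usermod -aG` shows up in `account_has_group` immediately, but `session_has_group` (and therefore running dumpcap) only succeeds after a new login.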