Wireshark-bugs: [Wireshark-bugs] [Bug 2228] Stop capture doesn't work
Date: Sat, 22 Mar 2008 19:52:48 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2228


Bill Meier <wmeier@xxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|wmeier@xxxxxxxxxxx          |




--- Comment #15 from Bill Meier <wmeier@xxxxxxxxxxx>  2008-03-22 19:52:44 GMT ---
> Re comment #10, what happens if you disable libcap? Specifically, if dumpcap
> is running with ruid=<you> and euid=root, and its capability set hasn't 
> changed, can you kill it?

  Yes: It appears that if euid=0 the behaviour is as it was.
       So: Capture (dumpcap) can be stopped properly when not using libcap.

  My statement in comment #10 should have been:

     On my Fedora 8 ("out of the box") system: a 'normal' process
     (ruid=<xx>, euid=<xx> + no capabilities) can kill a related process
     as follows:

     can kill ?     Configuration     
     Yes            ruid=<xx> euid=<xx>  no capabilities 
     No             ruid=<xx> euid=<xx>  special capabilities 
     Yes            ruid=<xx> euid=<0>   no special capabilities 
     Yes            ruid=<xx> euid=<0>   special capabilities 


> I agree about the need to be able to kill dumpcap in case something
>  goes wrong.

  I've determined that the existing dumpcap -w does *not* relinquish the
  NET_RAW and NET_ADMIN capabilities after pcap_open_live was executed
  (when libcap is being used).

  So: I've changed the code slightly to do so (when using libcap).

  The effect is that "dumpcap -w" using libcap can't be killed (signaled)
  by the parent Wireshark only during the short interval until the 
  pcap_open_live is completed. After the capabilities are removed, the 
  capture can be stopped by Wireshark.

  Although this is not a perfect answer, I think it may be acceptable.
  (In the unlikely case that dumpcap were somehow to hang/loop 
  before relinquishing the capabilities, I think that exiting the parent
  Wireshark will terminate the dumpcap child).

  If this is not considered acceptable, then the solution is to leave
  euid=<0> until after pcap_open_live even when using libpcap.
  That is: drop both the suid and the special capabilities at that point.

  This is not as good as dropping the suid immediately but is better than
  suid without libcap.

  ------

  I'm going to leave this bug as Open until people have had time to 
  test the fix/work_around on various Linux distros.


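The pattern described in the comment above (drop CAP_NET_RAW and CAP_NET_ADMIN as soon as pcap_open_live has returned, so the unprivileged parent can signal the capture child), as an added example rather than the dumpcap change itself. It talks to capget(2)/capset(2) directly instead of through libcap, is Linux-only, and the function names are mine.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Read this thread's capability sets with the v3 API (two 32-bit words per set). */
static int get_caps(struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &hdr, data);
}

/* 1 if cap is in the effective set, 0 if not, -1 if capget failed. */
int has_effective_cap(int cap)
{
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (get_caps(data) != 0)
        return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) ? 1 : 0;
}

/* Clear CAP_NET_RAW and CAP_NET_ADMIN from all three sets. Removing bits never
 * needs privilege, so this also succeeds for a process that never had them. */
int drop_capture_caps(void)
{
    static const int caps[] = { CAP_NET_RAW, CAP_NET_ADMIN };
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (get_caps(data) != 0)
        return -1;
    for (size_t i = 0; i < sizeof caps / sizeof caps[0]; i++) {
        __u32 keep = ~CAP_TO_MASK(caps[i]);
        data[CAP_TO_INDEX(caps[i])].effective   &= keep;
        data[CAP_TO_INDEX(caps[i])].permitted   &= keep;
        data[CAP_TO_INDEX(caps[i])].inheritable &= keep;
    }
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(void)
{
    /* A capture tool would call pcap_open_live() here, while still privileged,
     * and only then drop the capabilities so its unprivileged parent can signal it. */
    if (drop_capture_caps() != 0) { perror("capset"); return 1; }
    printf("CAP_NET_RAW effective: %d\n", has_effective_cap(CAP_NET_RAW));
    return 0;
}
```

Run as an ordinary user the program simply confirms both capabilities are absent; run with the capabilities set (as the libcap dumpcap build is) it shows them gone after the drop.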