Wireshark-dev: Re: [Wireshark-dev] [Fwd: [Wireshark-bugs] [Bug 1741] New: Privilege separation
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 16 Aug 2007 09:47:04 -0700
Jeff Morriss wrote:

tcpdump and commercial sniffer products probably need root access and are reading from the network, but I'm not sure tcpdump counts as "big"

It's not as big as Wireshark, but it *has* had its own problems with code vulnerable to malicious packets.

It will, before opening a capture file to read, and after opening a capture device on which to do a live capture, drop privileges to run with the real user and group ID.

and I know nothing of commercial sniffers.

Most of 'em run on Windows, and thus come with a driver of some sort to support capturing; I suspect they arrange that either anybody, administrators, or the user who installed the sniffer can open the device, so it runs as the user.

One that used to run on a UN*X was EtherPeek for OS X; according to the manual I have, when you started it, it popped up a dialog with a list of adapters, and required you to click an "unlock" button to capture on the selected adapter. That opened a dialog asking for an administrator's password. I *suspect* that caused it to run a program or script as root; if so, it might have changed the BPF devices to be accessible by the user.