unofficial mirror of help-guix@gnu.org 
* Running Wireshark as non-root
From: Petter @ 2016-11-23  9:21 UTC
  To: help-guix

Hi,

I'm trying to run Wireshark/Dumpcap as a non-root user. And not
succeeding at that.

Now, first, I have not checked the official documentation of Wireshark
as they're behind the CloudFlare wall. (Issues...)

The error I get in Wireshark is:
> The capture session could not be initiated on interface 'lo' (You don't
> have permission to capture on that device).
>
> Please check to make sure you have sufficient permissions, and that you
> have the proper interface or pipe specified.

From what I gather it's not the Wireshark binary that needs a permission
boost, but the program "dumpcap".

The steps I'm trying to follow are along these lines:
`chmod 750 /usr/bin/dumpcap`
`chgrp wireshark /usr/bin/dumpcap`
`setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap`

(Using ~/.guix-profile/bin/dumpcap instead of /usr/bin/dumpcap)

This fails immediately because the store is mounted Read-Only.


I try to advance regardless by copying the dumpcap binary to my home
folder. And I set the capabilities. Verify with getcap - it should work
now.

$ ls -l dumpcap
-rwxr-xr-x 1 petter users 730 Nov 22 10:23 dumpcap

$ getcap ./dumpcap
./dumpcap = cap_net_admin,cap_net_raw+eip


But no.

$ ./dumpcap -i lo
> Capturing on 'Loopback'
> dumpcap: The capture session could not be initiated on interface 'lo' (You don't have permission to capture on that device).
> Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.


Spider senses tell me this is more involved than what I'm able to see.
Do any of you have any experience with this or similar operations,
especially use of `setcap`?


Also, I'm thinking it would make sense that Wireshark/Dumpcap were
installed with a non-root group and the necessary capabilities to run as
a non-root user. So, users would just install and add themselves to the
correct group and be off sniffing packets.

$ getcap ~/.guix-profile/bin/dumpcap
$ ls -l ~/.guix-profile/bin/dumpcap
lrwxrwxrwx 5 root root 71 Jan  1  1970 /home/petter/.guix-profile/bin/dumpcap -> /gnu/store/bsnw8sm2dkg70j1s93sga53b082p9czv-wireshark-2.2.2/bin/dumpcap

I'd be happy to take a stab at trying this, but I'd like to know in
advance if this is the way forward.


Also, I'm very open to the notion that I'm just not seeing the obvious
solution right in front of me :) I appreciate any help and insights!


Thanks,
Petter
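
An added check, not part of the thread: `getcap` only shows that the capability attribute is stored on a file, while the kernel decides at exec time whether to honour it. This Python example (function names and the sample mount table are constructed for illustration) reports two conditions under which Linux ignores file capabilities on a copied binary such as the `dumpcap` copy above: the file is a `#!` script, or its filesystem is mounted `nosuid`.

```python
import os
import sys

# getcap only reads the xattr. At exec time the kernel ignores it for a "#!"
# script (the interpreter is what runs) and on filesystems mounted nosuid.

# Constructed sample of /proc/self/mounts, not taken from the thread.
SAMPLE_MOUNTS = (
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0\n"
)

def exec_kind(head: bytes) -> str:
    """Classify a file by its leading bytes."""
    if head.startswith(b"\x7fELF"):
        return "elf"
    return "script" if head.startswith(b"#!") else "other"

def mount_options(path: str, mounts_text: str) -> set:
    """Options of the deepest mount point containing path."""
    best, opts = "", set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = fields[1].replace("\\040", " ")  # mounts escapes spaces as \040
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) >= len(best):
            best, opts = mnt, set(fields[3].split(","))
    return opts

def caps_blockers(path: str, head: bytes, mounts_text: str) -> list:
    """Reasons the kernel would not apply file capabilities set on path."""
    reasons = []
    kind = exec_kind(head)
    if kind == "script":
        reasons.append("script: capabilities on it do not reach the interpreter")
    elif kind != "elf":
        reasons.append("not an ELF executable")
    if "nosuid" in mount_options(path, mounts_text):
        reasons.append("filesystem is mounted nosuid")
    return reasons

if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real file, e.g. ./dumpcap
        target = os.path.realpath(sys.argv[1])
        with open(target, "rb") as f, open("/proc/self/mounts") as m:
            print(caps_blockers(target, f.read(4), m.read()) or "no blockers found")
    else:  # constructed demo input
        print(caps_blockers("/home/alice/dumpcap", b"#!/bin/sh\n", SAMPLE_MOUNTS))
```

Run with a path argument it inspects that file and the live mount table; an empty result means neither condition applies.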


* Re: Running Wireshark as non-root
From: Ludovic Courtès @ 2016-11-24 17:18 UTC
  To: Petter; +Cc: help-guix

Hello!

Petter <petter@mykolab.ch> wrote:

> From what I gather it's not the Wireshark binary that needs a permission
> boost, but the program "dumpcap".
>
> The steps I'm trying to follow are along these lines:
> `chmod 750 /usr/bin/dumpcap`
> `chgrp wireshark /usr/bin/dumpcap`
> `setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap`
>
> (Using ~/.guix-profile/bin/dumpcap instead of /usr/bin/dumpcap)
>
> This fails immediately because the store is mounted Read-Only.

Right.  Linux “capabilities” are not supported in the store, so a
different mechanism is needed.

Since network interfaces do not have an entry in the file system, I
think we’re left with sudo and setuid.

That is, if you’re on GuixSD, and if you want to allow all the users on
that machine to use Wireshark, you can add it to the ‘setuid-programs’
field of the configuration, which will make it setuid-root (beware!).

Otherwise, if it’s a single-user machine, I’d recommend
“sudo wireshark”.

> Also, I'm thinking it would make sense that Wireshark/Dumpcap were
> installed with a non-root group and the necessary capabilities to run as
> a non-root user. So, users would just install and add themselves to the
> correct group and be off sniffing packets.

Storing capabilities or setuid bits in the store would break the whole
security model: anyone could populate the store with software that
chooses its privileges, and you wouldn’t have a say.

HTH!

Ludo’.
