Bug 448584

Summary: Don't automatically use stored privileges
Product: [Fedora] Fedora Reporter: Ulrich Drepper <drepper>
Component: wiresharkAssignee: Radek Vokál <rvokal>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 9CC: mjc, security-response-team
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-10-01 15:34:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 461566, 461567, 461568, 461569, 461570, 833989    
Bug Blocks:    

Description Ulrich Drepper 2008-05-27 18:05:28 UTC
Description of problem:
Recently I had to start wireshark to look at a log file sent to me by somebody
else.  Prudence requires that I look at the files without wireshark having any
privileges.  But since I have shortly before started another application which
required privileges this funky privilege storing took over and I ended up with
automatically and to the inexperienced person unnoticeable using privileges.

That's a security problem.  What if the log contains an exploit for a buffer
overflow in wireshark itself?

wireshark should always at startup ask whether privileges are wanted.  If they
are wanted and the privileges are stored, no password needs to be entered.  But
the decision to use them must be made at every startup.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.store privileges by starting an application which adds them (potentially
wireshark itself).  If the latter, leave wireshark again.
2.start wireshark
Actual results:
no dialog asking whether privileges should be used

Expected results:
dialog asking whether privileges should be used.

Additional info:

Comment 1 Radek Vokál 2008-05-28 08:50:28 UTC
This is a correct consolehelper behavior. Consolehelper stores your password for
certain time, so all applications which requires root access can be started with
prompting for root pswd in this time frame. You can see the "shield" icon in
your taskbar. If you open it's menu, there's a "drop privilegies" option which
immediately forgets the root pswd. 

Comment 2 Ulrich Drepper 2008-05-28 15:37:53 UTC
I realize the this is what you expect for applications which *always* require
privileges.  It's definitely the correct behaviour for them.

But wireshark is special.  It does not always have to use privileges.  It only
needs privileges if you want to record data.  But if you replay data you
definitely do not want the privileges.  Already recorded data can be malformed
and perhaps be malicious.  It could be used to exploit a bug in wireshark and
with privileges the entire machine can be taken over.

I.e., programs which *optionally* in some situations need privileges should ask
the user on startup whether available privileges should be used or not. 
Anything else is a security problem.

Comment 3 Mark J. Cox 2008-05-30 10:34:24 UTC
I agree with Ulrich.  NVD set the severity of Wireshark issues to be moderate
and low because best practice is to not examine untrusted recorded packets as
root.  This interaction with consolehelper will mean we have to increase the
severity of Wireshark security issues (of which there are many and frequent). 
Is there some better way to deal with this (have it drop privileges again when
not needing the interface?)

Comment 4 Tomas Mraz 2008-06-02 13:42:54 UTC
The easiest way to fix this is to simply drop the pam_timestamp from wireshark
PAM configuration - that means with current Fedoras to copy
/etc/pam.d/config-util to /etc/pam.d/wireshark and remove all pam_timestamp.so
lines from there.

Comment 5 Tomas Hoger 2008-06-02 13:53:15 UTC
Thanks Tomas!

The proposed change will cause consolehelper to always require password before
launching wireshark, so the wireshark will not get started with root privileges
by accident.

pam.d/wireshark could possibly continue including config-util for account and
session, but will require auth specification without pam_timestamp.

For wireshark packages in Red Hat Enterprise Linux 2.1, 3 and 4, lines with
pam_timestamp.so should be removed from pam.d/wireshark.

Comment 6 Radek Vokál 2008-09-09 15:19:35 UTC
This is already fixed in Fedora. I'll include this fix into RHEL variants in next update.

Comment 9 errata-xmlrpc 2008-10-01 15:34:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.