Red Hat Bugzilla – Bug 850768
tshark with -w option fails if file does not exist
Last modified: 2016-05-31 21:31:13 EDT
Description of problem: tshark does not create a new file, if file specified with -w option does not exist, instead exits with tshark: The file to which the capture would be saved ("<file>") could not be opened: Permission denied. and returns 1 Version-Release number of selected component (if applicable): wireshark-1.6.8-1.el7.x86_64 How reproducible: always Steps to Reproduce: 1. tshark -i <interface> -w <file that does not yet exist> Expected results: File with the given name is created
dumpcap utility gives up root privileges too early, before opening the output file. I sent a patch upstream: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7672
I added a newer version of the patch to upstream bugzilla: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7672 Patch: https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9797&action=diff&context=patch&collapsed=&headers=1&format=raw
I suspect that you're trying to create a file in /root, and /root has 550 permissions. That needs DAC override capabilities even with EUID=0, and we don't want to keep these (because they're strongly root-equivalent). Workaround is to use: # tshark -w - > /root/foo I think this should be closed with WONTFIX. In theory, it should be possible to use setresuid/setresgid to swap real and effective IDs, open the output file, swap them back (possibly regaining root privileges), and the continue as before (drop the unused capabilities etc.).