Red Hat Bugzilla – Bug 850768
tshark with -w option fails if file does not exist
Last modified: 2016-05-31 21:31:13 EDT
Description of problem:
tshark does not create a new file if the file specified with the -w option does not exist; instead it exits with
tshark: The file to which the capture would be saved ("<file>") could not be opened: Permission denied.
and returns 1
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. tshark -i <interface> -w <file that does not yet exist>
File with the given name is created
dumpcap utility gives up root privileges too early, before opening the output file. I sent a patch upstream: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7672
I added a newer version of the patch to upstream bugzilla: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7672
I suspect that you're trying to create a file in /root, and /root has 550 permissions. That needs DAC override capabilities even with EUID=0, and we don't want to keep these (because they're strongly root-equivalent).
Workaround is to use:
# tshark -w - > /root/foo
I think this should be closed with WONTFIX.
In theory, it should be possible to use setresuid/setresgid to swap real and effective IDs, open the output file, swap them back (possibly regaining root privileges), and then continue as before (drop the unused capabilities etc.).
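The swap-open-swap-back sequence suggested in the last comment, sketched as an added example (not code from Wireshark, dumpcap, or the upstream patch). It assumes Linux with glibc; the helper name `open_output_as_real_user` and the default file name are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* setresuid/getresuid are Linux/glibc extensions */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Repeated so the block builds even if unistd.h was included earlier
 * without _GNU_SOURCE. */
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);

/* Hypothetical helper: open `path` with real and effective IDs swapped, so
 * the kernel checks the invoking user's permissions. Returns the fd or -1.
 * Aborts if the IDs cannot be swapped back: continuing in an unknown
 * privilege state is worse than exiting. */
int open_output_as_real_user(const char *path)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;
    if (getresuid(&ruid, &euid, &suid) || getresgid(&rgid, &egid, &sgid))
        return -1;
    /* Swap group IDs, then user IDs. Saved IDs stay untouched (-1), which
     * is what keeps the swap back permitted. */
    if (setresgid(egid, rgid, (gid_t)-1))
        return -1;
    if (setresuid(euid, ruid, (uid_t)-1)) {
        if (setresgid(rgid, egid, (gid_t)-1))
            abort();
        return -1;
    }
    /* O_NOFOLLOW is an extra precaution added here, not from the report. */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    /* Restore in reverse order: user first, then group. */
    if (setresuid(ruid, euid, (uid_t)-1) || setresgid(rgid, egid, (gid_t)-1))
        abort();
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_output_as_real_user(argc > 1 ? argv[1] : "capture.pcap");
    if (fd < 0) { perror("open"); return 1; }
    return close(fd) ? 1 : 0;
}
```

When real and effective IDs are already equal the swap is a no-op, so the helper behaves like a plain `open()` for an ordinary user.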