When launching "sudo wireshark", an error box pops up at start saying the following:

Lua: Error during loading: [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled

It does not seem to affect the basic functioning of wireshark itself.
I don't think this is an error. It's a notification that some wireshark (lua) features have been disabled for security reasons, since you're running as root. While a regular user cannot use wireshark to capture traffic, they can use it to analyze a file, using features that are not available, when running as root.
CC: (none) => davidwhodgins
(In reply to comment #1)
> I don't think this is an error.
>
> It's a notification that some wireshark (lua) features have been disabled
> for security reasons, since you're running as root.
>
> While a regular user cannot use wireshark to capture traffic, they can use
> it to analyze a file, using features that are not available, when running
> as root.

The error box is still cryptic and distracting. Also, why display it at startup instead of when the user actually tries to use such functionality?
Created attachment 700
Patch to stop "dofile" error message when running as root

My mistake. Turns out the problem is the use of the dofile command in the file, which invokes the function on line 45.
Can someone submit this as an update fix?
CC: (none) => maarten.vanraes
Assigning to maintainer now that our maintainer's database has an entry for this package. Please assign back to bugsquad@mageia.org in case of a mistake from me.
Keywords: (none) => PATCH
CC: (none) => stormi
Assignee: bugsquad => anssi.hannula
Assignee: anssi.hannula => doktor5000
So actually we want to not display this (rather cryptic) message? Actually this is no real fix. Looking at http://wiki.wireshark.org/CaptureSetup/CapturePrivileges running wireshark itself via sudo or as root in general is disregarded, because the parts of wireshark which parse the captured data, run with root privileges. We should rather do something like this: http://packetlife.net/blog/2010/mar/19/sniffing-wireshark-non-root-user/ So could we please have a consensus about this issue first?
Status: NEW => ASSIGNED
Or do we only want to change this and other messages to something more self-explanatory? What follows are the lua functions which are disabled, and after them the error message which is displayed in the dialog box:

    -- disable potentialy harmful lua functions when running superuser
    if running_superuser then
        local disabled_lib = {}
        setmetatable(disabled_lib,{ __index = function() error("this package has been disabled") end } );

        dofile = function() error("dofile has been disabled") end
        loadfile = function() error("loadfile has been disabled") end
        loadlib = function() error("loadlib has been disabled") end
        require = function() error("require has been disabled") end
        os = disabled_lib
        io = disabled_lib
        file = disabled_lib
    end

We could maybe change the error message to something like:

    error("Wireshark is running as root, this is dangerous. The lua function dofile has been disabled, because it is potentially harmful when running as root. ")
but, afaik you do need root access to actually capture...
Did you read the link i posted? Especially the important part about "Enabling Non-root Capture" ?
I agree with comment 6. Giving dumpcap the permission to access the raw network interface traffic, and having wireshark run by the regular user would be much safer than running wireshark as root, with the lua functions disabled. Especially as wireshark seems to often get security updates. I still think attachment 700 should be applied, so users who do run wireshark as root won't get the error message.
(In reply to comment #10)
> I agree with comment 6. Giving dumpcap the permission to access
> the raw network interface traffic, and having wireshark run by
> the regular user would be much safer than running wireshark as
> root, with the lua functions disabled.

OK, will look into it.

> I still think attachment 700 should be applied, so users who
> do run wireshark as root won't get the error message.

No, sorry. I can change the wording, but i won't remove the message altogether. If we do this, will we also remove the dialog box that wireshark runs as root and that is dangerous? Upstream safety straps as intended should stay in place.
The patch doesn't remove the warning about running as root. What it does, is stop wireshark from trying to execute dofile("console.lua"), when you are running as root. Running dofile("console.lua") causes the message "dofile has been disabled" to be displayed, and that's the error message this bug report was raised for.
(In reply to comment #9)
> Did you read the link i posted?
> Especially the important part about "Enabling Non-root Capture" ?

no, i did not :-(
perhaps the warning could be removed if the root warning message shows that scripts will be silently dropped?
No, as i understood the init.lua script, a message will be displayed when the corresponding function is called the first time.

Regarding to Comment 2: dofile("console.lua") is called directly at the end of the file init.lua which is executed when wireshark runs.

Regarding to Comment 13: If we only display in the root warning message that scripts will be silently dropped users might not notice why some lua functions will silently not work, if they try to use one of those which were silently disabled.

As said, i'm against removing that message. What problem is there with clarifying it through changing the displayed text like i already proposed: "error(Wireshark is running as root, this is dangerous. The lua function dofile has thus been disabled, because it is potentially harmful when running as root.)"
Actually when looking at https://bugs.mageia.org/show_bug.cgi?id=2974 and especially https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6136 i'm even more confirmed to not remove this message. Who knows what security problems the other lua functions might pose when called silently without a notice for the user?
Could we please find a consensus here so we can get this fixed? I'm preparing a security update for wireshark and i want to include this. What's the actual problem here? The user experience, because he sees a rather cryptic, but security-related message (look at comment 7 for context) which the user can't recognise from that message. So the best fix IMHO is to improve that message to explain to the user, that because wireshark is running as root, which is potentially dangerous, some lua script has been disabled due to security reasons.
I would favor improving the error message too, without removing it. Maybe this can be contributed upstream too?
(In reply to comment #16)
> Actually when looking at https://bugs.mageia.org/show_bug.cgi?id=2974 and
> especially https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6136 i'm even
> more confirmed to not remove this message.
>
> Who knows what security problems the other lua functions might pose when called
> silently without a notice for the user?

Attachment 700 does not remove the error message generated when an lua function is executed. It does not remove the warning about the danger of running wireshark as root. It stops the init.lua script from trying to execute the dofile lua function, right after it has been disabled.

In my opinion, there are three steps that should be done.
- Incorporate attachment 700 so the dofile lua function does not try to get invoked on startup, when running as root.
- Alter the messages generated if the user does try to execute a lua function as per comment 7.
- Enable capturing network traffic while running wireshark as a regular user, as per comment 6.
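The mechanism discussed in this thread, as an added example that is not attachment 700, the Mageia package change or upstream's init.lua: it rebuilds the root-only function blocking in a private table, using the message wording proposed in comment 7, and compares an unconditional call to dofile("console.lua") with a guarded one. The form of the guard, the names make_env, tail_unguarded and tail_guarded, and the stub loader are assumptions made for illustration.

```lua
-- Added illustration; not upstream init.lua and not attachment 700.
-- make_env(), tail_unguarded(), tail_guarded() and the stub loader are hypothetical.

-- Build a private table standing in for Wireshark's Lua globals.
local function make_env(running_superuser)
  local env = setmetatable({ running_superuser = running_superuser }, { __index = _G })
  -- Constructed stand-in for the real loader so the demo needs no console.lua.
  env.dofile = function(path) return "loaded " .. path end
  if running_superuser then
    local function disabled(name)
      return function()
        error("Wireshark is running as root, this is dangerous. The lua function "
          .. name .. " has been disabled, because it is potentially harmful "
          .. "when running as root.")
      end
    end
    -- Any field access on a blocked library raises, as in the quoted init.lua.
    local disabled_lib = setmetatable({}, {
      __index = function() error("this package has been disabled") end,
    })
    for _, name in ipairs({ "dofile", "loadfile", "loadlib", "require" }) do
      env[name] = disabled(name)
    end
    env.os, env.io, env.file = disabled_lib, disabled_lib, disabled_lib
  end
  return env
end

-- Tail of the script as reported: the loader is called unconditionally.
local function tail_unguarded(env)
  return pcall(env.dofile, "console.lua")
end

-- Assumed form of the fix: skip the call when the loader was just disabled.
local function tail_guarded(env)
  if env.running_superuser then
    return true, "console.lua skipped (running as root)"
  end
  return pcall(env.dofile, "console.lua")
end

for _, root in ipairs({ false, true }) do
  local env = make_env(root)
  print("running_superuser = " .. tostring(root))
  print("  unguarded tail:", tail_unguarded(env))
  print("  guarded tail:  ", tail_guarded(env))
  -- A user script touching a blocked library still fails loudly under root.
  print("  os.getenv call:", pcall(function() return env.os.getenv("HOME") end))
end
```

In the simulated root run the unguarded tail returns the error that produced the startup dialog, the guarded tail makes no call, and access to the blocked os library still raises.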
Ok, i'll try to incorporate attachment 700 and will alter the error messages. For enabling non-root capture, this will have to be tested in cauldron first as this would be a pretty intrusive change for a bugfix/security update and needs some basic checking before or if being issued as an update for Mageia 1 IMHO.
I've tested wireshark-1.4.6-2.1.mga1.src.rpm on i586, and it looks good. For testing, I deleted /root/.wireshark, and confirmed the warning about the danger of running as root is still displayed. After selecting the option not to display that warning message, restarting wireshark no error message about dofile being disabled is displayed. Checking /usr/share/wireshark/init.lua, the new wording in the error messages if the user does try to run an lua script looks ok. I'm not sure how to get wireshark to run an lua script.
What about the 2 CVE's this update fixes? To hold the information together, do you want to validate this within this report? Doesn't appear sane to track the security part of the update in https://bugs.mageia.org/show_bug.cgi?id=2974 and the bugfix part of the same update here, no? Will write an advisory for this update if you tell me where to put it.
Which CVE from bug 2974 has been incorporated in this update? Can the other two also be incorporated?
Look in the changelog :) No, seriously, our wireshark package is only susceptible to 2 of those issues, for the other 2 the affected files are not there, cauldron wireshark is not affected at all. For reference, quoting from the changelog:

- fixed CVE-2011-3360, untrusted search path vulnerability allowing local users to gain privileges via a Trojan horse Lua script in an unspecified directory (from upstream)
- fixed CVE-2011-3483, denial of service (application crash) via a malformed capture file that leads to an invalid root tvbuff, related to a buffer exception handling vulnerability (from upstream)

So you want to handle this here, then i'd post the full advisory here ...
We still need an x86-64 test of wireshark.
(In reply to comment #25)
> We still need an x86-64 test of wireshark.

assign to the QA
CC: (none) => doktor5000
Assignee: doktor5000 => qa-bugs
The i586 testing has been completed for the srpm wireshark-1.4.6-2.1.mga1.src.rpm

Still need an x86-64 tester. No proof of concepts for the CVE fixes, just test that the error dialog about the dofile lua script no longer appears when starting wireshark as root.

Advisory: This security/bug fix update for wireshark prevents the wireshark init.lua script from trying to execute the dofile lua script after it has been disabled. The messages generated when the root user tries to execute a disabled lua script have been clarified.

CVE-2011-3360, untrusted search path vulnerability allowing local users to gain privileges via a Trojan horse Lua script in an unspecified directory has been corrected.

CVE-2011-3483, denial of service (application crash) via a malformed capture file that leads to an invalid root tvbuff, related to a buffer exception handling vulnerability has been corrected.
Testing complete x86_64

Update Validated

Sysadmin please push from core/updates_testing to core/updates with SRPM & Advisory from comment 27.

Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: x86_64 => All
Update pushed.
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED