author | Bjørn Forsman <bjorn.forsman@gmail.com> | 2014-04-13 17:06:00 +0200 |
---|---|---|
committer | Bjørn Forsman <bjorn.forsman@gmail.com> | 2014-04-22 21:33:11 +0200 |
commit | a70197a6536be79c2e9318332d9435e668954837 (patch) | |
tree | 70dcf0fc5085b2fd96ae69673d9236be8c446a9d /pkgs/applications/networking/sniffers/wireshark | |
parent | cbd4650a1ad143bca4b10bd49e93a39a2e1eee85 (diff) | |
wireshark: add patch to lookup "dumpcap" in PATH
What this allows us to do is define a "dumpcap" setuid wrapper in NixOS and have wireshark use that instead of the non-setuid dumpcap binary that it normally uses. As far as I can tell, the code that is changed to do lookup in PATH is only used by wireshark/tshark to find dumpcap. dumpcap, the thing that's typically setuid, is not affected by this patch. wireshark and tshark should *not* be installed setuid, so the fact that they now do lookup in PATH is not a security concern. With this commit, and the following config, only "root" and users in the "wireshark" group will have access to capturing network traffic with wireshark/dumpcap: environment.systemPackages = [ pkgs.wireshark ]; security.setuidOwners = [ { program = "dumpcap"; owner = "root"; group = "wireshark"; setuid = true; setgid = false; permissions = "u+rx,g+x"; } ]; users.extraGroups.wireshark.gid = 500; (This wouldn't have worked before, because then wireshark would not use our setuid dumpcap binary.)
Diffstat (limited to 'pkgs/applications/networking/sniffers/wireshark')
-rw-r--r-- | pkgs/applications/networking/sniffers/wireshark/default.nix | 2 | ||||
-rw-r--r-- | pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch | 62 |
2 files changed, 64 insertions, 0 deletions
diff --git a/pkgs/applications/networking/sniffers/wireshark/default.nix b/pkgs/applications/networking/sniffers/wireshark/default.nix
index ea12459a82ae..272bae14a12a 100644
--- a/pkgs/applications/networking/sniffers/wireshark/default.nix
+++ b/pkgs/applications/networking/sniffers/wireshark/default.nix
@@ -18,6 +18,8 @@ stdenv.mkDerivation {
 geoip libnl c-ares gtk python libcap ];
+ patches = [ ./wireshark-lookup-dumpcap-in-path.patch ];
+
 preConfigure = ''
 sed -re 's/g_memmove/memmove/' -i $(grep -rl g_memmove .)
 '';
diff --git a/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch b/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch
new file mode 100644
index 000000000000..9c517cc0e421
--- /dev/null
+++ b/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch
@@ -0,0 +1,62 @@
+From 188e8858243b2278239261aaaaea7ad07476d561 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= <bjorn.forsman@gmail.com>
+Date: Sun, 13 Apr 2014 15:17:24 +0200
+Subject: [PATCH] Lookup dumpcap in PATH
+
+NixOS patch: Look for dumpcap in PATH first, because there may be a
+dumpcap setuid-wrapper that we want to use instead of the default
+non-setuid dumpcap binary.
+
+Also change execv() to execvp() because we've set argv[0] to "dumpcap"
+and have to enable PATH lookup. Wireshark is not a setuid program, so
+looking in PATH is not a security issue.
+---
+ capture_sync.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/capture_sync.c b/capture_sync.c
+index eb05fae..efb5675 100644
+--- a/capture_sync.c
++++ b/capture_sync.c
+@@ -326,8 +326,18 @@ init_pipe_args(int *argc) {
+ argv = (char **)g_malloc(sizeof (char *));
+ *argv = NULL;
+
+- /* take Wireshark's absolute program path and replace "Wireshark" with "dumpcap" */
+- exename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "dumpcap", progfile_dir);
++ /*
++ * NixOS patch: Look for dumpcap in PATH first, because there may be a
++ * dumpcap setuid-wrapper that we want to use instead of the default
++ * non-setuid dumpcap binary.
++ */
++ if (system("command -v dumpcap >/dev/null") == 0) {
++ /* Found working dumpcap */
++ exename = g_strdup_printf("dumpcap");
++ } else {
++ /* take Wireshark's absolute program path and replace "Wireshark" with "dumpcap" */
++ exename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "dumpcap", progfile_dir);
++ }
+
+ /* Make that the first argument in the argument list (argv[0]). */
+ argv = sync_pipe_add_arg(argv, argc, exename);
+@@ -649,7 +659,7 @@ sync_pipe_start(capture_options *capture_opts, capture_session *cap_session, voi
+ */
+ dup2(sync_pipe[PIPE_WRITE], 2);
+ ws_close(sync_pipe[PIPE_READ]);
+- execv(argv[0], argv);
++ execvp(argv[0], argv);
+ g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
+ argv[0], g_strerror(errno));
+ sync_pipe_errmsg_to_parent(2, errmsg, "");
+@@ -879,7 +889,7 @@ sync_pipe_open_command(char** argv, int *data_read_fd,
+ dup2(sync_pipe[PIPE_WRITE], 2);
+ ws_close(sync_pipe[PIPE_READ]);
+ ws_close(sync_pipe[PIPE_WRITE]);
+- execv(argv[0], argv);
++ execvp(argv[0], argv);
+ g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
+ argv[0], g_strerror(errno));
+ sync_pipe_errmsg_to_parent(2, errmsg, "");
+--
+1.9.0
+ |
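Review bot: The PATH probe added to init_pipe_args spawns /bin/sh via `system("command -v dumpcap >/dev/null")` only to decide whether to hand the bare name "dumpcap" to execvp(), which then repeats the same PATH search in the child; the two lookups can disagree (PATH or directory contents may change between them, and `command -v` also reports shell builtins and functions), and CERT ENV33-C discourages `system()` for exactly this kind of use. GLib, which this file already uses for g_malloc and g_strdup_printf, provides g_find_program_in_path(), which returns the resolved absolute path (g_free-able, like the current exename) or NULL, so the lookup can happen once, in-process, and the execv() calls in sync_pipe_start and sync_pipe_open_command can stay unchanged: `exename = g_find_program_in_path("dumpcap");` / `if (exename == NULL) {` followed by the original progfile_dir fallback in the else branch. The `/* Found working dumpcap */` comment overstates what the check proves — it only shows that something named dumpcap is executable somewhere in PATH — and would read more accurately as `/* NixOS: prefer a dumpcap found in PATH (e.g. a setuid wrapper) over the bundled one */`. init_pipe_args continues outside the hunk, and the resolved path also makes the "Couldn't run %s" message in the two exec hunks name the actual binary that failed.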