[91258] trunk/dports/net/wireshark/Portfile

Eric Hall opendarwin.org at darkart.com
Sat Mar 31 12:27:01 PDT 2012


On Wed, Mar 28, 2012 at 01:06:57AM +0200, Clemens Lang wrote:
> Hi,
> 
> On Tue, Mar 27, 2012 at 01:10:12PM -0700, ricci at macports.org wrote:
> > wireshark: remove potentially dangerous "notes"
> > 
> > -notes "To allow non-root users capturing packages, make sure your $prefix/bin/dumpcap is owned by root\
> > -    and give it the setuid-mode-bit: chmod +s $prefix/bin/dumpcap. Warning: Every user that is able\
> > -    to execute this program will be able to capture any traffic into, out of and bypassing your\
> > -    machine. Consider creating a group and only allowing users in this group to execute this binary."
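Review bot: the `-notes` block is deleted with nothing put in its place, and the commit message says only "potentially dangerous" without naming the concern. After this change the port gives users no guidance on capturing without root, and the log does not record why. State the reason in the commit message: the note recommends `chmod +s $prefix/bin/dumpcap` and mentions restricting execution to a group only as something to "Consider". Then either replace the note with the preferred alternative or reference the ticket that tracks it. If any of the text is reinstated, "capturing packages" should read "capturing packets".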
> 
> (1) I have added the very same note to the wireshark-devel port. If it's
> removed in wireshark it should also be removed in wireshark-devel.
> 
> (2) Could you elaborate on why you consider a note (with an explicit
> warning) explaining what some distributions (e.g. Debian, Ubuntu, Arch
> Linux) provide semi-automatized dangerous? Also note the wireshark
> project actually lists this method [1] as one of the possibilities to
> allow running the wireshark GUI with the ability to capture packages
> [2].

	I too think that making a binary setuid is a dangerous practice,
and a note indicating to do so to people who have no clue what it means
is also a bad practice.

> 
> IMHO, if this note prevents any uninformed user from running wireshark
> as root it has done more good than evil and also provides a better user
> experience for people installing the wireshark port.

	Possibly.  I prefer the solution of altering the permissions
on /dev/bpf* to allow group read, and adding accounts to that group.
There's a ticket open to have this happen on reboot (via a launchd plist),
I have a partially improved version that allows only read (and not write)
that needs testing with various OS revs and then will get committed.
If you're interested in helping out with that, please let me know.



		-eric
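
The two setups compared in this thread (a setuid `dumpcap` versus group-readable `/dev/bpf*` nodes) can be told apart and audited from file modes alone. The script below is an added example, not part of the original message or of the MacPorts port; the function names and result labels are invented for illustration, and the paths to check are supplied by the caller.

```shell
#!/bin/sh
# Added example: classify capture-related file modes.

# has_perm PATH MODE: true if PATH has every bit of octal MODE set.
# Uses find -perm so it behaves the same with BSD and GNU userlands.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_setuid_capture FILE
# Prints: not-setuid | setuid-restricted | setuid-world-exec
audit_setuid_capture() {
    if ! has_perm "$1" 4000; then
        echo "not-setuid"
    elif has_perm "$1" 0001; then
        # setuid and executable by everyone: any local user can capture
        echo "setuid-world-exec"
    else
        echo "setuid-restricted"
    fi
}

# audit_capture_device NODE
# Prints: world-access | group-write | group-read-only | owner-only
audit_capture_device() {
    if has_perm "$1" 0004 || has_perm "$1" 0002; then
        echo "world-access"
    elif has_perm "$1" 0020; then
        # group members could also write to the device, not just capture
        echo "group-write"
    elif has_perm "$1" 0040; then
        echo "group-read-only"
    else
        echo "owner-only"
    fi
}

# Usage: sh audit.sh /path/to/dumpcap /dev/bpf0 ...
for p in "$@"; do
    [ -e "$p" ] || { echo "$p: missing"; continue; }
    case "$p" in
        /dev/*) echo "$p: $(audit_capture_device "$p")" ;;
        *)      echo "$p: $(audit_setuid_capture "$p")" ;;
    esac
done
```
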



