From ca94db0c704878bf5e027ad849af4995fb849003 Mon Sep 17 00:00:00 2001 From: Jan Safranek Date: Nov 26 2010 13:23:19 +0000 Subject: rework the Wireshark security: - remove the console helper - add new group 'wireshark' - allow only members of this group to capture the packets - remove unused/obsolete patches Resolves: 657490
---
diff --git a/wireshark-0.99.7-path.patch b/wireshark-0.99.7-path.patch
deleted file mode 100644
index 3aa77c7..0000000
--- a/wireshark-0.99.7-path.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Nasty patch for consolehelper. Wireshark run from consolehelper in unprivileged
-mode wrongly detects path as /usr/bin instead of /usr/sbin. Causes few strange
-crashes in GUI.
-
-diff -up wireshark-0.99.7/capture_sync.c.old wireshark-0.99.7/capture_sync.c
---- wireshark-0.99.7/capture_sync.c.old 2007-12-18 02:16:14.000000000 +0100
-+++ wireshark-0.99.7/capture_sync.c 2007-12-19 13:50:17.000000000 +0100
-@@ -230,7 +230,7 @@ init_pipe_args(int *argc) {
- *argv = NULL;
-
- /* take Wireshark's absolute program path and replace "Wireshark" with "dumpcap" */
-- exename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "dumpcap", progfile_dir);
-+ exename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "dumpcap", "/usr/sbin");
-
- /* Make that the first argument in the argument list (argv[0]). */
- argv = sync_pipe_add_arg(argv, argc, exename);
diff --git a/wireshark-1.4.0-python.patch b/wireshark-1.4.0-python.patch
deleted file mode 100644
index 38625b1..0000000
--- a/wireshark-1.4.0-python.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Fix simple syntax error in python scripts
-
-diff -up wireshark-1.4.0/epan/wspython/wspy_libws.py.orig wireshark-1.4.0/epan/wspython/wspy_libws.py
---- wireshark-1.4.0/epan/wspython/wspy_libws.py.orig 2010-08-30 00:17:30.000000000 +0200
-+++ wireshark-1.4.0/epan/wspython/wspy_libws.py 2010-08-31 17:37:54.905966497 +0200
-@@ -27,7 +27,6 @@ import platform
-
- __libwireshark = None
-
--/* XXX - We should probably return a full path here, at least on Windows. */
- def get_libws_libname():
- system = platform.system()
- if system == "Darwin":
diff --git a/wireshark.spec b/wireshark.spec
index 5d082bf..30e8bd7 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -37,11 +37,10 @@ Source8: wiresharkdoc-48x48.png
 Source9: wiresharkdoc-256x256.png
 Patch1: wireshark-nfsv4-opts.patch
-Patch2: wireshark-0.99.7-path.patch
-Patch3: wireshark-1.2.4-enable_lua.patch
-Patch4: wireshark-1.2.8-disable_warning_dialog.patch
-Patch5: wireshark-libtool-pie.patch
-Patch6: wireshark-1.4.0-doc-path.patch
+Patch2: wireshark-1.2.4-enable_lua.patch
+Patch3: wireshark-libtool-pie.patch
+Patch4: wireshark-1.4.0-doc-path.patch
+Patch5: wireshark-1.4.2-group-msg.patch
 Url: http://www.wireshark.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -112,15 +111,14 @@ and plugins.
 %setup -q -n %{name}-%{version}
 %endif
 %patch1 -p1
-%patch2 -p1
 %if %{with_lua}
-%patch3 -p1 -b .enable_lua
+%patch2 -p1 -b .enable_lua
 %endif
-%patch4 -p1 -b .dialog
-%patch5 -p1
-%patch6 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1 -b .group-msg
 %build
 %ifarch s390 s390x sparcv9 sparc64
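Review bot: `Patch5: wireshark-1.4.2-group-msg.patch` is declared in the patch list (hunk `@@ -37,11 +37,10 @@`) and applied by `%patch5 -p1 -b .group-msg` in `%prep` (hunk `@@ -112,15 +111,14 @@`), but no file of that name is added anywhere in this diff as shown, so the build would presumably stop in `%prep` unless the file is committed separately. In the other direction, `wireshark-1.2.8-disable_warning_dialog.patch` is dropped from the list while only the path and python patches are deleted, which leaves an unreferenced patch in the tree although the commit message says unused patches are removed. I would add the group-msg patch to this commit and delete the orphaned dialog patch in it as well, so the source set matches what the spec references.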
@@ -176,10 +174,6 @@ make DESTDIR=$RPM_BUILD_ROOT install
 # install support files for usermode, gnome and kde
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d
 install -m 644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/wireshark
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/security/console.apps
-install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/security/console.apps/wireshark
-mkdir -p $RPM_BUILD_ROOT/%{_bindir}
-ln -s consolehelper $RPM_BUILD_ROOT/%{_bindir}/wireshark
 # Install python stuff.
 mkdir -p $RPM_BUILD_ROOT%{python_sitearch}
@@ -245,6 +239,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la
 %clean
 rm -rf $RPM_BUILD_ROOT
+%pre
+getent group wireshark >/dev/null || groupadd wireshark
+
 %post -p /sbin/ldconfig
 %postun -p /sbin/ldconfig
@@ -274,7 +271,7 @@ fi
 %{_sbindir}/dftest
 %{_sbindir}/capinfos
 %{_sbindir}/randpkt
-%{_sbindir}/dumpcap
+%attr(0750, root, wireshark) %caps(cap_net_raw,cap_net_admin=eip) %{_sbindir}/dumpcap
 %{_sbindir}/rawshark
 %{python_sitearch}/*.py*
 %{_libdir}/lib*.so.*
@@ -290,7 +287,6 @@ fi
 %{_mandir}/man1/dftest.*
 %{_mandir}/man1/randpkt.*
 %config(noreplace) %{_sysconfdir}/pam.d/wireshark
-%config(noreplace) %{_sysconfdir}/security/console.apps/wireshark
 %{_datadir}/wireshark
 %if %{with_lua}
 %exclude %{_datadir}/wireshark/init.lua
@@ -306,7 +302,6 @@ fi
 %{_datadir}/icons/gnome/48x48/mimetypes/application-x-pcap.png
 %{_datadir}/icons/gnome/256x256/mimetypes/application-x-pcap.png
 %{_datadir}/mime/packages/wireshark.xml
-%{_bindir}/wireshark
 %{_sbindir}/wireshark
 %{_mandir}/man1/wireshark.*
@@ -322,6 +317,10 @@ fi
 %{_sbindir}/idl2wrs
 %changelog
+* Fri Nov 26 2010 Jan Safranek - 1.4.3-1
+- rework the Wireshark security (#657490). Remove the console helper and allow only members of new 'wireshark' group to capture the packets.
+
 * Mon Nov 22 2010 Jan Safranek - 1.4.2-1
 - upgrade to 1.4.2
 - see http://www.wireshark.org/docs/relnotes/wireshark-1.4.2.html
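Review bot: The `%pre` scriptlet added in hunk `@@ -245,6 +239,9 @@` creates `wireshark` as an ordinary group, so it takes a GID from the range used for user groups; because membership of this group is what gates packet capture, it should be a system group: `getent group wireshark >/dev/null || groupadd -r wireshark`. No `Requires(pre): shadow-utils` is visible in this diff, though the spec header lies outside the hunks and may already carry it; without it `groupadd` is not guaranteed to be installed when the scriptlet runs. A one-line comment above `%pre`, such as `# members of this group may run the capability-enabled dumpcap`, would tell the next maintainer why the group exists.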
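Review bot: The file capabilities given to `dumpcap` in hunk `@@ -274,7 +271,7 @@` include the inheritable flag, which looks unnecessary for a binary that only needs the capabilities for itself; `%caps(cap_net_raw,cap_net_admin=ep)` should give the same capture ability with a smaller capability set on the file. This single line is also the whole access policy: any member of `wireshark` can execute a binary holding `cap_net_raw` and `cap_net_admin`, which amounts to reading all traffic the host sees and changing interface settings, so it deserves a comment directly above it, e.g. `# only privileged binary in the package; wireshark group membership grants capture rights`. Since the capabilities are stored in a file extended attribute, it is worth verifying after install with `getcap` and `rpm -V` that they are present, as a filesystem or copy that drops xattrs leaves a dumpcap that silently cannot capture.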