[PATCH] gnu: wireshark: Lookup 'dumpcap' in PATH.

OpenSubmitted by Brice Waegeneire.
Details
2 participants
  • Brice Waegeneire
  • Mathieu Othacehe
Owner
unassigned
Severity
normal
Blocked by
B
B
Brice Waegeneire wrote on 15 Jun 2020 18:18
(address . guix-patches@gnu.org)
20200615161841.24337-1-brice@waegenei.re
* gnu/packages/patches/wireshark-lookup-dumpcap-in-path.patch: New file* gnu/local.mk: … add it …* gnu/packages/networking.scm (wireshark)[origin]: … use it.---
Together with https://issues.guix.info/41763this patch allow to use wiresharkas a non-root user be adding the following to your “oeprating-system-services“field:
Toggle snippet (7 lines)(simple-service 'wireshark-group account-service-type (list (user-group (name "wireshark") (system? #t))))(simple-service 'wireshark-dumpcap setuid-program-service-type (list (list (file-append wireshark "/bin/dumpcap") "root" "wireshark")))
Such feature was asked on the mailing list years ago[0].
[0]: https://lists.gnu.org/archive/html/help-guix/2016-11/msg00043.html
gnu/local.mk | 1 + gnu/packages/networking.scm | 1 + .../wireshark-lookup-dumpcap-in-path.patch | 66 +++++++++++++++++++ 3 files changed, 68 insertions(+) create mode 100644 gnu/packages/patches/wireshark-lookup-dumpcap-in-path.patch
Toggle diff (98 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 79bdfe9be8..3b07aa248c 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -1595,6 +1595,7 @@ dist_patch_DATA = \ %D%/packages/patches/wicd-get-selected-profile-fix.patch \ %D%/packages/patches/wicd-urwid-1.3.patch \ %D%/packages/patches/wicd-wpa2-ttls.patch \+ %D%/packages/patches/wireshark-lookup-dumpcap-in-path.patch \ %D%/packages/patches/wmctrl-64-fix.patch \ %D%/packages/patches/wmfire-update-for-new-gdk-versions.patch \ %D%/packages/patches/wordnet-CVE-2008-2149.patch \diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scmindex e8f398e521..216e5072a4 100644--- a/gnu/packages/networking.scm+++ b/gnu/packages/networking.scm@@ -873,6 +873,7 @@ of the same name.") (method url-fetch) (uri (string-append "https://www.wireshark.org/download/src/wireshark-" version ".tar.xz"))+ (patches (search-patches "wireshark-lookup-dumpcap-in-path.patch")) (sha256 (base32 "1amqgn94g6h6cfnsccm2zb4c73pfv1qmzi1i6h1hnbcyhhg4czfi")))) (build-system cmake-build-system)diff --git a/gnu/packages/patches/wireshark-lookup-dumpcap-in-path.patch b/gnu/packages/patches/wireshark-lookup-dumpcap-in-path.patchnew file mode 100644index 0000000000..4c000c23a1--- /dev/null+++ b/gnu/packages/patches/wireshark-lookup-dumpcap-in-path.patch@@ -0,0 +1,66 @@+Taken from Nixpkgs:+<https://github.com/NixOS/nixpkgs/blob/aa060ababf1490e8b39a6122d42112ea958f39cf/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch>++From 5bef9deeff8a2e4401de0f45c9701cd6f98f29d8 Mon Sep 17 00:00:00 2001+From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= <bjorn.forsman@gmail.com>+Date: Thu, 26 Nov 2015 21:03:35 +0100+Subject: [PATCH] Lookup dumpcap in PATH++NixOS patch: Look for dumpcap in PATH first, because there may be a+dumpcap wrapper that we want to use instead of the default+non-setuid dumpcap binary.++Also change execv() to execvp() because we've set argv[0] to "dumpcap"+and have to enable PATH lookup. Wireshark is not a setuid program, so+looking in PATH is not a security issue.++Signed-off-by: Franz Pletz <fpletz@fnordicwalking.de>+---+ capchild/capture_sync.c | 17 ++++++++++++++---+ 1 file changed, 14 insertions(+), 3 deletions(-)++diff --git a/capchild/capture_sync.c b/capchild/capture_sync.c+index 970688e..49914d5 100644+--- a/capchild/capture_sync.c++++ b/capchild/capture_sync.c+@@ -332,7 +332,18 @@ init_pipe_args(int *argc) {+ #ifdef _WIN32+ exename = g_strdup_printf("%s\\dumpcap.exe", progfile_dir);+ #else+- exename = g_strdup_printf("%s/dumpcap", progfile_dir);++ /*++ * NixOS patch: Look for dumpcap in PATH first, because there may be a++ * dumpcap wrapper that we want to use instead of the default++ * non-setuid dumpcap binary.++ */++ if (system("command -v dumpcap >/dev/null") == 0) {++ /* Found working dumpcap */++ exename = g_strdup_printf("dumpcap");++ } else {++ /* take Wireshark's absolute program path and replace "Wireshark" with "dumpcap" */++ exename = g_strdup_printf("%s/dumpcap", progfile_dir);++ }+ #endif+ + /* Make that the first argument in the argument list (argv[0]). */+@@ -729,7 +740,7 @@ sync_pipe_start(capture_options *capture_opts, capture_session *cap_session, voi+ */+ dup2(sync_pipe[PIPE_WRITE], 2);+ ws_close(sync_pipe[PIPE_READ]);+- execv(argv[0], argv);++ execvp(argv[0], argv);+ g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",+ argv[0], g_strerror(errno));+ sync_pipe_errmsg_to_parent(2, errmsg, "");+@@ -997,7 +1008,7 @@ sync_pipe_open_command(char** argv, int *data_read_fd,+ dup2(sync_pipe[PIPE_WRITE], 2);+ ws_close(sync_pipe[PIPE_READ]);+ ws_close(sync_pipe[PIPE_WRITE]);+- execv(argv[0], argv);++ execvp(argv[0], argv);+ g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",+ argv[0], g_strerror(errno));+ sync_pipe_errmsg_to_parent(2, errmsg, "");+-- +2.6.3+-- 2.26.2
M
M
Mathieu Othacehe wrote on 5 Jul 2020 11:57
(name . Brice Waegeneire)(address . brice@waegenei.re)(address . 41874@debbugs.gnu.org)
87sge6i8rg.fsf@gnu.org
Hello Brice,
Toggle quote (10 lines)> Together with https://issues.guix.info/41763this patch allow to use wireshark> as a non-root user be adding the following to your “oeprating-system-services“> field:>> (simple-service 'wireshark-group account-service-type> (list (user-group (name "wireshark") (system? #t))))> (simple-service 'wireshark-dumpcap setuid-program-service-type> (list (list (file-append wireshark "/bin/dumpcap")> "root" "wireshark")))
When this mechanism will be pushed, we could maybe update wiresharkpackage description to refer to this "trick". In the meantime your patchlooks good to me.
Thanks,
Mathieu
B
B
Brice Waegeneire wrote on 5 Jul 2020 13:47
Block #41874
(address . control@debbugs.gnu.org)
9667f027e8609b9f83d0d2a6773bb8de@waegenei.re
block 41874 with 41763
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send email to 41874@debbugs.gnu.org