rework the Wireshark security:

- remove the console helper - add new group 'wireshark' - allow only members of this group to capture the packets - remove unused/obsolete patches Resolves: 657490
2010-11-26 14:23:19 +01:00 · 2010-11-26 14:23:19 +01:00 · ca94db0c70
commit ca94db0c70
parent 1deae9bdc7
3 changed files with 16 additions and 46 deletions
--- a/wireshark-0.99.7-path.patch
+++ b/wireshark-0.99.7-path.patch
@ -1,16 +0,0 @@
-Nasty patch for consolehelper. Wireshark run from consolehelper in unprivileged
-mode wrongly detects path as /usr/bin instead of /usr/sbin. Causes few strange 
-crashes in GUI. 
-
-diff -up wireshark-0.99.7/capture_sync.c.old wireshark-0.99.7/capture_sync.c
--- wireshark-0.99.7/capture_sync.c.old	2007-12-18 02:16:14.000000000 +0100
-+++ wireshark-0.99.7/capture_sync.c	2007-12-19 13:50:17.000000000 +0100
-@@ -230,7 +230,7 @@ init_pipe_args(int *argc) {
-     *argv = NULL;
- 
-     /* take Wireshark's absolute program path and replace "Wireshark" with "dumpcap" */
-    exename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "dumpcap", progfile_dir);
-+    exename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "dumpcap", "/usr/sbin");
- 
-     /* Make that the first argument in the argument list (argv[0]). */
-     argv = sync_pipe_add_arg(argv, argc, exename);
--- a/wireshark-1.4.0-python.patch
+++ b/wireshark-1.4.0-python.patch
@ -1,13 +0,0 @@
-Fix simple syntax error in python scripts
-
-diff -up wireshark-1.4.0/epan/wspython/wspy_libws.py.orig wireshark-1.4.0/epan/wspython/wspy_libws.py
--- wireshark-1.4.0/epan/wspython/wspy_libws.py.orig	2010-08-30 00:17:30.000000000 +0200
-+++ wireshark-1.4.0/epan/wspython/wspy_libws.py	2010-08-31 17:37:54.905966497 +0200
-@@ -27,7 +27,6 @@ import platform
- 
- __libwireshark = None
- 
-/* XXX - We should probably return a full path here, at least on Windows. */
- def get_libws_libname():
-   system = platform.system()
-   if system == "Darwin":
--- a/wireshark.spec
+++ b/wireshark.spec
@ -37,11 +37,10 @@ Source8:	wiresharkdoc-48x48.png
 Source9:	wiresharkdoc-256x256.png

 Patch1:		wireshark-nfsv4-opts.patch
-Patch2:		wireshark-0.99.7-path.patch
-Patch3:		wireshark-1.2.4-enable_lua.patch
-Patch4:		wireshark-1.2.8-disable_warning_dialog.patch
-Patch5:		wireshark-libtool-pie.patch
-Patch6:		wireshark-1.4.0-doc-path.patch
+Patch2:		wireshark-1.2.4-enable_lua.patch
+Patch3:		wireshark-libtool-pie.patch
+Patch4:		wireshark-1.4.0-doc-path.patch
+Patch5:		wireshark-1.4.2-group-msg.patch

 Url:		http://www.wireshark.org/
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -112,15 +111,14 @@ and plugins.
 %setup -q -n %{name}-%{version}
 %endif
 %patch1 -p1 
-%patch2 -p1

 %if %{with_lua}
-%patch3 -p1 -b .enable_lua
+%patch2 -p1 -b .enable_lua
 %endif

-%patch4 -p1 -b .dialog
-%patch5 -p1
-%patch6 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1 -b .group-msg

 %build
 %ifarch s390 s390x sparcv9 sparc64
@ -176,10 +174,6 @@ make DESTDIR=$RPM_BUILD_ROOT install
 # install support files for usermode, gnome and kde
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d
 install -m 644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d/wireshark
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/security/console.apps
-install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/security/console.apps/wireshark
-mkdir -p $RPM_BUILD_ROOT/%{_bindir}
-ln -s consolehelper $RPM_BUILD_ROOT/%{_bindir}/wireshark

 # Install python stuff.
 mkdir -p $RPM_BUILD_ROOT%{python_sitearch}
@ -245,6 +239,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la
 %clean
 rm -rf $RPM_BUILD_ROOT

+%pre
+getent group wireshark >/dev/null || groupadd wireshark
+
 %post -p /sbin/ldconfig

 %postun -p /sbin/ldconfig
@ -274,7 +271,7 @@ fi
 %{_sbindir}/dftest
 %{_sbindir}/capinfos
 %{_sbindir}/randpkt
-%{_sbindir}/dumpcap
+%attr(0750, root, wireshark) %caps(cap_net_raw,cap_net_admin=eip) %{_sbindir}/dumpcap
 %{_sbindir}/rawshark
 %{python_sitearch}/*.py*
 %{_libdir}/lib*.so.*
@ -290,7 +287,6 @@ fi
 %{_mandir}/man1/dftest.*
 %{_mandir}/man1/randpkt.*
 %config(noreplace) %{_sysconfdir}/pam.d/wireshark
-%config(noreplace) %{_sysconfdir}/security/console.apps/wireshark
 %{_datadir}/wireshark
 %if %{with_lua}
 %exclude %{_datadir}/wireshark/init.lua
@ -306,7 +302,6 @@ fi
 %{_datadir}/icons/gnome/48x48/mimetypes/application-x-pcap.png
 %{_datadir}/icons/gnome/256x256/mimetypes/application-x-pcap.png
 %{_datadir}/mime/packages/wireshark.xml
-%{_bindir}/wireshark
 %{_sbindir}/wireshark
 %{_mandir}/man1/wireshark.*

@ -322,6 +317,10 @@ fi
 %{_sbindir}/idl2wrs

 %changelog
+* Fri Nov 26 2010 Jan Safranek <jsafrane@redhat.com> - 1.4.3-1
+- rework the Wireshark security (#657490). Remove the console helper and
+  allow only members of new 'wireshark' group to capture the packets.
+
 * Mon Nov 22 2010 Jan Safranek <jsafrane@redhat.com> - 1.4.2-1
 - upgrade to 1.4.2
 - see http://www.wireshark.org/docs/relnotes/wireshark-1.4.2.html