Brice Waegeneire <brice@HIDDEN>
to control <at> debbugs.gnu.org.
Full text available.Received: (at 41874) by debbugs.gnu.org; 5 Jul 2020 09:58:12 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jul 05 05:58:12 2020 Received: from localhost ([127.0.0.1]:60058 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1js1PX-0001yr-Vz for submit <at> debbugs.gnu.org; Sun, 05 Jul 2020 05:58:12 -0400 Received: from eggs.gnu.org ([209.51.188.92]:59224) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <othacehe@HIDDEN>) id 1js1PW-0001yf-N5 for 41874 <at> debbugs.gnu.org; Sun, 05 Jul 2020 05:58:11 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:59482) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from <othacehe@HIDDEN>) id 1js1PQ-0003h0-0s; Sun, 05 Jul 2020 05:58:04 -0400 Received: from [2a01:e0a:fa:a50:84fd:6270:81db:82dd] (port=54962 helo=meru) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from <othacehe@HIDDEN>) id 1js1PO-0001i5-Sc; Sun, 05 Jul 2020 05:58:03 -0400 From: Mathieu Othacehe <othacehe@HIDDEN> To: Brice Waegeneire <brice@HIDDEN> Subject: Re: [bug#41874] [PATCH] gnu: wireshark: Lookup 'dumpcap' in PATH. References: <20200615161841.24337-1-brice@HIDDEN> Date: Sun, 05 Jul 2020 11:57:55 +0200 In-Reply-To: <20200615161841.24337-1-brice@HIDDEN> (Brice Waegeneire's message of "Mon, 15 Jun 2020 18:18:41 +0200") Message-ID: <87sge6i8rg.fsf@HIDDEN> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 41874 Cc: 41874 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -3.3 (---) Hello Brice, > Together with https://issues.guix.info/41763 this patch allow to use wire= shark > as a non-root user be adding the following to your =E2=80=9Coeprating-sys= tem-services=E2=80=9C > field: > > (simple-service 'wireshark-group account-service-type > (list (user-group (name "wireshark") (system? #t)))) > (simple-service 'wireshark-dumpcap setuid-program-service-type > (list (list (file-append wireshark "/bin/dumpcap") > "root" "wireshark"))) When this mechanism will be pushed, we could maybe update wireshark package description to refer to this "trick". In the meantime your patch looks good to me. Thanks, Mathieu
guix-patches@HIDDEN:bug#41874; Package guix-patches.
Full text available.
Received: (at submit) by debbugs.gnu.org; 15 Jun 2020 16:19:16 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jun 15 12:19:16 2020
Received: from localhost ([127.0.0.1]:47271 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1jkrpI-0000gi-HI
for submit <at> debbugs.gnu.org; Mon, 15 Jun 2020 12:19:16 -0400
Received: from lists.gnu.org ([209.51.188.17]:50276)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <brice@HIDDEN>) id 1jkrpD-0000gX-Ow
for submit <at> debbugs.gnu.org; Mon, 15 Jun 2020 12:19:11 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:53036)
by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <brice@HIDDEN>) id 1jkrpD-00089M-Ip
for guix-patches@HIDDEN; Mon, 15 Jun 2020 12:19:07 -0400
Received: from relay12.mail.gandi.net ([217.70.178.232]:34791)
by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
(Exim 4.90_1) (envelope-from <brice@HIDDEN>) id 1jkrp8-0004Gh-NU
for guix-patches@HIDDEN; Mon, 15 Jun 2020 12:19:07 -0400
Received: from localhost (luy13-1-78-237-113-178.fbx.proxad.net
[78.237.113.178]) (Authenticated sender: brice@HIDDEN)
by relay12.mail.gandi.net (Postfix) with ESMTPSA id 5F308200002
for <guix-patches@HIDDEN>; Mon, 15 Jun 2020 16:18:56 +0000 (UTC)
From: Brice Waegeneire <brice@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH] gnu: wireshark: Lookup 'dumpcap' in PATH.
Date: Mon, 15 Jun 2020 18:18:41 +0200
Message-Id: <20200615161841.24337-1-brice@HIDDEN>
X-Mailer: git-send-email 2.26.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=217.70.178.232; envelope-from=brice@HIDDEN;
helo=relay12.mail.gandi.net
X-detected-operating-system: by eggs.gnu.org: First seen = 2020/06/15 12:18:57
X-ACL-Warn: Detected OS = Linux 3.11 and newer
X-Spam_score_int: -25
X-Spam_score: -2.6
X-Spam_bar: --
X-Spam_report: (-2.6 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001 autolearn=_AUTOLEARN
X-Spam_action: no action
X-Spam-Score: -1.6 (-)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.6 (--)
* gnu/packages/patches/wireshark-lookup-dumpcap-in-path.patch: New file
…
* gnu/local.mk: … add it …
* gnu/packages/networking.scm (wireshark)[origin]: … use it.
---
Together with https://issues.guix.info/41763 this patch allow to use wireshark
as a non-root user be adding the following to your “oeprating-system-services“
field:
--8<---------------cut here---------------start------------->8---
(simple-service 'wireshark-group account-service-type
(list (user-group (name "wireshark") (system? #t))))
(simple-service 'wireshark-dumpcap setuid-program-service-type
(list (list (file-append wireshark "/bin/dumpcap")
"root" "wireshark")))
--8<---------------cut here---------------end--------------->8---
Such feature was asked on the mailing list years ago[0].
[0]: https://lists.gnu.org/archive/html/help-guix/2016-11/msg00043.html
gnu/local.mk | 1 +
gnu/packages/networking.scm | 1 +
.../wireshark-lookup-dumpcap-in-path.patch | 66 +++++++++++++++++++
3 files changed, 68 insertions(+)
create mode 100644 gnu/packages/patches/wireshark-lookup-dumpcap-in-path.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 79bdfe9be8..3b07aa248c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1595,6 +1595,7 @@ dist_patch_DATA = \
%D%/packages/patches/wicd-get-selected-profile-fix.patch \
%D%/packages/patches/wicd-urwid-1.3.patch \
%D%/packages/patches/wicd-wpa2-ttls.patch \
+ %D%/packages/patches/wireshark-lookup-dumpcap-in-path.patch \
%D%/packages/patches/wmctrl-64-fix.patch \
%D%/packages/patches/wmfire-update-for-new-gdk-versions.patch \
%D%/packages/patches/wordnet-CVE-2008-2149.patch \
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index e8f398e521..216e5072a4 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -873,6 +873,7 @@ of the same name.")
(method url-fetch)
(uri (string-append "https://www.wireshark.org/download/src/wireshark-"
version ".tar.xz"))
+ (patches (search-patches "wireshark-lookup-dumpcap-in-path.patch"))
(sha256
(base32 "1amqgn94g6h6cfnsccm2zb4c73pfv1qmzi1i6h1hnbcyhhg4czfi"))))
(build-system cmake-build-system)
diff --git a/gnu/packages/patches/wireshark-lookup-dumpcap-in-path.patch b/gnu/packages/patches/wireshark-lookup-dumpcap-in-path.patch
new file mode 100644
index 0000000000..4c000c23a1
--- /dev/null
+++ b/gnu/packages/patches/wireshark-lookup-dumpcap-in-path.patch
@@ -0,0 +1,66 @@
+Taken from Nixpkgs:
+<https://github.com/NixOS/nixpkgs/blob/aa060ababf1490e8b39a6122d42112ea958f39cf/pkgs/applications/networking/sniffers/wireshark/wireshark-lookup-dumpcap-in-path.patch>
+
+From 5bef9deeff8a2e4401de0f45c9701cd6f98f29d8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= <bjorn.forsman@HIDDEN>
+Date: Thu, 26 Nov 2015 21:03:35 +0100
+Subject: [PATCH] Lookup dumpcap in PATH
+
+NixOS patch: Look for dumpcap in PATH first, because there may be a
+dumpcap wrapper that we want to use instead of the default
+non-setuid dumpcap binary.
+
+Also change execv() to execvp() because we've set argv[0] to "dumpcap"
+and have to enable PATH lookup. Wireshark is not a setuid program, so
+looking in PATH is not a security issue.
+
+Signed-off-by: Franz Pletz <fpletz@HIDDEN>
+---
+ capchild/capture_sync.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/capchild/capture_sync.c b/capchild/capture_sync.c
+index 970688e..49914d5 100644
+--- a/capchild/capture_sync.c
++++ b/capchild/capture_sync.c
+@@ -332,7 +332,18 @@ init_pipe_args(int *argc) {
+ #ifdef _WIN32
+ exename = g_strdup_printf("%s\\dumpcap.exe", progfile_dir);
+ #else
+- exename = g_strdup_printf("%s/dumpcap", progfile_dir);
++ /*
++ * NixOS patch: Look for dumpcap in PATH first, because there may be a
++ * dumpcap wrapper that we want to use instead of the default
++ * non-setuid dumpcap binary.
++ */
++ if (system("command -v dumpcap >/dev/null") == 0) {
++ /* Found working dumpcap */
++ exename = g_strdup_printf("dumpcap");
++ } else {
++ /* take Wireshark's absolute program path and replace "Wireshark" with "dumpcap" */
++ exename = g_strdup_printf("%s/dumpcap", progfile_dir);
++ }
+ #endif
+
+ /* Make that the first argument in the argument list (argv[0]). */
+@@ -729,7 +740,7 @@ sync_pipe_start(capture_options *capture_opts, capture_session *cap_session, voi
+ */
+ dup2(sync_pipe[PIPE_WRITE], 2);
+ ws_close(sync_pipe[PIPE_READ]);
+- execv(argv[0], argv);
++ execvp(argv[0], argv);
+ g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
+ argv[0], g_strerror(errno));
+ sync_pipe_errmsg_to_parent(2, errmsg, "");
+@@ -997,7 +1008,7 @@ sync_pipe_open_command(char** argv, int *data_read_fd,
+ dup2(sync_pipe[PIPE_WRITE], 2);
+ ws_close(sync_pipe[PIPE_READ]);
+ ws_close(sync_pipe[PIPE_WRITE]);
+- execv(argv[0], argv);
++ execvp(argv[0], argv);
+ g_snprintf(errmsg, sizeof errmsg, "Couldn't run %s in child process: %s",
+ argv[0], g_strerror(errno));
+ sync_pipe_errmsg_to_parent(2, errmsg, "");
+--
+2.6.3
+
--
2.26.2
Brice Waegeneire <brice@HIDDEN>:guix-patches@HIDDEN.
Full text available.guix-patches@HIDDEN:bug#41874; Package guix-patches.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.