Is group priority available?

Question

[tjm@ArchPad bin]$ LANG=en [tjm@ArchPad bin]$ pwd /usr/bin [tjm@ArchPad bin]$ ll | grep wireshark -rwxr-x--- 1 root wireshark 88K Apr 25 00:22 dumpcap -rwxr-xr-x 1 root wireshark 2.0M Apr 25 00:23 wireshark-gtk [tjm@ArchPad bin]$ groups `whoami` wheel wireshark users [tjm@ArchPad bin]$

With command sudo -G wireshark wireshark-gtk, I can start wireshark-gtk and listen with out any problems.

But, if I simply run wireshark-gtk it says that :

Could not run /usr/bin/dumpcap in child process: Permission denied.

So, it is availible to set a group priority, which means that if I (the user) have a group id same as a file, and the file has been set group prority, I will run this file in this group id without sudo -G?

By the way, setgid is not what I want, for it is not safe and anyone can run this file with group privilege.

I still could not understand fully: do you want safer or easier solution? Setting file setgid which is executable only by wireshark group members looks much easier and does not require sudo usage. Try this: chmod 2710 /usr/bin/dumpcap. Maybe I just do not understand something. — , Apr 27 '16 at 16:48
I somehow managed to mess with setuid/setgid. Of course chmod 4710 /usr/bin/dumpcap. Time to sleep. — , Apr 27 '16 at 17:20

score 1 · Answer 1 · 2016-04-27T17:26:27.833

1

If you will set /usr/bin/dumpcap setuid without others but members of wireshark group being able to run it, then this setuid setting is safe. Then you just add yourself to wireshark group with usermod -aG wireshark $(whoami) and you're done.

To setuid it in this way, do chgrp wireshark /usr/bin/dumpcap; chmod 4710 /usr/bin/dumpcap

Btw sudo is not suitable for arbitrary permissions manipulation. Consider using modern tools for this purpose, if you still want not to use setuid on file.

edited Apr 27 '16 at 17:26

answered Apr 27 '16 at 16:22

I just consider that if I setgid to dumpcap, anyone can run dumpcap and listen my net interface, which make my computer unsafe. – TJM Apr 28 '16 at 06:48
How they could run dumpcap if it will be only available to members of wireshark group? Or you want to password protect it through sudo? – Apr 28 '16 at 06:56
Isn't setgid means anyone can run this file with the file's gid? Setgid does not mean only with same group can run this file. – TJM Apr 28 '16 at 07:00
To successfully enumerate network devices and capture packets, dumpcap needs not setgid, but setuid root to work. Also, binary can be setuid/setgid and only runnable by owner/group members of binary, if you will restrict others (chmod o-rwx) to run it. – Apr 28 '16 at 09:28

score 1 · Accepted Answer · answered Apr 27 '16 at 16:49

1

What does id say?

If you've just now added yourself to the wireshark group, I think you will need to log out and back in again.

(Point found by googling the error message).

answered Apr 27 '16 at 16:49

sourcejedi

50,249

I remember OS X id lied to me about current groups, taking information from db instead. OP's question is about Linux, but id output maybe not be always portable. – Apr 27 '16 at 16:52
@siblynx Weird. I went from the Linux manpage "id - print real and effective user and group IDs". Sounds like OS X is not POSIX compliant, despite being based on existing BSD code. http://pubs.opengroup.org/onlinepubs/9699919799/utilities/id.html – sourcejedi Apr 27 '16 at 17:21
1

Yes, exactly as I described. I remember this because I've lost a night trying to figure out why access was still denied. I blindly trusted id output without arguments. – Apr 27 '16 at 17:23
I reboot my Laptop and then it works! – TJM Apr 28 '16 at 06:58

score 0 · Answer 3 · edited Apr 13 '17 at 12:37

“Group priority” is not a common term. I think you mean the choice of group that is used for filesystem lookups. There is no such thing, or to put it another way, all groups have “group priority”: if a file belongs to a group (but not to your user), and you are in that group, then you get the group permissions, no matter whether the group is your primary group or a supplementary group.

If you are in the wireshark group, then you can run /usr/bin/dumpcap.

The output of ``groups whoami``` shows that your user account is in thewiresharkgroup, but it doesn't show that your *session* is in thewiresharkgroup. To test that, rungroupswith no arguments, orid`. Group membership is applied when you log in. If you've just added yourself to the group, you need to log out and back in. See I added a user to a group, but group permissions on files still have no effect

Is group priority available?

3 Answers3