Why you should not run Wireshark as root

May 26, 2019, by Hugo Lefeuvre.

This simple question has been around for many years, and many answers have been provided. Some good, many less good. Despite this, I still feel confusion in the user community.

The official wiki provides a detailed answer. But it's long. This blog post is yet another attempt to make it short, and clear.

Code execution, and superuser

Code execution vulnerabilities allow attackers to execute code with the affected software's permissions.

If the software is run as superuser, the attacker becomes root on the machine right away. In other words, the system is fully compromised. If the software is run by a less privileged user, the attacker will need more steps to gain full control of the machine.

Code execution vulnerabilities are not the most common vulnerabilities, but they are not extremely rare either. As a consequence one should not run software as superuser without good reasons to do so.

This applies to Wireshark as well, because you should not need to be root to run it.

Now this is even more important in the Wireshark case because Wireshark is more prone to security vulnerabilities than the average desktop application:

Complexity, and attack surface

Wireshark is a packet analyzer. Mostly it listens to the network, captures packets and parses them.

It is important to understand that

Now all of this would still be true even if Wireshark was small. But Wireshark is huge (millions of lines of code, a thousand of protocols supported), making previous arguments even more significant.

Conclusion

Running software as root makes attackers' life easier. Software should not be run as root unless necessary, and Wireshark is not an exception.

This is even more important given Wireshark's vulnerability prone nature, as a C program parsing complex data directly from the network.