Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

raw socket access as normal user on linux 2.4

Tags:

linux

sockets

raw-ethernet

In an embedded system (2.4 kernel) I need raw socket access to the eth0 interface from a process not running as root.

I tried to address this problem by setting the CAP_NET_RAW capability from the command line and programmatically using cap_set_proc(), both with no success. It seems that I do not have the permission to do so, in the program I get an EPERM error, on the command line

Failed to set cap's on process `1586': (Operation not permitted)

Is there an easier way to do what I want? If not, what steps are necessary to successfully set the CAP_NET_RAW capability?

EDIT: I have root access, but running the process permanently as root is no option. The version of libcap is 1.10, there is no 'setcap' binary, but a 'setpcaps'.

EDIT - answering George Skoptsov:

If I get you right, your suggestion is to start a process with setuid, then set the CAP_NET_RAW capability and then drop the privileges. I tried this with the following code, but it does not seem to work, even though the caps command do not return errors. With the seteuid() commented out, raw access works, but only since the process is running as root then:

cap_t caps = cap_get_proc();
cap_value_t cap_list[1];
cap_list[0] = CAP_NET_RAW;
if (cap_set_flag(caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET) == -1)
{
    printf("cap_set_flag error");
}
if (cap_set_proc(caps) == -1)
{
    printf("cap_set_proc error");
}

if (seteuid(getuid()) != 0) 
{
    printf("seteuid error");
}

function_that_needs_raw_access();

Thanks for your help. Chris

like image 713
Chris Avatar asked Mar 19 '12 14:03

Chris

1 Answers

Generally, you need root permissions to receive raw packets on an interface. This restriction is a security precaution, because a process that receives raw packets gains access to communications of all other processes and users using that interface.

However, if you have access to root on the machine, you can use the setuid flag to give your process root privileges even when the process is executed as a non-root user.

First, ensure that this capability is set successfully when the process is run as root. Then use 

sudo chown root process
sudo chmod ugo+s process

to set root as owner of the process and set the setuid flag. Then check that the capability is set when the process is run by other users. Because this process will now have all superuser privileges, you should observe security precautions, and drop the privileges as soon as your code no longer requires it (after enabling the CAP_NET_RAW).

You can follow this method to ensure you're dropping them properly.

like image 135
George Skoptsov Avatar answered Sep 22 '22 12:09

George Skoptsov
Sign in to Comment

Related questions

How to close or reset a pconnect() connection when using PHPRedis and PHP-FPM?
About the -ldl flag while compiling and linking C++ files
how to ar x filename.a to different directory
SSH Tunnel to Ngrok and Initiate RDP
Where are the stacks for the other threads located in a process virtual address space?
Android Studio 2.3.3 stucks when first run
Error: NVIDIA-SMI has failed because it couldn't communicate with the NVIDIA driver
Run a shell script from docker-compose command, inside the container
PostgreSQL on Elastic Beanstalk (Amazon Linux 2)
How to stop repeated keyPressed() / keyReleased() events in Swing
Performance profiling on Linux
How to get return value from CHILD PROCESS?
ldd shows varied addresses on x86 Linux
a.out replaced by ELF file format?
What time function do I need to use with pthread_cond_timedwait?
Resources for learning C, Unix, Linux and embedded systems [closed]
read not blocking on named pipe
Using grep to match md5 hashes
What is up with [A-Z] meaning [A-Za-z]?
Compiling error: cannot find -lGLU and -lGL in kubuntu linux

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!