Ethereal-dev: Re: [Ethereal-dev] Running Ethereal as an unprivileged user

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Urwin <richard@xxxxxxxxxxxxxxx>
Date: Thu, 11 Sep 2003 07:38:21 +0100

On Wednesday 10 Sep 2003 11:56 pm, Guy Harris wrote:
> On Sep 10, 2003, at 3:40 PM, Richard Urwin wrote:
> > Here is a C program that demonstrates using Linux (POSIX.1e)
> > capabilities to run as a normal user but keeping certain
> > privileges.
> >
> > It runs, as can be seen below, under a standard MDK9.1 kernel. In
> > fact it should work under any kernel from 2.2.19 onward.
>
> Yes, but is there some way of achieving this *without* adding code to
> the application?
>
> E.g., can a user be given the CAP_NET_RAW and CAP_NET_ADMIN
> capabilities (although I think CAP_NET_ADMIN gives capabilities not
> needed - too bad there's no
> CAP_NET_JUST_ENUMERATE_THE_DAMN_NETWORK_INTERFACES or something such
> as that; do you need CAP_NET_ADMIN to use "getifaddrs()" on those
> Linuxes that have it?), as part of the appropriate capability sets,
> in such a way that their login processes get them and either
>
> 	1) all programs
>
> or
>
> 	2) all programs with those capabilities
>
> get them in their "effective capabilities" set?

When capabilities are added to the filesystems then you will get that
functionality. But there is a problem with ext 2 or 3: there are not 3
32-bit integers left in the inode, and people are saying "oops" and "oh
dear" and "that's a bit of a problem then," and don't appear to be
doing anything about it. This stuff has been available since 2.2.19,
but nobody is touching it because it isn't seen to be there until
filesystem support, and filesystem support is not happening any time
soon.

>
> Your test program appears to be running with an effective UID of
> root; it'd be nice if Ethereal/Tethereal/tcpdump/etc. didn't have to
> be run with an effective UID of root at all (not even if they give it
> up as soon as they get the appropriate capabilities).

It would be nice, but it isn't going to happen this year, and probably 
not next year. Then we will get it for free.

> > I propose that we add this functionality into Ethereal, when built
> > on Linux, and when libcap and the kernel headers are available.
>
> Should it go there, or should it go in libpcap, so that *all* libpcap
> applications work that way?

I don't know if you can have setguid root shared libraries, but I think
Ethereal is probably the best place. If you are going to run as root
you want to discard capabilities and change user as soon as possible to
reduce the window of opportunity as much as possible. I wouldn't want
to rely on a third party library to do it.

-- 
Richard Urwin
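
The approach discussed in this thread (start as root, keep only CAP_NET_RAW and CAP_NET_ADMIN, change user immediately) can be sketched as follows. This is an added example, not the program from the original post, which is not reproduced in this archive. It assumes a Linux kernel with the version 3 capability interface and calls capset directly instead of libcap; the function names and the sample UID/GID are hypothetical.

```c
#include <grp.h>
#include <linux/capability.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Fill d[] with the only capabilities a capture process keeps: CAP_NET_RAW
 * and CAP_NET_ADMIN, permitted and effective, nothing inheritable. */
void capture_caps(struct __user_cap_data_struct d[2])
{
    unsigned int mask = (1u << CAP_NET_RAW) | (1u << CAP_NET_ADMIN);
    memset(d, 0, 2 * sizeof d[0]);
    d[0].permitted = mask;
    d[0].effective = mask;
}

/* Call first thing in main() while still root. Returns 0 once the process
 * runs as uid/gid with only the capture capabilities, -1 on any failure. */
int drop_to_user(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];

    capture_caps(d);
    /* Keep the permitted set across the UID change below. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    /* Shed supplementary groups and the GID before the UID, while we still can. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Shrink permitted to the two capabilities and re-raise them as effective
     * (the UID change cleared the effective set). */
    if (syscall(SYS_capset, &h, d) != 0) return -1;
    if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) != 0) return -1;
    /* Fail closed if root can still be regained. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(void)
{
    /* 65534 is a constructed sample ID (commonly "nobody"). */
    return drop_to_user(65534, 65534) != 0;
}
```

The caller should treat a -1 return as fatal and exit before opening any capture device or parsing any packet data.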