In an embedded system (2.4 kernel) I need raw socket access to the eth0 interface from a process not running as root.
I tried to address this problem by setting the CAP_NET_RAW capability from the command line and programmatically using cap_set_proc(), both with no success. It seems that I do not have the permission to do so, in the program I get an EPERM error, on the command line
Failed to set cap's on process `1586': (Operation not permitted)
Is there an easier way to do what I want? If not, what steps are necessary to successfully set the CAP_NET_RAW capability?
EDIT: I have root access, but running the process permanently as root is no option. The version of libcap is 1.10, there is no 'setcap' binary, but a 'setpcaps'.
EDIT - answering George Skoptsov:
If I get you right, your suggestion is to start a process with setuid, then set the CAP_NET_RAW capability and then drop the privileges. I tried this with the following code, but it does not seem to work, even though the caps command do not return errors. With the seteuid() commented out, raw access works, but only since the process is running as root then:
cap_t caps = cap_get_proc();
cap_value_t cap_list[1];
cap_list[0] = CAP_NET_RAW;
if (cap_set_flag(caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET) == -1)
{
printf("cap_set_flag error");
}
if (cap_set_proc(caps) == -1)
{
printf("cap_set_proc error");
}
if (seteuid(getuid()) != 0)
{
printf("seteuid error");
}
function_that_needs_raw_access();
Thanks for your help.
Chris
Generally, you need root permissions to receive raw packets on an interface. This restriction is a security precaution, because a process that receives raw packets gains access to communications of all other processes and users using that interface.
However, if you have access to root on the machine, you can use the setuid flag to give your process root privileges even when the process is executed as a non-root user.
First, ensure that this capability is set successfully when the process is run as root. Then use
sudo chown root process
sudo chmod ugo+s process
to set root as owner of the process and set the setuid flag. Then check that the capability is set when the process is run by other users. Because this process will now have all superuser privileges, you should observe security precautions, and drop the privileges as soon as your code no longer requires it (after enabling the CAP_NET_RAW).
You can follow this method to ensure you're dropping them properly.
You can give an executable program the ability to use the CAP_NET_RAW privilege without giving it other root privileges.
$ setcap cap_net_raw=pe *program*
You cannot give this privilege without having this privilege. Certainly root can give this privilege to programs.
The process must be run as root, or have the CAP_NET_RAW capabilities on the executable.
In order to set CAP_NET_RAW, you need to run the setcap command as root. Once set, you can run the executable as another user, and it'll have access to raw packet capturing.
If you do not have root access in anyway, nor can get anyone with root access to set CAP_NET_RAW or setuid root on the executable, you'll not be able to do packet capturing as a non-root user.
TL;DR IMHO not supported in kernel < 3.0.
There was a discussion about supporting it in kernel netdev mailing list:
https://lwn.net/Articles/420800/ and https://lwn.net/Articles/420801/.
And included it in commit
c319b4d76b9e583a5d88d6bf190e079c4e43213d, released in kernel 3.0:
commit c319b4d76b9e583a5d88d6bf190e079c4e43213d
Author: Vasiliy Kulikov <segoon#openwall.com>
Date: Fri May 13 10:01:00 2011 +0000
net: ipv4: add IPPROTO_ICMP socket kind
Follows: v2.6.39-rc2
Precedes: v3.0-rc1
Running ping without CAP_NET_RAW (i.e. without setting capabilities or without set-uid) was implemented for ping in revision 87dbb3a5db657d5eae6934707beaf0507980a1c3, released in iputils s20150815:
commit 87dbb3a5db657d5eae6934707beaf0507980a1c3
Author: Nikos Mavrogiannopoulos <nmav#redhat.com>
Date: Fri May 29 11:01:00 2015 +0200
This patch allows running ping and ping6 without root privileges on
kernels that support it. Almost identical to Lorenzo
Colitti's original patch except:
...
Follows: s20140519
Precedes: s20150815
Related
I am trying to make a chroot'ed, sandboxed build-environement, which creates itself from a Git checkout before proceeding with building the application. One of the requirements is that the developers doing the git checkout and invoking the build should not need admin privileges on the host machine.
unshare -r chroot
works fine - except there is no /proc which again means a lot of standeard stuff wont work.
Various methods to create /proc I have found with mount require sudo rights.
Docker does this but the developers have to be in the "docker" group which effectively gives them uncontrolled root access - then rather give them sudo rights.
I have found the "proot" which does some kind of emulation to do this. This, however, has some performance penalties.
You also need a mount namespace which will give you the ability to perform recursive bind mounts (and plain bind mount where there are no child mounts). pivot_root and the ability to mount tmpfs, so use unshare -rm.
With a pid namesapce you can also mount fresh instances of procfs.
I ended up using bubblewrap (bwrap). For a few things using ttys, I had to let it run with pseudo uid 0 to work.
If I should do it now I would use podman I think.
Agenda: To have an common Project Folder between Linux and Windows
I have changed my document root from : /var/www/html to /media/mithun/Projects/test in my ubuntu machine 14.04
I get error as :
Forbidden
You don't have permission to access / on this server.
Apache/2.4.7 (Ubuntu) Server at localhost Port 80
So i added some scripts to : sudo gedit /etc/apache2/sites-available/000-default.conf
# DocumentRoot /var/www/html
DocumentRoot /media/mithun/Projects/test
But Document Root /var/www/test works but not with Windows NTFS Partition Drive.
Even after referring to :
Error message "Forbidden You don't have permission to access / on this server"
Issue with my Ubuntu Apache Conf file. (Forbidden You don't have permission to access / on this server.)
No success :( So kindly assist me with it...
Note: Projects is an New Volume (Internal Drive: In Windows its E:/ Drive)
#Lmwangi - Please check my updates for your reference below:
Output of : ls /etc/apparmor.d/
abstractions lightdm-guest-session usr.bin.evince usr.sbin.cupsd
cache local usr.bin.firefox usr.sbin.mysqld
disable sbin.dhclient usr.lib.telepathy usr.sbin.rsyslogd
force-complain tunables usr.sbin.cups-browsed usr.sbin.tcpdump
I tried killing apparmor:
sudo /etc/init.d/apparmor kill
I receive output as : Usage: /etc/init.d/apparmor
{start|stop|restart|reload|force-reload|status|recache}
After this, i was also able to restart apache successfully
maybe the problem is simple : is your new root directory accessible to the www-data user ?
Try :
$ chown -R www-data:www-data /media/mithun/Projects
As you have you have discovered by now, you cannot just manipulate permissions on an NTFS partition (using tools like chmod)
However, you can try forcing a given owner/permissions for the entire partition when you mount it.
Now the wayto do this, depends on the NTFS-utilities you are actually using (and which i don't know, so I'm assuming you are using ntfs-3g)
E.g. mount the partition with the following parameters (replace dev/sdX with your actual partition, and /path/to/wheredrive/is/mounted` with your target path):
mount -o gid=www-data /dev/sdX /path/where/the/drive/is/mounted
should make all the files on the partition belong to the www-data group.
If the filesystem sets the group ownership explicitely, this still might not work.
In this case, you might need to setup a usermap, that maps your windows users/groups (as found on the partition) to your linux users/groups.
The ntfs-3g.usermap utility will help you generate an initial usermap file, which you can then edit to your needs:
ntfs-3g.usermap /dev/sdX
Then pass the usermap to the mount options:
mount -o usermapping=/path/to/usermap.file /dev/sdX /path/where/the/drive/is/mounted
I suspect that you have apparmor enforcing rules that prevent Apache from reading non-whitelisted directory paths. I suggest that you
Edit the apparmor config for Apache to access your custom path. You'll need to hunt around /etc/apparmor.d/ . You may also find that using apparmor in non-enforcing mode helpful.
$ sudo aa-complain /etc/apparmor.d/*
Use mod_apparmor? See this
Or disable apparmor completely. See this
My order of preference would be 1,3,2. That should fix this for you :)
While using ubuntu with windows I faced same issue and it is resolved by remounting drive with read and write access. Below command will help you to do that:
sudo mount -o remount,rw /disk/location /disk/new_location
If it is still not working then in windows os, go to the power options and disable fast startup.
When you shut down a computer with Fast Startup enabled, Windows locks down the Windows hard disk. You won’t be able to access it from other operating systems if you have your computer configured to dual-boot. Even worse, if you boot into another OS and then access or change anything on the hard disk (or partition) that the hibernating Windows installation uses, it can cause corruption. If you’re dual booting, it’s best not to use Fast Startup or Hibernation at all.
Original article: https://www.howtogeek.com/243901/the-pros-and-cons-of-windows-10s-fast-startup-mode/
I have a process that fork-execlp "iptables-restore file.rules". It looks like it doesn't have the permission since I don't see some of the rules not listed like INPUT DROP after the process executes. When I run this process as a root, it seems to be fine but not when I run as a user with following capabilities:
parent process - cap_kill,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
child ( iptables-restore ) - cap_net_admin,cap_net_raw+ei
What is the capability that I am missing?
I just got the same issue. My suspicion is that the issue is not about capabilities, but about simple filesystem permissions. The error I see is:
Fatal: can't open lock file /run/xtables.lock: Permission denied
The file is owned by root:root, and is RW only by the owner. So either change the file ownership to a group and chmod g+rw or use an alternative lock location using The XTABLES_LOCKFILE environment variable (based on iptables manual).
If anyone has a different solution I would love to hear about it.
I want to execute my scripts at boot time through systemd (OS is Fedora Core 16) from some non-root user (e.g. michael).
I don't need root privileges - I only want to run at boot time and at shutdown time some of my units in systemd. And I don't want to turn on a root user for this. I only want to use power of systemd syntax of units for starting and watching for my process (of course without root access). Is it possible?
I didn't find any help in the documentation. I only found in systemd(1) -> DIRECTORIES -> "User unit directories":
$ pkg-config systemd --variable=systemduserunitdir
/usr/lib/systemd/user
But the /usr/lib/systemd/user is:
drwxr-xr-x. 2 root root
I cannot imagine how I can use this directory as a non-root user...
This Arch Linux document may help.
systemd offers users the ability to run an instance of systemd to
manage their session and services. This allows users to start, stop,
enable, and disable units found within certain directories when
systemd is run by the user. This is convenient for daemons and other
services that are commonly run as a user other than root or a special
user, such as mpd.
They suggest starting a system --user instance via xinit, but I suppose you want to start the user services regardless of whether the user is logged in.
I would normally do that by adding an #reboot line to my crontab.
From Wikipedia:
#reboot can be useful if there is a need to start up a server or
daemon under a particular user, and the user does not have access to
configure init to start the program.
Maybe you can start systemd --user via #reboot!!!
Create a user systemd unit file for 'michael'.
Here's the magic to ensure users systemd process will kick off at boot instead of at login:
loginctl enable-linger michael
Full details
I have a web application (bugzilla) in apache that needs to use sendmail.cf . When it tries to use sendmail I get the error:
/etc/mail/sendmail.cf: line 0: cannot open: Permission denied
the web application is in group "apache"
Permissions for sendmail look like:
-rw-r--r-- 1 root root 58624 2008-03-29 05:27 sendmail.cf
What do the permissions for sendmail.cf have to look like in order to be accessed by apache but still be secure enough to lock out everyone else.
I have this issue in a Centos 7 and the answer was here:
http://www.mysysadmintips.com/linux/servers/591-sendmail-won-t-send-emails-on-centos-7-permission-denied
Quick 'sestatus' check revealed that the issue was caused by SELinux.
Running: getsebool httpd_can_sendmail returns off, which means that
Apache (httpd) doesn't have permission to send emails.
The issue was resolved by running: setsebool -P httpd_can_sendmail on
You should have a different .cf file for local submissions, usually called (something like) submit.cf - this will have a slightly different batch of settings specifically for SENDING mail (whereas sendmail.cf will be the part for RECEIVING mail). The submit.cf is safe to be globally readable, because (in theory) all processes on the box should be trusted to send email.
Set the user as root and the group as apache: chown root:apache sendmail.cf