raw socket access as normal user on linux 2.4


Question

In an embedded system (2.4 kernel) I need raw socket access to the eth0 interface from a process not running as root.

I tried to address this problem by setting the CAP_NET_RAW capability from the command line and programmatically using cap_set_proc(), both with no success. It seems that I do not have the permission to do so: in the program I get an EPERM error, and on the command line

Failed to set cap's on process `1586': (Operation not permitted)

Is there an easier way to do what I want? If not, what steps are necessary to successfully set the CAP_NET_RAW capability?

I have root access, but running the process permanently as root is not an option. The version of libcap is 1.10; there is no 'setcap' binary, but a 'setpcaps'.

EDIT - answering George Skoptsov:

If I get you right, your suggestion is to start a process with setuid, then set the CAP_NET_RAW capability and then drop the privileges. I tried this with the following code, but it does not seem to work, even though the caps calls do not return errors. With the seteuid() commented out, raw access works, but only since the process is running as root then:

#include <stdio.h>
#include <unistd.h>
#include <sys/capability.h>   /* libcap; link with -lcap */

void function_that_needs_raw_access(void);   /* defined elsewhere in the program */

int main(void)
{
    /* Started setuid-root: request CAP_NET_RAW in the effective set. */
    cap_t caps = cap_get_proc();
    cap_value_t cap_list[1];
    cap_list[0] = CAP_NET_RAW;
    if (cap_set_flag(caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET) == -1)
    {
        printf("cap_set_flag error\n");
    }
    if (cap_set_proc(caps) == -1)
    {
        printf("cap_set_proc error\n");
    }
    cap_free(caps);

    /* Drop root: with this call commented out, raw access works (as described above). */
    if (seteuid(getuid()) != 0)
    {
        printf("seteuid error\n");
    }

    function_that_needs_raw_access();
    return 0;
}

Thanks for your help. Chris

Answer

Generally, you need root permissions to receive raw packets on an interface. This restriction is a security precaution, because a process that receives raw packets gains access to communications of all other processes and users using that interface.

However, if you have access to root on the machine, you can use the setuid flag to give your process root privileges even when the process is executed as a non-root user.

First, ensure that this capability is set successfully when the process is run as root. Then use

sudo chown root process
sudo chmod ugo+s process 

to set root as owner of the process and set the setuid flag. Then check that the capability is set when the process is run by other users. Because this process will now have all superuser privileges, you should observe security precautions, and drop the privileges as soon as your code no longer requires them (after enabling the CAP_NET_RAW).

You can follow this method to ensure you're dropping them properly.
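An added example (not from the question or the answer) of the drop sequence the answer describes: a setuid-root process switches to its real uid while keeping only CAP_NET_RAW, and verifies the result. It uses the raw capget/capset syscalls instead of libcap, so it builds without -lcap; the function names and the return-code convention are assumptions of this example.

```c
#define _GNU_SOURCE
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Kernel 2.4 only knows capability version 1 (one 32-bit word per set), which
 * covers CAP_NET_RAW (bit 13); raw capget/capset syscalls avoid libcap. */
#define CAP_MASK(c) (1u << (c))

/* 1 if `cap` is in the effective set, 0 if not, -1 on error. */
int cap_is_effective(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_1, 0 };
    struct __user_cap_data_struct data;
    if (syscall(SYS_capget, &hdr, &data) != 0)
        return -1;
    return (data.effective & CAP_MASK(cap)) != 0;
}

/* Switch a setuid-root process to `target`, keeping only CAP_NET_RAW.
 * Returns 0 on success (uid changed, CAP_NET_RAW effective, all other
 * capabilities gone), 1 if the process never held CAP_NET_RAW, -1 on error. */
int drop_to_uid_keeping_net_raw(uid_t target)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_1, 0 };
    struct __user_cap_data_struct data;

    if (syscall(SYS_capget, &hdr, &data) != 0)
        return -1;
    if (!(data.permitted & CAP_MASK(CAP_NET_RAW)))
        return 1;                      /* nothing to keep */
    /* Without KEEPCAPS the kernel empties the permitted set once the real,
     * effective and saved uids are all non-zero. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
        return -1;
    /* setuid() (unlike seteuid) changes all three uids: no way back to root. */
    if (setuid(target) != 0)
        return -1;
    /* The uid change clears the effective set; re-raise CAP_NET_RAW alone.
     * Shrinking to a subset of the permitted set needs no extra privilege. */
    memset(&data, 0, sizeof data);
    data.permitted = data.effective = CAP_MASK(CAP_NET_RAW);
    if (syscall(SYS_capset, &hdr, &data) != 0)
        return -1;
    return (getuid() == target && cap_is_effective(CAP_NET_RAW) == 1) ? 0 : -1;
}
```

Call drop_to_uid_keeping_net_raw(getuid()) at the top of the setuid-root binary, before opening the raw socket, and treat a 0 return as the only state in which function_that_needs_raw_access() should run.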
