any way to change socket permissions to regular users?
I would like regular users on my machine to be able to use tools like libpcap, tcpdump, etc. all on sockets which traditionally require root permissions. For example, trying to capture packets over an interface as a regular user with tcpdump will return "Error: socket: Permission denied." Instead of granting root permissions to users, is it possible to change socket permissions to include specific (or simply all) users?
You can edit the /etc/sudoers file using the visudo command to grant any user (or any group) permission to execute any specific program. On my network I have configured sudoers to allow all users in a group called smbusers the ability to run mount.cifs and umount.cifs
I kind of simplified the situation for the sake of brevity. Unfortunately sudo and su are not an option. Is it possible to change the socket permissions?
But thanks for the suggestion, I actually did not know you could do that on a per application basis.
Quote:
Originally Posted by hedpe
I kind of simplified the situation for the sake of brevity.
I'll leave the specific socket question to someone more suited to answer that one but if su and sudo are not available you might look at the chmod +s permission.
The 's' execute option allows regular users to execute the program with the permissions of the owner. So if the command users need to execute (mount for example) is owned by root and you add the 's' permission then any user can execute the mount program and it will run as if being executed by root.
This probably doesn't help your socket permission but I thought I'd throw it out there just in case
The specific application you mentioned (tcpdump, or any application based on libpcap) is not available to mortal users, because it requires the use of the ethernet in promiscuous mode. As such, it is capable of reading arbitrary data on the network, and this is not something that should be available without root permission. Without having checked, I would assume that this is enforced by the kernel, in the TCP stack, and is therefore not subject to any permission changes at the filesystem or socket level.
Is there any way around this? I understand why it can be seen as malicious on a public machine, but this one is mine and Linux gives me the power to modify it.
Do you know what it is that prevents it? Is it something I can change through kernel modifications or is it part of something else?
As I said, I haven't explored the low-level details, but I feel certain that it would involve modifying the kernel. As you said, 'Linux gives me the power to'.
--- rod.
It looks like all capabilities are checked by capable() in kernel/capability.c ... so it seems as though I can add statements to ignore certain capabilities (always returning true for them). Just wanted to update the thread with a viable solution.