LinuxQuestions.org
Old 04-03-2011, 05:08 PM   #1
hedpe
Member
 
Registered: Jan 2005
Location: Boston, MA
Distribution: Debian
Posts: 380

Rep: Reputation: 30
any way to change socket permissions to regular users?


I would like regular users on my machine to be able to use tools like libpcap, tcpdump, etc., all on sockets which traditionally require root permissions. For example, trying to capture packets over an interface as a regular user with tcpdump will return "Error: socket: Permission denied." Instead of granting root permissions to users, is it possible to change socket permissions to include specific (or simply all) users?

Last edited by hedpe; 04-03-2011 at 05:11 PM.
 
Old 04-03-2011, 07:49 PM   #2
thund3rstruck
Member
 
Registered: Nov 2005
Location: East Coast, USA
Distribution: Fedora 18, Slackware64 13.37, Windows 7/8
Posts: 386

Rep: Reputation: 43
You can edit the /etc/sudoers file using the visudo command to grant any user (or any group) permission to execute any specific program. On my network I have configured sudoers to allow all users in a group called smbusers the ability to run mount.cifs and umount.cifs.
 
Old 04-03-2011, 08:26 PM   #3
hedpe
Member
 
Registered: Jan 2005
Location: Boston, MA
Distribution: Debian
Posts: 380

Original Poster
Rep: Reputation: 30
I kind of simplified the situation for the sake of brevity. Unfortunately sudo and su are not an option. Is it possible to change the socket permissions?

But thanks for the suggestion, I actually did not know you could do that on a per-application basis.
 
Old 04-04-2011, 08:11 AM   #4
thund3rstruck
Member
 
Registered: Nov 2005
Location: East Coast, USA
Distribution: Fedora 18, Slackware64 13.37, Windows 7/8
Posts: 386

Rep: Reputation: 43
Quote:
Originally Posted by hedpe View Post
I kind of simplified the situation for the sake of brevity.
I'll leave the specific socket question to someone more suited to answer that one but if su and sudo are not available you might look at the chmod +s permission.

The 's' execute option allows regular users to execute the program with the permissions of the owner. So if the command users need to execute (mount for example) is owned by root and you add the 's' permission then any user can execute the mount program and it will run as if being executed by root.

This probably doesn't help your socket permission but I thought I'd throw it out there just in case
 
Old 08-15-2011, 04:44 PM   #5
hedpe
Member
 
Registered: Jan 2005
Location: Boston, MA
Distribution: Debian
Posts: 380

Original Poster
Rep: Reputation: 30
Resurfacing this one... +s is also not an option. Does anyone know about the socket permissions?
 
Old 08-15-2011, 05:59 PM   #6
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Rep: Reputation: 908
The specific application you mentioned (tcpdump, or any application based on libpcap) is not available to mortal users, because it requires the use of the ethernet in promiscuous mode. As such, it is capable of reading arbitrary data on the network, and this is not something that should be available without root permission. Without having checked, I would assume that this is enforced by the kernel, in the TCP stack, and is therefore not subject to any permission changes at the filesystem or socket level.

--- rod.

Last edited by theNbomr; 08-15-2011 at 06:01 PM.
 
Old 08-15-2011, 06:03 PM   #7
hedpe
Member
 
Registered: Jan 2005
Location: Boston, MA
Distribution: Debian
Posts: 380

Original Poster
Rep: Reputation: 30
Is there any way around this? I understand why it can be seen as malicious on a public machine, but this one is mine and Linux gives me the power to modify it.

Do you know what it is that prevents it? Is it something I can change through kernel modifications or is it part of something else?
 
Old 08-15-2011, 06:06 PM   #8
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Rep: Reputation: 908
As I said, I haven't explored the low-level details, but I feel certain that it would involve modifying the kernel. As you said, 'Linux gives me the power to'.
--- rod.
 
Old 08-16-2011, 12:22 PM   #9
hedpe
Member
 
Registered: Jan 2005
Location: Boston, MA
Distribution: Debian
Posts: 380

Original Poster
Rep: Reputation: 30
It looks like all capabilities are checked by capable() in kernel/capability.c ... so it seems as though I can add statements to ignore certain capabilities (always returning true for them). Just wanted to update the thread with a viable solution.

A list of the capabilities: http://www.kernel.org/doc/man-pages/...ilities.7.html

Last edited by hedpe; 08-16-2011 at 12:24 PM.
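
An added example, not part of any post in this thread: capabilities(7), the page linked in post #9, lists CAP_NET_RAW as the capability for RAW and PACKET sockets, which is the socket type libpcap opens on Linux. This script decodes the CapEff mask from the text of /proc/<pid>/status to show whether a process holds it; the function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example. Bit numbers are those defined in <linux/capability.h>.
CAP_NET_ADMIN=12   # interface configuration, promiscuous mode
CAP_NET_RAW=13     # RAW and PACKET sockets

# cap_eff STATUS_TEXT: print the effective-capability hex mask found in
# the text of a /proc/<pid>/status file (empty output if there is none).
cap_eff() {
    printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2; exit }'
}

# has_cap HEXMASK BIT: succeed when bit BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# net_caps STATUS_TEXT: print which of the two network capabilities the
# process holds: "net_raw", "net_admin", "net_admin net_raw" or "none".
net_caps() {
    mask=$(cap_eff "$1")
    [ -n "$mask" ] || { echo "unknown"; return 0; }
    out=""
    if has_cap "$mask" "$CAP_NET_ADMIN"; then out="net_admin"; fi
    if has_cap "$mask" "$CAP_NET_RAW"; then out="${out:+$out }net_raw"; fi
    echo "${out:-none}"
}

# Constructed samples (not captured from a real system).
SAMPLE_USER='Name: tcpdump
Uid: 1000 1000 1000 1000
CapEff: 0000000000000000'
SAMPLE_RAW_ONLY='Name: tcpdump
Uid: 1000 1000 1000 1000
CapEff: 0000000000002000'
SAMPLE_ROOT='Name: tcpdump
Uid: 0 0 0 0
CapEff: 0000003fffffffff'

# On a Linux host, report on the current session as well.
if [ -r /proc/self/status ]; then
    echo "this session: $(net_caps "$(cat /proc/self/status)")"
fi
```

The second sample shows that a process running as uid 1000 can hold CAP_NET_RAW without holding any other root privilege, which is the distinction the capability list draws.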
 