I have need to open a raw socket for link layer level packet sending and receiving.

mysock= socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL);

However, man raw(7) tell me:

"Only processes with an effective user id of 0 or the CAP_NET_RAW capability are allowed to open raw sockets."

But eventually I need to run this program in user mode also. And I have to log into the su mode to create this socket. Any idea how to resolve this?

sjcoder

Possibly two ways, run the program suid so it has the proper permission no matter who starts it. Or, create a daemon running as root that does the actual raw socket work and talk to the daemon over a regular socket from your user application.

Remember to drop privileges after getting the raw socket if you make your program setuid. Just make it the 1st thing your program does, then drop 'em.

"run the program suid so it has the proper permission no matter who starts it."

To follow up the discussion here. I have tried to open the raw socket I mentioned above with a project I created from KDevelop environment . I made setuid(0) before the socket() call, setuid(0) call retuned -1. Anyone give me a hint about the right way to do it.

Running a daemon at root would be too complicated for me.

Or should I write a driver module for this raw socket communication?

All your inputs are appreciated.

sjcoder

setuid(0) fails because you don't have the privileges. You need to set the set-uid bit on the executable: "chmod u+s /path/to/exec". Then use "setuid(getuid());" in your code to drop privileges.

(1) By "chmod u+s /path/to/exec", meaning I have to do this in the command line? Is anyway to resolve this in the code?

(2) Then use "setuid(getuid());" in your code to drop privileges.
I think I need do the best to drop the previlage before exit. What is the consequnce if some exception happen that made me missing the drop call?

Thanks,

sjcoder

No program can get root privileges by itself. It must have been granted by root manually.

I guess you only need the privileges to get the raw sockets. Dropping them right after obtaining it conforms to the best security practice. Then you can safely register signal handlers and do stuff without the risk of compromise in your program. Remember to setrlimit() with RLIMIT_CORE so any core file won't contain passwords and sensitive data that is passing through your network interfaces.

Thanks,

sjcoder[/QUOTE]

Want continue on this topic. After I open the raw socket as I mentioned. I set the sock to be IFF_PROMISC after socket() call. I then wrote a function to recieve the package. but I found out the recvfrom() call is really slow/stucked from time to time. Is anyone know what is the problem? I did not find the option/flag to set recvfrom() call do not wait even data is not availabe.

int receive_pkt(void *pCurBuff, size_t uiSize)
{
int iNumRecv = 0;
struct sockaddr_ll ll;
socklen_t len = sizeof(struct sockaddr_ll);
memset(&ll, 0, len);
#ifdef DEBUG_OUTPUT
printf("receive_pkt(): sock=%d\n", sock);
#endif
// Receive the User Buffer from the Source Address, Check if Error Returned
iNumRecv = recvfrom(sock, pCurBuff, uiSize, 0, (sockaddr*)&ll, &len);
......
}

sjcoder