Hi,
Firstly, apologies if this is the wrong section for this question.
I need to run a program that makes use of raw mode transfers across a network. This works fine as root, but the socket is blocked for other users.
I've discovered that I need to enable one of the capabilities called CAP_NET_RAW to do so as a user.
(This is why I've posted in this section, as restricting capabilities seems security related...)
Man shows details of 'capabilities', as well as 'capget'.
When I call capget though, even as root, I get the following message:
Capget: operation not permitted.
I cannot find any details as to how to enable the capabilities.
I've googled for info, read all the sections of the manual that seem vaguely related to this, and can't find any clues.
No doubt this is a simple one, but I'm getting nowhere fast.
This is RH ES4.0 installed on a flash disk running on a cPCI card using a 32 bit Intel cpu.
Nothing special about the install, it runs just the same as the install on my desktop.
AFAIK POSIX capabilities like CAP_NET_RAW are and stay root's privilege (like using Spoon's lcap shows: all or nothing) and that's why traditionally them apps have been chmodded to be setuid root. If an application starts life with UID 0, then not dropping certain privs (a clear risk) can probably be accomplished programmatically, but for fine-grained *granting* of capabilities that aren't a user's own "the new way" I think you'll need SELinux, GRSecurity or LIDS.
Thanks people, I didn't realise capabilities was not the preferred method.
I've gone the chmod setuid route for now, as it sorts the problem and gets things going.
I'll look into the other options if needs be. LIDS looks like it does what I want it to.
Many thanks for your quick responses. Now on to the next problem
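Added example, not part of the thread or any poster's code: a setuid-root program, as in the chmod route chosen above, can limit the risk mentioned in the reply by opening its raw socket first and then giving up root permanently before doing anything else. The function names and the choice of an ICMP raw socket are assumptions made for illustration.

```c
/* Added example (not from the thread): open the raw socket, then drop root. */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clear root's supplementary groups; only possible (and only needed)
     * while we still hold root and are actually leaving it. */
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Group first: after setuid() we may no longer be allowed to change it. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* If the saved set-user-ID were still 0, this call would succeed. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* The one privileged step. ICMP is an assumed protocol for illustration. */
int open_raw_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

int main(void)
{
    int fd = open_raw_socket();          /* done while still effective-root */
    int saved_errno = errno;
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "refusing to continue with root privileges\n");
        return 1;
    }
    if (fd < 0) {
        fprintf(stderr, "raw socket: %s\n", strerror(saved_errno));
        return 1;
    }
    printf("raw socket fd %d open, now running as uid %d\n", fd, (int)getuid());
    close(fd);
    return 0;
}
```

The already-open socket stays usable after the drop, so the rest of the program runs with only the invoking user's privileges.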