Raw capture capabilities (CAP_NET_RAW, CAP_NET_ADMIN) not working outside /usr/bin and friends for packet capture program using libpcap - McMap

About

Raw capture capabilities (CAP_NET_RAW, CAP_NET_ADMIN) not working outside /usr/bin and friends for packet capture program using libpcap

Asked 17/3, 2015 at 13:2 Answered 14/6, 2015 at 5:10

linux ubuntu wireshark libpcap linux-capabilities

I

1

14

TL;DR: Why are cap_net_raw, cap_net_admin capabilities only working in /usr/bin (or /usr/sbin), but not other places? Can this be configured someplace?

I'm having problems assigning capabilities to my C program utilizing libpcap in Ubuntu 14.04. Even after assigning capabilities using setcap(8) and checking it using getcap(8), I still get a permission error. It seems capabilities only work for executables in \usr\bin and friends.

My program test.c looks as follows:

#include <stdio.h>
#include <pcap.h>

int main(int argc, char **argv) {
    if (argc != 2) {
        printf("Specify interface \n");
        return -1;
    }
    char errbuf[PCAP_ERRBUF_SIZE];
    struct pcap* pcap = pcap_open_live(argv[1], BUFSIZ, 1, 0, errbuf);
    if (pcap == NULL) {
        printf("%s\n", errbuf);
        return -1;
    }
    return 0;
}

and is compiled with

gcc test.c -lpcap

generating a.out executable. I set capabilities:

sudo setcap cap_net_raw,cap_net_admin=eip ./a.out

And check to see that it looks right:

getcap a.out

which gives me

a.out = cap_net_admin,cap_net_raw+eip

Running a.out gives me:

./a.out eth0
eth0: You don't have permission to capture on that device (socket: Operation not permitted)

Running with sudo works as expected (program prints nothing and exits).

Here's the interesting part: If I move a.out to /usr/bin (and reapply the capabilities), it works. Vice versa: taking the capability-enabled /usr/bin/dumpcap from wireshark (which works fine for users in the wireshark group) and moving it out of /usr/bin, say to my home dir, reapplying the same capabilities, it doesn't work. Moving it back, it works.

SO: Why are these capabilities only working in /usr/bin (and /usr/sbin), but not other places? Can this be configured someplace?

Indo answered 17/3, 2015 at 13:2 Comment(2)

The test prog (with the capabilities as above) works AOK on my pretty much out of the box Fedora-21. Shot in the dark: Security permissions related ? (I know nothing specifically related to Ubuntu but I gather there's something called AppArmor on Ubuntu which might be similar to SELinux on Fedora). – Origen 19/3, 2015 at 18:23

You're probably right, @Origen ... I did try to disable AppArmor and unloading profiles (to no avail), but didn't go much further – Indo 20/3, 2015 at 10:46

F

15

This might be because your home directory is mounted with nosuid, which seems to prevent capabilities working. Ubuntu encrypts the home directory, and mounts that with ecryptfs as nosuid.

Binaries with capabilities work for me in /usr/, and /home/, but not my home directory.

The only reference I could find to nosuid defeating capabilities is this link: http://www.gossamer-threads.com/lists/linux/kernel/1860853#1860853. I would love to find an authoritative source.

Freeliving answered 14/6, 2015 at 5:10 Comment(5)

this should get many more upvotes since I also stumbled across this problem, scratching my head for a long time. I did not find this answer since the capability I was searching for was CAP_NET_BIND_SERVICE which should be mentioned here as well in hopes of more people finding this. – Quiescent 5/2, 2016 at 18:13

You can use getpcaps $(pidof ./a.out) to list the capabilities of the running process. Try sudo mount -o remount,suid /home and check whether it works then. – Mascon 7/6, 2016 at 12:19

Of note: this problem helped me solve an issue with python and bluetooth, resulting in the exception: _bluetooth.error: (1, 'Operation not permitted'). I am using the beacontools package with python3.6, and it relies on capabilities. Since many people develop in their home directory, this could be an issue for other packages as well. – Farfamed 28/5, 2018 at 15:12

Unfortunately it seems this problem won't be fixed anytime soon. Check bugs.launchpad.net/ecryptfs/+bug/1147348 – Adopt 31/1, 2019 at 12:21

Massive thumbs-up from here! Also wasted almost a week trying to fight this issue, in vain. None of the Linux-capabilities-howtos/-intros I've come across with mention this either. It's all just ping-this, ping-that. – Andes 27/4, 2022 at 8:10

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.