
Topic: Problem with linux capabilities and pcap

niels.hansen

  • Newbie
  • Posts: 3
Problem with linux capabilities and pcap
« on: September 17, 2021, 12:32:31 pm »
Hi,

I'm developing programs to monitor and test specific devices on the network at the very lowest level.

I use pcap for this and it works really well. However, my programs under Ubuntu/Linux need to have elevated capabilities to run, in particular since I'm using PROMISCUOUS mode, i.e. I'm grabbing data not really intended for me.

If I remove the linux sudo password check then I can put the below line in the "Compiler Commands" "Execute after" line. This will make the compiled programs work from command line with no additional elevation.

/usr/bin/sudo /sbin/setcap cap_net_raw,cap_net_admin=eip  "$TargetFile()"

My problem is that I cannot debug the program (when using "Run") since it appears that the elevated capabilities are not yet set when the debugger is invoked. Am I doing something wrong? How do I make it work?

Thanks

Niels

« Last Edit: September 17, 2021, 12:34:15 pm by niels.hansen »

MarkMLl

  • Hero Member
  • *****
  • Posts: 6676
Re: Problem with linux capabilities and pcap
« Reply #1 on: September 17, 2021, 12:46:54 pm »
I use POSIX capabilities heavily, applying them in much the way that you do... in fact somewhere in the bowels of the bug/wishlist system I've got a patch to extend the IDE with a "run as" for that specific task.

My experience is that I can't debug the generated code as an ordinary user; I've not researched this in depth since I suspect that GDB and capabilities are fundamentally and intentionally incompatible. So what I do is (notes from comment text follow):

Code: Pascal
(* This requires that the program be running with sufficient capabilities to be *)
(* able to create a unix-domain socket in /var/run and to bind to a port < 1024,*)
(* however immediately after these operations it goes to a lot of trouble to    *)
(* relinquish as many privileges as possible.                                   *)
(*                                                                              *)
(*  *   If linked with gtk2, it is not possible to run setuid root but explicit *)
(*      capabilities may be added during installation:                          *)
(*                                                                              *)
(*      # setcap CAP_DAC_OVERRIDE,CAP_NET_BIND_SERVICE,CAP_NET_RAW=p+e *gtk2    *)
(*                                                                              *)
(*      Note that capabilities are stored as extended attributes, which DO NOT  *)
(*      normally accompany a file if it is subsequently copied.                 *)
(*                                                                              *)
(*  *   If linked with Qt, the program may be run setuid root:                  *)
(*                                                                              *)
(*      # chown root:root *qt                                                   *)
(*      # chmod u+s *qt                                                         *)
(*      # chmod g+s *qt                                                         *)
(*                                                                              *)
(*      or have extra capabilities as above.                                    *)
(*                                                                              *)
(*  *   In any case, the program may be started by the superuser (i.e. run as   *)
(*      root).                                                                  *)
(*                                                                              *)
(*  *   It may be debugged by being run like                                    *)
(*                                                                              *)
(*      # gdbserver :2345 ./WatchPxx-x86_64-linux-gtk2                          *)
(*                                                                              *)
(*      with the Lazarus IDE debugger backend set to remote/gdbserver.          *)
(*                                                                              *)
(* After the ports have been bound, the CAP_DAC_OVERRIDE, CAP_NET_BIND_SERVICE  *)
(* and CAP_NET_RAW permitted and effective capabilities are relinquished. If    *)
(* the program is running setuid root, then it reverts to the actual user; if   *)
(* it is running as root it assumes group and user IDs as given by the          *)
(* ownership of the executable, or ID 65534 as ultimate fallback ("nobody" in   *)
(* recent Debian releases).                                     MarkMLl.        *)

Martin might have comments on alternative debuggers etc.

HTH, MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories
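An added illustration of the "relinquish as many privileges as possible" step the reply above describes, written here in C rather than taken from MarkMLl's Pascal program or from any project: it uses the raw capget(2)/capset(2) syscalls (so no libcap link is needed) to clear CAP_NET_RAW and CAP_NET_ADMIN, the two capabilities the original question grants with setcap, from the thread's permitted, effective and inheritable sets once the privileged work is done, and then checks that they are really gone. It assumes a Linux host; the AF_PACKET socket attempt in main only shows the before/after behaviour and, when the binary carries no file capabilities and is not run as root, simply fails with EPERM both times.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <arpa/inet.h>
#include <linux/capability.h>
#include <linux/if_ether.h>

/* Capability numbers index a 64-bit set that the v3 ABI stores as two u32 words. */
static int cap_word(int cap) { return cap >> 5; }
static unsigned cap_mask(int cap) { return 1u << (cap & 31); }

/* Returns 1 if `cap` is in the calling thread's effective set, 0 if not, -1 on error. */
int cap_is_effective(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 }; /* pid 0 = self */
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    return (data[cap_word(cap)].effective & cap_mask(cap)) ? 1 : 0;
}

/* Clears each listed capability from the permitted, effective and inheritable sets.
 * Shrinking the sets never needs privilege, so this works whether or not the binary
 * carried file capabilities; once permitted is cleared the capability cannot be regained
 * short of a new execve of a privileged file. */
int drop_caps(const int *caps, size_t n) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    for (size_t i = 0; i < n; i++) {
        int w = cap_word(caps[i]);
        unsigned m = cap_mask(caps[i]);
        data[w].effective   &= ~m;
        data[w].permitted   &= ~m;
        data[w].inheritable &= ~m;
    }
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* The two capabilities granted by the setcap line in the original question. */
int drop_net_caps(void) {
    const int caps[] = { CAP_NET_RAW, CAP_NET_ADMIN };
    return drop_caps(caps, sizeof caps / sizeof caps[0]);
}

/* The privileged step a pcap-style sniffer performs: opening a raw packet socket.
 * Returns 0 on success or -errno (EPERM without CAP_NET_RAW). */
int try_raw_socket(void) {
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -errno;
    close(fd);
    return 0;
}

int main(void) {
    int rc = try_raw_socket();
    printf("before drop: CAP_NET_RAW effective=%d, raw socket: %s\n",
           cap_is_effective(CAP_NET_RAW), rc == 0 ? "ok" : strerror(-rc));
    if (drop_net_caps() != 0) { perror("capset"); return 1; }
    rc = try_raw_socket();
    printf("after drop:  CAP_NET_RAW effective=%d, raw socket: %s\n",
           cap_is_effective(CAP_NET_RAW), rc == 0 ? "ok" : strerror(-rc));
    return 0;
}
```

Two points worth keeping in mind when adapting this: capset(2) acts on the calling thread only, so the drop has to happen before any worker threads are started, and for a setuid-root build the comment block above does the additional step of switching to the real user, which this example leaves out. Run as an ordinary user after the setcap line from the question, the first socket call succeeds and the second reports EPERM, which is the check that the privilege was actually surrendered.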
