Open Source Program I have been working on lately on github and source forge.

[Gustavo 'Gus' Carreno]

Hey Y'all,

Finally got around to implement the Ping and trace Route tabs: Test IP Scanner latest release.

Under Linux you do have to run it using sudo for bot the Ping and Trace Route tabs to actually work.

Since I don't have access to a Windows machine, nor a macOS machine, I would greatly appreciate that people would test the binaries on the release section in order to see how one can get around the issue of raw sockets needing higher privilege.

Cheers,
Gus

[Gustavo 'Gus' Carreno]

Hey Y'All,

Here for another status update ( v0.3.5 ):

• The Thread Pool and the Thread Workers for the port scan are now working as they should.
• The Thread Worker, upon status report, now triggers the addition of child elements of the IP entry with the port scan result.
• Still need to implement the actual port scan code.

You can have a go on the executable binaries on the Test IP Scanner latest release.

Cheers,
Gus

[dbannon]

Gus while I have not done any testing yet, on the Mac version, you need to ship a something.app directory full of stuff rather than just the binary.

Davo

[Gustavo 'Gus' Carreno]

Hey Davo,

Gus while I have not done any testing yet, on the Mac version, you need to ship a something.app directory full of stuff rather than just the binary.

I always suspect that but never had the confirmation.

I think there's an option on Lazarus to include the mac bundle...
I should dig a bit more into that...

Nonetheless, many thanks Davo!!

Cheers,
Gus

[dbannon]

Gus, I am guessing you don't want to go the full bells and whistles package idea ?

In that case, I would just grab the directory, TestIPScanner.app that was probably made by Lazarus when you compiled the Mac binary. Down in there, Contents->MacOS is a symlink up to the TestIPScanner binary. Trash the symlink, replace it with the binary and tar up the TestIPScanner.app directory. Distribute that.

A Mac user (or at least the ones using a tool like this) will know to do something like -

$> open ./TestIPScanner.app <enter>

And the app will open. If you try and run a GUI app without the .app directory nonsense, the main menu and mouse don't work.

Davo

[Gustavo 'Gus' Carreno]

Hey Davo,

Gus, I am guessing you don't want to go the full bells and whistles package idea ?

I actually would, if some good soul would hold my hand and teach me how to do it under a GitHub runner with actions!!
Do you have such knowledge?
This would greatly improve the abilities of my CI/CD on GitHub related to macOS!

In that case, I would just grab the directory, TestIPScanner.app that was probably made by Lazarus when you compiled the Mac binary. Down in there, Contents->MacOS is a symlink up to the TestIPScanner binary. Trash the symlink, replace it with the binary and tar up the TestIPScanner.app directory. Distribute that.

A Mac user (or at least the ones using a tool like this) will know to do something like -

$> open ./TestIPScanner.app <enter>

And the app will open. If you try and run a GUI app without the .app directory nonsense, the main menu and mouse don't work.

Could you be a bit more specific, please?

This completely goes over my head in this present format.

Cheers,
Gus

[Gustavo 'Gus' Carreno]

Hey Davo,

Ok, I got to the point where I generated the Application Bundle and I understand the Content/MacOS symlink situation.

But I now have 2 questions:

• Do I need to fill the field NSPricipalClass on the macOS section of the Project Options->Application?
• I drop all my binaries on a bin folder from the root folder of the repository, so what is the best place for the executable binary itself in relation to the place of the application bundle folder?

Many, MANY thanks for all your help!!

Cheers,
Gus

[WayneSherman]

...on Linux/POSIX the ethernet layer is available only for root due to security considerations, unless you set the CAP_NET_RAW capability for the executable.

More info here:
https://stackoverflow.com/questions/37512291/how-is-ping-for-non-root-user-implemented-on-linux-distros
https://security.stackexchange.com/questions/263250/why-is-ping-special-why-do-unprivileged-pings-have-to-be-enabled

[Gustavo 'Gus' Carreno]

Hey Y'all,

...on Linux/POSIX the ethernet layer is available only for root due to security considerations, unless you set the CAP_NET_RAW capability for the executable.

More info here:
https://stackoverflow.com/questions/37512291/how-is-ping-for-non-root-user-implemented-on-linux-distros
https://security.stackexchange.com/questions/263250/why-is-ping-special-why-do-unprivileged-pings-have-to-be-enabled

Also found this on how to set capabilities: https://unix.stackexchange.com/questions/389879/how-to-set-capabilities-with-setcap-command

I'm having a go at it right now.

I don't think I understand it...

I have the file chown by root and the getcap command tells me it has the capability, but still no luck:

Code: [Select]

$ sudo getcap bin/TestIPScanner
bin/TestIPScanner cap_net_raw=ep
$ ll bin/TestIPScanner
.rwxrwxr-x root root 8.0 MB Fri Dec 22 13:04:26 2023 bin/TestIPScanner
Needs further investigation...

Cheers,
Gus

[WayneSherman]

I have the file chown by root and the getcap command tells me it has the capability, but still no luck:

Code: [Select]

$ sudo getcap bin/TestIPScanner
bin/TestIPScanner cap_net_raw=ep
$ ll bin/TestIPScanner
.rwxrwxr-x root root 8.0 MB Fri Dec 22 13:04:26 2023 bin/TestIPScanner

Is your executable file located on a filesystem mounted with nosuid?

Some reports say this will prevent cap_net_raw capability from working:
https://stackoverflow.com/questions/29099797/raw-capture-capabilities-cap-net-raw-cap-net-admin-not-working-outside-usr-b

https://unix.stackexchange.com/questions/699561/program-cannot-acquire-the-capabilities-it-needs-raw-sockets
"The problem seemed to be that /home is mounted with nosuid option and I was building & running from a git checkout that resides in my home directory."

[Gustavo 'Gus' Carreno]

Hey WayneSherman,

Is your executable file located on a filesystem mounted with nosuid?

Some reports say this will prevent cap_net_raw capability from working:
https://stackoverflow.com/questions/29099797/raw-capture-capabilities-cap-net-raw-cap-net-admin-not-working-outside-usr-b

https://unix.stackexchange.com/questions/699561/program-cannot-acquire-the-capabilities-it-needs-raw-sockets
"The problem seemed to be that /home is mounted with nosuid option and I was building & running from a git checkout that resides in my home directory."

AH HA, Yes, that makes a ton of sense. And yes, I was running the program from inside my $HOME folder, so I guess that kinda defeats the purpose 

Now, the question is: Does it need to be chown'ed by root, or any user will do as long as it has the capabilities bits set?

In any case, many thanks for drilling down this issue!!! Much, MUCH  appreciated!!! 🫂
This also means that I now need to add a bunch of stuff to the README.md file in order for people to understand how this works

EDIT
I'm giving up for the time being.

• I've moved the binary to /usr/bin/TestIPScanner, same place where ping is.
• I then used the setcap command on it while still under chown of my user: No luck!!
• I then chown root:root and then redid the setcap command: No luck!!

I read somewhere that Ubuntu SUID's ping. Alas, you cannot SUID a GTK app So, now I'm just throwing my hands up...

This is either a problem in the way Synapse processes the socket, or my inability to fully grasp the issue. Most probably the latter!! 

Cheers,
Gus

[dbannon]

• Do I need to fill the field NSPricipalClass on the macOS section of the Project Options->Application?
  

I honestly have no idea !

• I drop all my binaries on a bin folder from the root folder of the repository, so what is the best place for the executable binary itself in relation to the place of the application bundle folder?

Depends on your target user base. I sort of assume this app will attract the more technical Mac user who would understand things like this, so, they would be quite happy with your model. As would Linux users like you and me. But real Mac users expect quite different things. Some reading is indicated ....

I build my Mac packages using this packager tool -
https://github.com/andreyvit/create-dmg

Using this script that uses lazbuild to first make an x86_64 binary, then a arm64 binary, combine them somehow and then package with create-dmg
https://github.com/tomboy-notes/tomboy-ng/blob/master/package/mk_dmg.bash

Honestly, unless you know you have a heap of Mac users, its a lot of trouble. I'd concentrate on Linux and Windows packaging first. Just tar up that .app dir and ship that. A knowledgeable Mac user will manually put that dir in his/her Applications folder and be quite happy. When you next have a heap of time, revisit.

Davo

[Gustavo 'Gus' Carreno]

Hey Davo,

Many thanks for your assist!!

This is proving quite invaluable information and I'll have a good look at your tips to further my macOS packaging Fu!!
Again, cannot thank you enough for your impart of prior knowledge!!!

Cheers,
Gus

[Gustavo 'Gus' Carreno]

Hey Davo,

While helping a friend with GitHub CI/CD for a Flutter app, and after I analysed the contents of the "TheApp.app", I found out that flutter puts the actual binary, not a link to it, on the Contents/MacOS folder, which, to be honest, makes a ton of sense !!!

This way, I only need to drop the binary there, archive the folder, and Bob's your father's brother!!

Cheers,
Gus

[dbannon]

Yep, as I said further up this thread, "Trash the symlink, replace it with the binary and tar up the TestIPScanner.app directory. "

The symlink is a "lazarus-ism" so the binary the compiler builds does not need to be moved during development.

I did just distribute a zip of the .app directory in the early stages of my app. Had just one or two complaints. But I have very few Mac users anyway, I just make the DMG package so I can say its really "Cross Platform".

I have not tested it yet (other than on the Mac ) because my day to day machine still runs U20.04 and it does not like the version of glibc you have used.  ;-(

Need to fire up one of my many VMs.

Davo