why strace dumpcap fail? #221
On Thu, Aug 25, 2022 at 10:52 AM leveryd ***@***.***> wrote:
> $ ***@***.*** ~]$ strace dumpcap
> ...
> socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)) = -1 EPERM (Operation not permitted)
> non-root user run dumpcap looks good, but run strace dumpcap looks bad. WHY?
As packet(7) says (and the code in net/packet/af_packet.c:packet_create() corroborates), "In order to create a packet socket, a process must have the CAP_NET_RAW capability". This capability is obtained by the dumpcap binary by the means of file capabilities, as "getcap `which dumpcap`" suggests ("/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip"). Since dumpcap is exec'ed by the strace's process (that is forked and already being attached to the tracer one), the additional file permissions are ignored, as documented in capabilities(7): "during the capability transitions described above, file capabilities may be ignored (treated as empty) for the same reasons that the set-user-ID and set-group-ID bits are ignored", execve(2): "[t]he aforementioned transformations of the effective IDs are not performed [...] if any of the following is true: [...] the calling process is being ptraced. [...] The capabilities of the program file (see capabilities(7)) are also ignored if any of the above are true", and corroborated by the code in fs/exec.c:check_unsafe_exec() and security/commoncap.c:cap_bprm_creds_from_file(). It is only natural to expect that one cannot simply elevate privileges for a ptrace'ed process, after all.

As capabilities(7) also notes, "[w]hen attempting to strace(1) binaries that have capabilities (or set-user-ID-root binaries), you may find the -u <username> option useful".
--
Eugene Syromyatnikov
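As an added example (not code from the strace project or from either participant), the following Python script turns the reply's explanation into a check a defender can run on a misbehaving process: it parses the file capabilities that getcap reports for the binary, decodes the CapEff bitmask the kernel exposes in /proc/<pid>/status, and reports whether the process is traced (TracerPid) and which of the file's effective capabilities it is missing. The getcap line and both /proc status excerpts are constructed samples modelled on the thread; the capability bit numbers are those of <linux/capability.h>.

```python
"""Diagnose a capability-granting binary (e.g. dumpcap) that ends up without
CAP_NET_RAW: compare getcap's view of the file with the CapEff mask the
kernel actually gave the process, and note whether the process is ptraced.
"""
import re
import sys

# Capability bit numbers as defined in <linux/capability.h>.
CAP_BITS = {
    "cap_chown": 0, "cap_dac_override": 1, "cap_dac_read_search": 2,
    "cap_fowner": 3, "cap_fsetid": 4, "cap_kill": 5, "cap_setgid": 6,
    "cap_setuid": 7, "cap_setpcap": 8, "cap_linux_immutable": 9,
    "cap_net_bind_service": 10, "cap_net_broadcast": 11, "cap_net_admin": 12,
    "cap_net_raw": 13, "cap_ipc_lock": 14, "cap_ipc_owner": 15,
    "cap_sys_module": 16, "cap_sys_rawio": 17, "cap_sys_chroot": 18,
    "cap_sys_ptrace": 19, "cap_sys_pacct": 20, "cap_sys_admin": 21,
    "cap_sys_boot": 22, "cap_sys_nice": 23, "cap_sys_resource": 24,
    "cap_sys_time": 25, "cap_sys_tty_config": 26, "cap_mknod": 27,
    "cap_lease": 28, "cap_audit_write": 29, "cap_audit_control": 30,
    "cap_setfcap": 31, "cap_mac_override": 32, "cap_mac_admin": 33,
    "cap_syslog": 34, "cap_wake_alarm": 35, "cap_block_suspend": 36,
    "cap_audit_read": 37, "cap_perfmon": 38, "cap_bpf": 39,
    "cap_checkpoint_restore": 40,
}
BIT_NAMES = {bit: name for name, bit in CAP_BITS.items()}


def decode_capmask(hex_mask):
    """Turn a CapXxx hex mask from /proc/<pid>/status into capability names."""
    mask = int(hex_mask, 16)
    return {BIT_NAMES.get(b, f"cap_{b}") for b in range(mask.bit_length())
            if mask >> b & 1}


def parse_proc_status(text):
    """Extract the Cap* masks from /proc/<pid>/status text as name sets."""
    caps = {}
    for line in text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$", line)
        if m:
            caps[m.group(1)] = decode_capmask(m.group(2))
    return caps


def is_traced(text):
    """True if TracerPid in the status text is non-zero (process is ptraced)."""
    m = re.search(r"^TracerPid:\s*(\d+)$", text, re.MULTILINE)
    return bool(m) and int(m.group(1)) != 0


def parse_getcap(line):
    """Parse one getcap line into per-set capability names.

    Handles "path cap_a,cap_b=eip" (newer libcap) and the older
    "path = cap_a,cap_b+eip" form. A single clause per line is assumed
    (a simplification of this example, not a libcap limitation).
    """
    line = line.strip()
    if " = " in line:
        path, clause = line.split(" = ", 1)
    else:
        path, clause = line.rsplit(" ", 1)
    m = re.fullmatch(r"([a-z0-9_,]+)[=+]([eip]*)", clause)
    if not m:
        raise ValueError(f"unrecognised getcap clause: {clause!r}")
    names, flags = set(m.group(1).split(",")), m.group(2)
    return {"path": path, **{f: (names if f in flags else set()) for f in "eip"}}


def diagnose(getcap_line, status_text):
    """Return (traced, missing): whether the process is ptraced and which of
    the file's effective capabilities are absent from the process's CapEff.
    A non-empty 'missing' with traced=True matches the strace case in the
    thread: file capabilities are ignored on execve under ptrace."""
    wanted = parse_getcap(getcap_line)["e"]
    have = parse_proc_status(status_text).get("CapEff", set())
    return is_traced(status_text), wanted - have


# Constructed sample, modelled on the getcap output quoted in the reply.
GETCAP_DUMPCAP = "/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip"

# Constructed /proc/<pid>/status excerpts: dumpcap run directly by uid 1000
# (file caps honoured; 0x3000 = bits 12 and 13) and run under strace
# (file caps ignored, CapEff empty, TracerPid set).
STATUS_NORMAL = "Name:\tdumpcap\nUid:\t1000\t1000\t1000\t1000\n" \
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000003000\n" \
    "CapEff:\t0000000000003000\nCapBnd:\t000001ffffffffff\n"
STATUS_TRACED = "Name:\tdumpcap\nUid:\t1000\t1000\t1000\t1000\n" \
    "TracerPid:\t4242\nCapInh:\t0000000000000000\n" \
    "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n" \
    "CapBnd:\t000001ffffffffff\n"

if __name__ == "__main__":
    for label, status in (("direct", STATUS_NORMAL), ("under strace", STATUS_TRACED)):
        traced, missing = diagnose(GETCAP_DUMPCAP, status)
        print(f"{label}: traced={traced} missing={sorted(missing)}")
    # Optional live check: pass a PID (and a getcap line) to read the real
    # /proc/<pid>/status on a Linux host.
    if len(sys.argv) > 2:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            print("live:", diagnose(sys.argv[2], fh.read()))
```

Run without arguments to see the two constructed cases; with a PID and a getcap line it reads the live /proc entry. The check only reads /proc and getcap output, so it works from the same unprivileged shell that hit the EPERM in the thread.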
non-root user run dumpcap looks good, but run strace dumpcap looks bad. WHY?

dumpcap can be installed by yum install wireshark.