[clug] Securing EtherApe with setcap

Bob Edwards bob at cs.anu.edu.au
Tue Oct 11 07:11:24 UTC 2016


On 11/10/16 17:31, Bryan Kilgallin (PC) wrote:
> I recently installed EtherApe.
> http://etherape.sourceforge.net/
>
> {EtherApe requires root privileges to capture packets (but not to replay
> captured files). As such, there can be risks to the machine(s) running
> EtherApe when connected to the internet.}
> https://en.wikipedia.org/wiki/EtherApe#Security
>
> Please would someone explain the security procedure below. How can I set
> that to always/automatically be the case?
>
> {It doesn't need to run as root, it just needs to be able to perform
> some network-related tasks that exceed the usual user permissions. Just
> use the linux capabilities to only confer these permissions without
> giving superuser rights:
>
> sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/etherape}
> http://serverfault.com/questions/538879/how-secure-its-to-run-the-etherape-as-root
>

According to "man setcap" and https://linux.die.net/man/3/cap_from_text,
this command is a file-system operation, and, as such, is "permanent"
(i.e. doesn't need to be repeated, unless undone by a subsequent setcap).

You are essentially telling the system that the /usr/bin/etherape
executable, when invoked by anyone, will run with the NET_RAW and
NET_ADMIN capabilities, for Effective, Inheritable and Permitted sets.

So, anyone logged into your system who runs etherape will be able to
see (and send) raw packets, as well as being able to fiddle with the
settings of interfaces etc.

Note that if you have e.g. a web server running on the same machine, it
also will be able to read raw packets etc. - not necessarily something
you would want.

"setcap" needs to be run by "root", which is what the "sudo" bit does.

Note that the invocation of this command does not include the closing
'}'...

cheers,

Bob Edwards.
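As an added illustration (not part of Bob's or Bryan's mail), a small POSIX sh snippet that checks what file capabilities a system has actually granted, since setcap is permanent, and narrows who may invoke a capability-bearing binary from "anyone logged in" to a dedicated group. It assumes libcap's getcap and the shadow-utils groupadd are installed; the group name "pcap" is an arbitrary choice.

```sh
#!/bin/sh
# Added example, not code from the list post. Audits file capabilities
# (which setcap stores permanently on the file) and restricts access.

# flag_net_caps LINE: given one line of `getcap` output, print the path
# and return 0 if the file carries cap_net_raw or cap_net_admin, else 1.
# Handles both output styles libcap has used:
#   "/usr/bin/etherape cap_net_admin,cap_net_raw=eip"  (newer libcap)
#   "/usr/bin/etherape = cap_net_admin,cap_net_raw+eip" (older libcap)
flag_net_caps() {
    line=$1
    path=${line%% *}            # path is everything before the first space
    case "$line" in
        *cap_net_raw*|*cap_net_admin*)
            printf '%s\n' "$path"
            return 0 ;;
    esac
    return 1
}

# audit_net_caps: walk the whole filesystem and list every binary that
# any local user could run to read or inject raw packets.
audit_net_caps() {
    getcap -r / 2>/dev/null | while IFS= read -r line; do
        flag_net_caps "$line"
    done
}

# restrict_to_group BIN GROUP: keep the capabilities on BIN but make it
# executable only by root and members of GROUP (run as root).
restrict_to_group() {
    bin=$1
    grp=$2
    groupadd -f "$grp"          # -f: succeed if the group already exists
    chgrp "$grp" "$bin"
    chmod 0750 "$bin"           # rwxr-x---: others cannot execute it
}
```

Running `audit_net_caps` after the setcap command from the thread should show /usr/bin/etherape among the results; `restrict_to_group /usr/bin/etherape pcap` then limits who can use those capabilities.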
