[clug] Securing EtherApe with setcap
Bryan Kilgallin (PC)
bryan at netspeed.com.au
Tue Oct 11 07:44:57 UTC 2016
Thanks, Bob:
>> sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/etherape
The man synopsis says this.
{setcap [-q] [-v] (capabilities|-|-r) filename [ ... capabilitiesN fileN ]}
> According to "man setcap" and https://linux.die.net/man/3/cap_from_text,
> this command is a file-system operation, and, as such, is "permanent"
Etherape Properties (Permissions) says:
* owner root,
- access read & write;
* group root,
- access read-only;
* allow executing file as program.
> (ie. doesn't need to be repeated, unless undone by a subsequent setcap).
So I can close EtherApe and Terminal, and then come back later and
launch EtherApe with sudo. And I no longer need to use setcap?
> You are essentially telling the system that the /usr/bin/etherape
> executable, when invoked by anyone, will run with the NET_RAW and
> NET_ADMIN capabilities, for Effective, Inheritable and Permitted sets.
{CAP_NET_RAW
* use RAW and PACKET sockets;
* bind to any address for transparent proxying.}
{CAP_NET_ADMIN
Perform various network-related operations:
* interface configuration;
* administration of IP firewall, masquerading, and accounting;
* modify routing tables;
* bind to any address for transparent proxying;
* set type-of-service (TOS);
* clear driver statistics;
* set promiscuous mode;
* enabling multicasting;
*}
https://linux.die.net/man/7/capabilities
The latter must be what {+eip} means.
> Note that if you have eg. a web server running on the same machine, it
> also will be able to read raw packets etc. - not necessarily something
> you would want.
Might you suggest an introductory Web explanatory resource, so as, for
example, to better understand what EtherApe reports?
> Note that the invocation of this command does not include the closing
> '}'.
How else might I quote here?
Regards,
Bryan.
--
www.netspeed.com.au/bryan/
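For anyone following the thread who wants to see exactly what the capability text in Bob's command means, here is a small added example (mine, not from the thread or from EtherApe). It parses the syntax accepted by setcap(8) / cap_from_text(3): each clause names one or more capabilities, then one or more action groups, where "+" raises the capability in the listed sets, "-" lowers it, "=" first clears it from all three sets and then raises it in the listed ones, and the letters e, i, p stand for the Effective, Inheritable and Permitted sets. It also splits a line of getcap(8) output (both the older "PATH = caps+flags" and the newer "PATH caps=flags" styles) and reports which capabilities become live for anyone who runs the file, which is the point of Bob's warning about other programs on the same machine. The sample strings are constructed for the example; nothing here reads or changes capabilities on a real file.

```python
"""Parse the capability text syntax used by setcap(8) / cap_from_text(3).

Added example, not from the original mailing-list thread. It models only the
textual format; it does not read or set capabilities on any file.
"""
import re
from typing import Dict, Set, Tuple

# Flag letters in the text syntax and the capability sets they denote.
SET_NAMES = {"e": "effective", "i": "inheritable", "p": "permitted"}

# One clause: a comma-separated list of capability names followed by one or
# more action groups, e.g. "cap_net_raw,cap_net_admin+eip" or "cap_net_raw=p".
CLAUSE_RE = re.compile(r"^([A-Za-z0-9_]+(?:,[A-Za-z0-9_]+)*)((?:[+=-][eipEIP]*)+)$")
ACTION_RE = re.compile(r"([+=-])([eipEIP]*)")
# libcap accepts names such as cap_net_raw (case-insensitive) or a decimal number.
NAME_RE = re.compile(r"^(cap_[a-z0-9_]+|[0-9]+)$")

CapSets = Dict[str, Set[str]]


def parse_cap_text(text: str) -> CapSets:
    """Apply each whitespace-separated clause in order and return the three sets.

    '+' raises the named capabilities in the listed sets, '-' lowers them, and
    '=' first clears them from all three sets and then raises them in the
    listed sets (so a bare '=' simply clears them).
    """
    sets: CapSets = {name: set() for name in SET_NAMES.values()}
    for clause in text.split():
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unparseable clause: {clause!r}")
        caps = [c.lower() for c in m.group(1).split(",")]
        bad = [c for c in caps if not NAME_RE.match(c)]
        if bad:
            raise ValueError(f"not a capability name: {bad}")
        for action, flags in ACTION_RE.findall(m.group(2)):
            targets = [SET_NAMES[f.lower()] for f in flags]
            for cap in caps:
                if action == "=":
                    for s in sets.values():
                        s.discard(cap)
                    for t in targets:
                        sets[t].add(cap)
                elif action == "+":
                    for t in targets:
                        sets[t].add(cap)
                else:  # "-"
                    for t in targets:
                        sets[t].discard(cap)
    return sets


def parse_getcap_line(line: str) -> Tuple[str, CapSets]:
    """Split one line of getcap(8) output into (path, capability sets).

    Handles both output styles libcap has used: the older "PATH = caps+flags"
    and the newer "PATH caps=flags". Paths containing spaces are not handled.
    """
    tokens = line.strip().split()
    if len(tokens) < 2:
        raise ValueError(f"not a getcap line: {line!r}")
    path = tokens[0]
    rest = [t for t in tokens[1:] if t != "="]
    return path, parse_cap_text(" ".join(rest))


def active_for_any_invoker(sets: CapSets) -> Set[str]:
    """Capabilities live in the process's effective set at exec, whoever runs the file.

    A file capability is active immediately only if it is both permitted and
    marked effective. One that is only permitted has to be raised by the
    program itself, and a file-inheritable capability only matters together
    with the caller's own inheritable set.
    """
    return sets["effective"] & sets["permitted"]


if __name__ == "__main__":
    # Constructed sample: the argument from the thread, and a getcap line for it.
    for name, caps in parse_cap_text("CAP_NET_RAW+eip CAP_NET_ADMIN+eip").items():
        print(f"{name:12s} {sorted(caps)}")
    path, sets = parse_getcap_line("/usr/bin/etherape = cap_net_admin,cap_net_raw+eip")
    print(path, "grants to any invoker:", sorted(active_for_any_invoker(sets)))
```

Run it as is to see the three sets for the command in the thread; feeding it the real output of "getcap /usr/bin/etherape" is the quickest way to confirm the setting persisted and to see that the grant applies to every user who can execute the file, not just the one who ran setcap.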