[clug] Securing EtherApe with setcap
Bryan Kilgallin (PC)
bryan at netspeed.com.au
Tue Oct 11 08:24:15 UTC 2016
Dear Bob:
> According to "man setcap" and https://linux.die.net/man/3/cap_from_text,
> this command is a file-system operation, and, as such, is "permanent"
> (ie. doesn't need to be repeated, unless undone by a subsequent setcap).
>
> You are essentially telling the system that the /usr/bin/etherape
> executable, when invoked by anyone, will run with the NET_RAW and
> NET_ADMIN capabilities, for Effective, Inheritable and Permitted sets.
I rebooted my PC and then opened a Terminal window. Next,
"getcap etherape" resulted "etherape = cap_net_admin,cap_net_raw+eip".
> So, anyone logged into your system who runs etherape will be able to
> see (and send) raw packets, as well as being able to fiddle with the
> settings of interfaces etc.
I'd like an intro reference on what might be raw etc. about packets.
Regards,
Bryan.
--
www.netspeed.com.au/bryan/
==========================
More information about the linux
mailing list