[clug] Securing EtherApe with setcap

Bob Edwards bob at cs.anu.edu.au
Wed Oct 12 00:16:04 UTC 2016


On 11/10/16 19:24, Bryan Kilgallin (PC) wrote:
...
> I rebooted my PC and then opened a Terminal window. Next,
> "getcap etherape" resulted "etherape = cap_net_admin,cap_net_raw+eip".

So the capabilities have been set as expected.

...
> I'd like an intro reference on what might be raw etc. about packets.

Essentially, the kernel deals with the lower levels of the network
protocol stack and only delivers the data part of a packet from the
transport layer (UDP, TCP or other) to an application (user-space
program).

As the transport layer is responsible for determining what "port" a
packet belongs to, it keeps network traffic flowing only to the intended
destination program. This significantly improves performance - only
one process gets "woken up" when a packet arrives, instead of all
processes that may be waiting for their own packets.

This is also part of the "security model" that Linux has inherited from
BSD and similar Unices etc. User-space programs are not trusted to see
or generate lower-level protocol packets (essentially, the protocol
headers).

The "raw" interface allows the kernel to deliver network packets from
the data-link layer (layer 2) to user-space programs, if they wish.

Programs running with the NET_RAW capability can request the kernel to
deliver packets from the raw interface. Programs running as "root" get
this capability automatically (unless blocked by SELinux - but that is
an entirely other kettle of fish...).

Programs such as EtherApe need to see the protocol headers, so need to
see the "raw" packets from the data-link layer.

I hope this helps.

Bob Edwards.

>
> Regards,
> Bryan.
>
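Added example, not part of the thread above: a small Linux C program that shows the two halves of what Bob describes, namely whether the running process actually holds CAP_NET_RAW (read from the CapEff line of /proc/self/status; CAP_NET_ADMIN is capability number 12 and CAP_NET_RAW is number 13 in <linux/capability.h>) and whether the kernel will hand it the layer-2 "raw" interface (an AF_PACKET socket). Run it once as an unprivileged user and once after setcap on a copy of the binary, as was done for etherape, and the two outputs line up with getcap. The helper names, the sample CapEff value used in the comments, and the Linux-only assumption are mine.

```c
/* Added example (not from the thread): check whether this process holds
 * CAP_NET_RAW and whether a layer-2 raw socket can actually be opened.
 * Assumes Linux: reads /proc/self/status and uses AF_PACKET. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#ifdef __linux__
#include <linux/if_ether.h>   /* ETH_P_ALL */
#endif

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_NET_ADMIN_BIT 12
#define CAP_NET_RAW_BIT   13

/* Parse a "CapEff:\t00000000a80425fb" line from /proc/<pid>/status
 * (that sample mask is a constructed value for illustration).
 * Returns 0 and stores the hex mask on success, -1 if the line is not CapEff. */
int parse_cap_eff_line(const char *line, unsigned long long *mask)
{
    const char *prefix = "CapEff:";
    if (strncmp(line, prefix, strlen(prefix)) != 0)
        return -1;
    const char *p = line + strlen(prefix);
    while (*p == ' ' || *p == '\t')
        p++;
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return -1;
    *mask = v;
    return 0;
}

/* 1 if capability number `cap` is set in the effective mask, else 0. */
int mask_has_cap(unsigned long long mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Read this process's effective capability set from /proc/self/status.
 * Returns 1 if CAP_NET_RAW is effective, 0 if not, -1 if unreadable. */
int self_has_cap_net_raw(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int result = -1;
    unsigned long long mask;
    while (fgets(line, sizeof line, f)) {
        if (parse_cap_eff_line(line, &mask) == 0) {
            result = mask_has_cap(mask, CAP_NET_RAW_BIT);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Try to open the layer-2 "raw" interface that the kernel guards with
 * CAP_NET_RAW. Returns 1 on success (the socket is closed again at once),
 * 0 on failure with the errno value saved for the caller. */
int try_raw_socket(int *saved_errno)
{
    *saved_errno = 0;
#ifdef __linux__
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    *saved_errno = errno;      /* EPERM when CAP_NET_RAW is missing */
    return 0;
#else
    *saved_errno = ENOSYS;     /* AF_PACKET is Linux-specific */
    return 0;
#endif
}

int main(void)
{
    int has = self_has_cap_net_raw();
    printf("CAP_NET_RAW effective: %s\n",
           has == 1 ? "yes" : has == 0 ? "no" : "unknown (no /proc)");
    int err;
    if (try_raw_socket(&err))
        printf("AF_PACKET raw socket: opened OK\n");
    else
        printf("AF_PACKET raw socket: refused (%s)\n", strerror(err));
    return 0;
}
```

Without the capability the second line reports "Operation not permitted", which is exactly the refusal Bob's "user-space programs are not trusted to see ... the protocol headers" refers to; with `cap_net_raw+eip` set on the binary (or when run as root) it opens. Note that the check reads the effective set, so a file that carries the capability only in the permitted set, or one on a filesystem mounted nosuid, will still show "no".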



