스크립트(루비)가 있습니다.
require 'ffi/pcap'
pcap = FFI::PCap::Live.new(:dev => "wlan0", :timeout => 1)
pcap.loop() do |this,pkt|
puts pkt.body
end
스크립트를 실행하려고 하면 다음 오류가 발생합니다.
pcap_open_live(): wlan0: 이 장치에서 캡처할 권한이 없습니다(소켓: 작업이 허용되지 않음) (FFI::PCap::LibError)
Mac OS에서 이 코드를 실행하면 모든 것이 잘 작동합니다.
나는 시도했다:
sudo setcap cap_net_raw,cap_net_admin=eip ~/.rbenv/shims/ruby
sudo setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap
하지만 여전히 이 문제가 있습니다.
루트 없이 이 코드를 실행할 수 있나요? 사용자에게 스크립트를 통해 네트워크 장치를 사용할 수 있는 기능을 부여하시겠습니까?
답변1
예, 가능합니다. 하지만 먼저 루트 액세스 권한이 필요합니다. Linux 2.2부터 루트 권한을 분할하는 기능이 있습니다. 목록에서 다음을 사용할 수 있습니다.
setcap cap_net_raw,cap_net_admin=eip xxxx
xxxx는 실행 가능한 프로그램이므로 libpcap을 직접 호출할 수 있습니다.
기능 목록 다음 목록은 Linux에 구현된 기능과 각 기능이 허용하는 작업 또는 동작을 보여줍니다.
CAP_AUDIT_CONTROL (since Linux 2.6.11)
Enable and disable kernel auditing; change auditing filter
rules; retrieve auditing status and filtering rules.
CAP_AUDIT_READ (since Linux 3.16)
Allow reading the audit log via a multicast netlink socket.
CAP_AUDIT_WRITE (since Linux 2.6.11)
Write records to kernel auditing log.
CAP_BLOCK_SUSPEND (since Linux 3.5)
Employ features that can block system suspend (epoll(7)
EPOLLWAKEUP, /proc/sys/wake_lock).
CAP_CHOWN
Make arbitrary changes to file UIDs and GIDs (see chown(2)).
CAP_DAC_OVERRIDE
Bypass file read, write, and execute permission checks. (DAC
is an abbreviation of "discretionary access control".)
CAP_DAC_READ_SEARCH
* Bypass file read permission checks and directory read and
execute permission checks;
* invoke open_by_handle_at(2);
* use the linkat(2) AT_EMPTY_PATH flag to create a link to a
file referred to by a file descriptor.
CAP_FOWNER
* Bypass permission checks on operations that normally require
the filesystem UID of the process to match the UID of the
file (e.g., chmod(2), utime(2)), excluding those operations
covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH;
* set inode flags (see ioctl_iflags(2)) on arbitrary files;
* set Access Control Lists (ACLs) on arbitrary files;
* ignore directory sticky bit on file deletion;
* specify O_NOATIME for arbitrary files in open(2) and
fcntl(2).
CAP_FSETID
* Don't clear set-user-ID and set-group-ID mode bits when a
file is modified;
* set the set-group-ID bit for a file whose GID does not match
the filesystem or any of the supplementary GIDs of the
calling process.
CAP_IPC_LOCK
Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).
CAP_IPC_OWNER
Bypass permission checks for operations on System V IPC
objects.
CAP_KILL
Bypass permission checks for sending signals (see kill(2)).
This includes use of the ioctl(2) KDSIGACCEPT operation.
CAP_LEASE (since Linux 2.4)
Establish leases on arbitrary files (see fcntl(2)).
CAP_LINUX_IMMUTABLE
Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags (see
ioctl_iflags(2)).
CAP_MAC_ADMIN (since Linux 2.6.25)
Allow MAC configuration or state changes. Implemented for the
Smack Linux Security Module (LSM).
CAP_MAC_OVERRIDE (since Linux 2.6.25)
Override Mandatory Access Control (MAC). Implemented for the
Smack LSM.
CAP_MKNOD (since Linux 2.4)
Create special files using mknod(2).
CAP_NET_ADMIN
Perform various network-related operations:
* interface configuration;
* administration of IP firewall, masquerading, and accounting;
* modify routing tables;
* bind to any address for transparent proxying;
* set type-of-service (TOS)
* clear driver statistics;
* set promiscuous mode;
* enabling multicasting;
* use setsockopt(2) to set the following socket options:
SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the
range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
CAP_NET_BIND_SERVICE
Bind a socket to Internet domain privileged ports (port
numbers less than 1024).
CAP_NET_BROADCAST
(Unused) Make socket broadcasts, and listen to multicasts.
CAP_NET_RAW
* Use RAW and PACKET sockets;
* bind to any address for transparent proxying.
CAP_SETGID
* Make arbitrary manipulations of process GIDs and
supplementary GID list;
* forge GID when passing socket credentials via UNIX domain
sockets;
* write a group ID mapping in a user namespace (see
user_namespaces(7)).
CAP_SETFCAP (since Linux 2.6.24)
Set file capabilities.
CAP_SETPCAP
If file capabilities are not supported: grant or remove any
capability in the caller's permitted capability set to or from
any other process. (This property of CAP_SETPCAP is not
available when the kernel is configured to support file
capabilities, since CAP_SETPCAP has entirely different
semantics for such kernels.)
If file capabilities are supported: add any capability from
the calling thread's bounding set to its inheritable set; drop
capabilities from the bounding set (via prctl(2)
PR_CAPBSET_DROP); make changes to the securebits flags.
CAP_SETUID
* Make arbitrary manipulations of process UIDs (setuid(2),
setreuid(2), setresuid(2), setfsuid(2));
* forge UID when passing socket credentials via UNIX domain
sockets;
* write a user ID mapping in a user namespace (see
user_namespaces(7)).
CAP_SYS_ADMIN
Note: this capability is overloaded; see Notes to kernel
developers, below.
* Perform a range of system administration operations
including: quotactl(2), mount(2), umount(2), swapon(2),
setdomainname(2);
* perform privileged syslog(2) operations (since Linux 2.6.37,
CAP_SYSLOG should be used to permit such operations);
* perform VM86_REQUEST_IRQ vm86(2) command;
* perform IPC_SET and IPC_RMID operations on arbitrary System
V IPC objects;
* override RLIMIT_NPROC resource limit;
* perform operations on trusted and security Extended
Attributes (see xattr(7));
* use lookup_dcookie(2);
* use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before
Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes;
* forge PID when passing socket credentials via UNIX domain
sockets;
* exceed /proc/sys/fs/file-max, the system-wide limit on the
number of open files, in system calls that open files (e.g.,
accept(2), execve(2), open(2), pipe(2));
* employ CLONE_* flags that create new namespaces with
clone(2) and unshare(2) (but, since Linux 3.8, creating user
namespaces does not require any capability);
* call perf_event_open(2);
* access privileged perf event information;
* call setns(2) (requires CAP_SYS_ADMIN in the target
namespace);
* call fanotify_init(2);
* call bpf(2);
* perform privileged KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2)
operations;
* use ptrace(2) PTRACE_SECCOMP_GET_FILTER to dump a tracees
seccomp filters;
* perform madvise(2) MADV_HWPOISON operation;
* employ the TIOCSTI ioctl(2) to insert characters into the
input queue of a terminal other than the caller's
controlling terminal;
* employ the obsolete nfsservctl(2) system call;
* employ the obsolete bdflush(2) system call;
* perform various privileged block-device ioctl(2) operations;
* perform various privileged filesystem ioctl(2) operations;
* perform privileged ioctl(2) operations on the /dev/random
device (see random(4));
* install a seccomp(2) filter without first having to set the
no_new_privs thread attribute;
* modify allow/deny rules for device control groups;
* employ the ptrace(2) PTRACE_SECCOMP_GET_FILTER operation to
dump tracee's seccomp filters;
* employ the ptrace(2) PTRACE_SETOPTIONS operation to suspend
the tracee's seccomp protections (i.e., the
PTRACE_O_SUSPEND_SECCOMP flag).
* perform administrative operations on many device drivers.
CAP_SYS_BOOT
Use reboot(2) and kexec_load(2).
CAP_SYS_CHROOT
Use chroot(2).
CAP_SYS_MODULE
* Load and unload kernel modules (see init_module(2) and
delete_module(2));
* in kernels before 2.6.25: drop capabilities from the system-
wide capability bounding set.
CAP_SYS_NICE
* Raise process nice value (nice(2), setpriority(2)) and
change the nice value for arbitrary processes;
* set real-time scheduling policies for calling process, and
set scheduling policies and priorities for arbitrary
processes (sched_setscheduler(2), sched_setparam(2),
shed_setattr(2));
* set CPU affinity for arbitrary processes
(sched_setaffinity(2));
* set I/O scheduling class and priority for arbitrary
processes (ioprio_set(2));
* apply migrate_pages(2) to arbitrary processes and allow
processes to be migrated to arbitrary nodes;
* apply move_pages(2) to arbitrary processes;
* use the MPOL_MF_MOVE_ALL flag with mbind(2) and
move_pages(2).
CAP_SYS_PACCT
Use acct(2).
CAP_SYS_PTRACE
* Trace arbitrary processes using ptrace(2);
* apply get_robust_list(2) to arbitrary processes;
* transfer data to or from the memory of arbitrary processes
using process_vm_writev(2);
* inspect processes using kcmp(2).
CAP_SYS_RAWIO
* Perform I/O port operations (iopl(2) and ioperm(2));
* access /proc/kcore;
* employ the FIBMAP ioctl(2) operation;
* open devices for accessing x86 model-specific registers
(MSRs, see msr(4));
* update /proc/sys/vm/mmap_min_addr;
* create memory mappings at addresses below the value
specified by /proc/sys/vm/mmap_min_addr;
* map files in /proc/bus/pci;
* open /dev/mem and /dev/kmem;
* perform various SCSI device commands;
* perform certain operations on hpsa(4) and cciss(4) devices;
* perform a range of device-specific operations on other
devices.
CAP_SYS_RESOURCE
* Use reserved space on ext2 filesystems;
* make ioctl(2) calls controlling ext3 journaling;
* override disk quota limits;
* increase resource limits (see setrlimit(2));
* override RLIMIT_NPROC resource limit;
* override maximum number of consoles on console allocation;
* override maximum number of keymaps;
* allow more than 64hz interrupts from the real-time clock;
* raise msg_qbytes limit for a System V message queue above
the limit in /proc/sys/kernel/msgmnb (see msgop(2) and
msgctl(2));
* allow the RLIMIT_NOFILE resource limit on the number of "in-
flight" file descriptors to be bypassed when passing file
descriptors to another process via a UNIX domain socket (see
unix(7));
* override the /proc/sys/fs/pipe-size-max limit when setting
the capacity of a pipe using the F_SETPIPE_SZ fcntl(2)
command.
* use F_SETPIPE_SZ to increase the capacity of a pipe above
the limit specified by /proc/sys/fs/pipe-max-size;
* override /proc/sys/fs/mqueue/queues_max limit when creating
POSIX message queues (see mq_overview(7));
* employ the prctl(2) PR_SET_MM operation;
* set /proc/[pid]/oom_score_adj to a value lower than the
value last set by a process with CAP_SYS_RESOURCE.
CAP_SYS_TIME
Set system clock (settimeofday(2), stime(2), adjtimex(2)); set
real-time (hardware) clock.
CAP_SYS_TTY_CONFIG
Use vhangup(2); employ various privileged ioctl(2) operations
on virtual terminals.
CAP_SYSLOG (since Linux 2.6.37)
* Perform privileged syslog(2) operations. See syslog(2) for
information on which operations require privilege.
* View kernel addresses exposed via /proc and other interfaces
when /proc/sys/kernel/kptr_restrict has the value 1. (See
the discussion of the kptr_restrict in proc(5).)
CAP_WAKE_ALARM (since Linux 3.0)
Trigger something that will wake up the system (set
CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).