[RndTbl] latest kernel needs setcap even as root??

Trevor Cordes trevor at tecnopolis.ca
Tue Nov 29 03:49:39 CST 2016


Just upgraded a few boxes to kernel 4.8.8-100.fc23.  It seems this latest 
kernel (or maybe 1 or 2 versions going back 1-2 months) changed something.

I have a script that generates pings (using SOCK_RAW to make its own 
packets) that I run as root.  Worked fine until now.  In the new kernel I 
get "Operation not permitted" on the socket() call.  Digging around the 
net, I found that I need to do:

setcap cap_net_raw+p /foo/myscript

Then when I run it, it works fine.

Ok, great, but *** I'm running the script as root ***!!!  Huh?  Since when 
did root need to specify capabilities to run stuff as root?  What is this, 
Windows?

Is there some major paradigm change in the latest kernels where this is a 
"feature" and not a bug?  Just wanted to do a sanity check before I file a 
bz.

Oh ya, selinux is disabled, so that's not the problem.  Lots of chatter on 
the net about this problem but everyone talking about it is talking about 
the non-root use case.  It would appear my issue is something brand new.

Aside: As for the script, I'm doing really wacky stuff on purpose, and I 
really needed direct control over the packet, so I can't just abandon 
SOCK_RAW.
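As an added diagnostic example (not the author's ping script), the Python below makes the same raw socket() call the post describes and decodes the process's capability masks from /proc/self/status, so you can see whether CAP_NET_RAW is in the permitted and effective sets when the call fails with EPERM. It assumes Linux and the CAP_NET_RAW bit number 13 from linux/capability.h; the sample status text is constructed.

```python
import errno
import os
import socket

CAP_NET_RAW = 13  # bit index of CAP_NET_RAW in the kernel's capability masks

# Constructed sample of the Cap* lines from /proc/<pid>/status: CAP_NET_RAW is
# permitted (bit 13, as after "setcap cap_net_raw+p") but not effective.
SAMPLE_STATUS = (
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000002000\n"
    "CapEff:\t0000000000000000\n"
)

def parse_cap_sets(status_text):
    """Return {'CapPrm': int, 'CapEff': int, ...} parsed from status text."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            name, value = line.split(":", 1)
            caps[name] = int(value.strip(), 16)
    return caps

def has_cap(cap_mask, cap_bit):
    """True if capability bit cap_bit is set in the integer mask cap_mask."""
    return (cap_mask >> cap_bit) & 1 == 1

def try_raw_socket():
    """Make the socket() call a raw-socket pinger makes and classify the result."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    except OSError as e:
        return "eperm" if e.errno == errno.EPERM else "other"
    s.close()
    return "ok"

def diagnose(status_text=None):
    """Report uid, CAP_NET_RAW in permitted/effective sets, and socket outcome."""
    if status_text is None:  # default: inspect the running process itself
        with open("/proc/self/status") as f:
            status_text = f.read()
    caps = parse_cap_sets(status_text)
    return {
        "uid": os.getuid(),
        "raw_socket": try_raw_socket(),
        "cap_net_raw_permitted": has_cap(caps.get("CapPrm", 0), CAP_NET_RAW),
        "cap_net_raw_effective": has_cap(caps.get("CapEff", 0), CAP_NET_RAW),
    }
```

Call `diagnose()` from the process that gets "Operation not permitted"; a uid of 0 with `cap_net_raw_effective` False is the combination the post describes.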

