Comments (5)

raboof commented on August 14, 2024

Good one! This is already possible by compiling with NEEDROOT=0, but doing this by default and documenting it seems like a good idea.

We do have to make sure we give nice error messages for the case where someone runs nethogs without having this capability set.

I'm not sure we should recommend giving the capability to the binary or to the user: giving it to the binary might open potential security holes.

from nethogs.

rain-1 commented on August 14, 2024

Thanks for your reply!

Here is a patch that tests capabilities and provides error messages in the NEEDROOT=0 case: #72

In terms of security, yes it's something to be careful about. I found this writeup good https://forums.grsecurity.net/viewtopic.php?f=7&t=2522&sid=c6fbcf62fd5d3472562540a7e608ce4e#p10271

The relevant part:

CAP_NET_ADMIN: generic: among other things, allows administration of the firewall, which can redirect packets destined for the system's network services to trojaned services with the intent to steal credentials or exploit the client. Kernels between August 2009 and March 2011 also allowed a user with CAP_NET_ADMIN to load any module in the normal search paths (ex: ifconfig xfs loads the xfs module if present), increasing the kernel's attack surface greatly.
CAP_NET_RAW: generic: can sniff and redirect any local network service to a trojan, similar to the CAP_NET_ADMIN attack (thanks to the commenter below)

So if the program was exploited it could do some damage, but it is safer to run it that way than to run it as root.

Perhaps the optimal setup would be to make it only executable by a certain group (then root can assign users to that group) similar to how wireshark is set up.

Anyway, whatever you feel is best! Looking forward to hearing what your thoughts are on this.


raboof commented on August 14, 2024

Fixed in #72!


balta2ar commented on August 14, 2024

Is it working for you, guys? I've compiled the latest version from master, did cd src; sudo setcap cap_net_raw,cap_net_admin=eip ./nethogs, ran ./nethogs. The interface appeared, but there is only one line root unknown TCP and the UI is not changing. Any hints on what I'm doing wrong?

EDIT: it works if I run it with sudo, though.


rain-1 commented on August 14, 2024

That is very strange because you do everything right and it should work but doesn't.

It sounds like the capability check is passing too, which is even weirder. I'm sorry but I don't know how to debug that or what might be wrong.

from nethogs.
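
An added example, not part of the thread and not the check from #72: one way to test for the two capabilities discussed above and print a specific error for each missing one, by reading the CapEff mask from /proc/self/status rather than using libcap. The function and macro names are hypothetical; 12 and 13 are the bit numbers of CAP_NET_ADMIN and CAP_NET_RAW in linux/capability.h.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Bit numbers of the two capabilities, as defined in <linux/capability.h>. */
#define CAP_NET_ADMIN_BIT 12
#define CAP_NET_RAW_BIT   13
#define MISSING_NET_ADMIN 1   /* hypothetical result flags for this example */
#define MISSING_NET_RAW   2

/* Find the "CapEff:" line in /proc/<pid>/status text and parse its hex mask.
   Returns 0 on success, -1 if the line is absent. */
int parse_cap_eff(const char *status, unsigned long long *mask)
{
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            *mask = strtoull(line + 7, NULL, 16);
            return 0;
        }
        line = strchr(line, '\n');   /* advance to the start of the next line */
        if (line) line++;
    }
    return -1;
}

/* Return flags for whichever of the two capabilities is not in the mask. */
int missing_net_caps(unsigned long long mask)
{
    int missing = 0;
    if (!(mask & (1ULL << CAP_NET_ADMIN_BIT))) missing |= MISSING_NET_ADMIN;
    if (!(mask & (1ULL << CAP_NET_RAW_BIT)))   missing |= MISSING_NET_RAW;
    return missing;
}

int main(void)
{
    char buf[8192] = {0};
    unsigned long long mask = 0;
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    if (n == 0 || parse_cap_eff(buf, &mask) != 0) {
        fprintf(stderr, "cannot read CapEff from /proc/self/status\n");
        return 2;
    }
    int missing = missing_net_caps(mask);
    if (missing & MISSING_NET_ADMIN) fprintf(stderr, "missing cap_net_admin\n");
    if (missing & MISSING_NET_RAW)   fprintf(stderr, "missing cap_net_raw\n");
    if (missing) fprintf(stderr, "run as root, or: sudo setcap cap_net_raw,cap_net_admin=eip ./nethogs\n");
    return missing ? 1 : 0;
}
```

The check covers only the effective set of the calling process, so a zero exit status means both bits are present at the moment of the call, nothing more.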
