Comments (5)
Good one! This is already possible by compiling with NEEDROOT=0, but doing this by default and documenting it seems like a good idea.
We do have to make sure we give nice error messages for the case where someone runs nethogs without having this capability set.
I'm not sure we should recommend giving the capability to the binary or to the user: giving it to the binary might open potential security holes.
from nethogs.
Thanks for your reply!
Here is a patch that tests capabilities and provides error messages in the NEEDROOT=0 case: #72
In terms of security, yes it's something to be careful about. I found this writeup good https://forums.grsecurity.net/viewtopic.php?f=7&t=2522&sid=c6fbcf62fd5d3472562540a7e608ce4e#p10271
the relevant part:
CAP_NET_ADMIN: generic: among other things, allows administration of the firewall, which can redirect packets destined for the system's network services to trojaned services with the intent to steal credentials or exploit the client. Kernels between August 2009 and March 2011 also allowed a user with CAP_NET_ADMIN to load any module in the normal search paths (ex: ifconfig xfs loads the xfs module if present), increasing the kernel's attack surface greatly.
CAP_NET_RAW: generic: can sniff and redirect any local network service to a trojan, similar to the CAP_NET_ADMIN attack (thanks to the commenter below)
So if the program was exploited it could do some damage, but it is safer to run it that way than to run it as root.
Perhaps the optimal setup would be to make it only executable by a certain group (then root can assign users to that group) similar to how wireshark is set up.
Anyway, whatever you feel is best! Looking forward to hearing what your thoughts are on this.
from nethogs.
Fixed in #72!
from nethogs.
Is it working for you, guys? I've compiled the latest version from master, did cd src; sudo setcap cap_net_raw,cap_net_admin=eip ./nethogs, ran ./nethogs. Interface appeared, but there is only one line, root unknown TCP, and the UI is not changing. Any hints on what I'm doing wrong?
EDIT: it works if I run it with sudo, though.
from nethogs.
That is very strange because you do everything right and it should work, but it isn't working.
It sounds like the capability check is passing too, which is even weirder. I'm sorry but I don't know how to debug that or what might be wrong.
from nethogs.
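One way to see which of the two capabilities granted with setcap in this thread a process actually holds, as an added example that is not part of the thread or the nethogs source. It decodes the CapEff line of /proc/self/status; the function names are illustrative, and the bit numbers are those of CAP_NET_ADMIN and CAP_NET_RAW in linux/capability.h.

```cpp
// Added example, not nethogs code: list the capabilities from this thread
// that are missing from a process's effective set.
#include <cstdint>
#include <fstream>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Bit numbers from <linux/capability.h>.
constexpr int kCapNetAdmin = 12;
constexpr int kCapNetRaw = 13;

// Parse the hex CapEff mask out of /proc/<pid>/status text.
// Returns false when the line is absent or not hexadecimal.
bool parse_cap_eff(const std::string &status_text, uint64_t &mask) {
  std::istringstream in(status_text);
  std::string line;
  while (std::getline(in, line)) {
    if (line.rfind("CapEff:", 0) != 0) continue;  // not the CapEff line
    try {
      mask = std::stoull(line.substr(7), nullptr, 16);
      return true;
    } catch (const std::exception &) {
      return false;
    }
  }
  return false;
}

// Names of the required capabilities that are not set in mask.
std::vector<std::string> missing_caps(uint64_t mask) {
  std::vector<std::string> missing;
  if (!(mask & (1ULL << kCapNetAdmin))) missing.push_back("cap_net_admin");
  if (!(mask & (1ULL << kCapNetRaw))) missing.push_back("cap_net_raw");
  return missing;
}

int main() {
  std::ifstream f("/proc/self/status");
  std::stringstream buf;
  buf << f.rdbuf();
  uint64_t mask = 0;
  if (!parse_cap_eff(buf.str(), mask)) return 2;  // no CapEff line found
  for (const auto &c : missing_caps(mask))
    std::cerr << "missing capability: " << c << "\n";
  return missing_caps(mask).empty() ? 0 : 1;
}
```

Exit status 0 means both capabilities are in the effective set, 1 means at least one is missing (each is named on stderr), and 2 means no CapEff line could be read.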