SIMH & root

From: David Holland <dholland_at_woh.rr.com>
Date: Thu Sep 2 07:26:39 2004

On Thu, 2 Sep 2004, Patrick Finnegan wrote:

<snip>

>
> Under the 2.6 linux kernel, you should be able to use capabilities to
> effect the same result, without opening up the entire "running a
> process as root" bag of worms. Just don't ask me how, as I've never
> used them yet, I just know that they are (should be) there.

Judging by the includes, it looks like there's a CAP_NET_RAW that'll allow a
process to access PACKET sockets. However, as far as I can tell, you
still have to be root to initialize them, and you still end up dropping
your root privileges.

They're also a little Linux specific for SIMH (imho) setuid(), setgid(), and
chroot() exist on most Unix's I know of. (Yes, alegedly capabilities are a
POSIX draft, but cap_init() & friends don't exist on Solaris, nor HPUX)

I suppose the one advantage to capabilities would be that you could retain
your ability to attach/detach network devices once you've dropped your root
privileges.

The one Linux specific bit of code I _DO_ intend to take a stab at is getting
rid of the promiscuous mode requirement. I figure adding a ethernet
address to the mac filter list w/ a promiscuous mode fallback is at least
slightly better.

But FWIW, I'll tidy up this patch and ship it off to Bob Supnik here in a few..

David

>
> Pat
> --
> Purdue University ITAP/RCS --- http://www.itap.purdue.edu/rcs/
> The Computer Refuge --- http://computer-refuge.org
>
Received on Thu Sep 02 2004 - 07:26:39 BST

This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:37:26 BST