Creating a raw socket in Python without root privileges

Time: 2020-12-31 07:37:17

Is it possible to create a raw socket without root privileges? If not, can a script elevate its privileges itself?

I wrote a Python script using a raw socket:

#!/usr/bin/env python

import socket

# PF_PACKET + SOCK_RAW: link-layer socket; 0x0800 is the IPv4 EtherType (ETH_P_IP)
rawSocket = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(0x0800))
print("Worked!")

Running it with root privileges prints Worked!. However, it gives an error when run with normal user privileges.

I want to execute my script as a normal user, and it should create a raw socket without asking for anything. Is it possible?

2 solutions

#1


10  

As you noted, raw sockets require higher privilege than a regular user has. You can circumvent this issue in two ways:

  1. Activating the SUID bit for the file with a command like chmod +s file and setting its owner to root with chown root.root file. This will run your script as root, regardless of the effective user that executed it. Of course this could be dangerous if your script has some flaw.
  2. Setting the CAP_NET_RAW capability on the given file with a command like setcap cap_net_raw+ep file. This will give it only the privileges required to open a raw socket and nothing else.

EDIT:

As pointed out by @Netch, the given solutions will not work with any interpreted language (like Python). You will need some "hack" to make it work. Try googling for "Python SUID", you should find something.

#2


5  

There is not a way for an unprivileged process (Python or otherwise) to elevate its own privileges. It's kind of the cornerstone of having this whole privileged/unprivileged users thinga-ma-jig. In regards to raw sockets, from the manual page raw(7):

Only processes with an effective user ID of 0 or the CAP_NET_RAW capability are allowed to open raw sockets.

User ID of 0 means root. See here for info about raw sockets on Linux.

As pointed out in Faust's answer/comments, you won't be able to directly set the CAP_NET_RAW capability for your Python program, due to it being a script that gets executed by the Python interpreter, but there may be solutions out on the web that can get around this limitation.
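
Added example (not part of the original question or answers): a Python 3 check of the raw(7) rule quoted above, which decodes the capability masks in /proc/<pid>/status to confirm that a process holds CAP_NET_RAW and nothing else, then attempts the question's socket() call. The function names and the sample status text are constructed for illustration; the code assumes Linux.

```python
import os
import socket

CAP_NET_RAW = 13  # bit number from <linux/capability.h>

# Constructed sample of the capability lines in /proc/<pid>/status for a
# process whose only capability is CAP_NET_RAW (1 << 13 == 0x2000).
SAMPLE_STATUS = """\
Name:\tsniffer
CapInh:\t0000000000000000
CapPrm:\t0000000000002000
CapEff:\t0000000000002000
CapBnd:\t000001ffffffffff
"""

def parse_cap_sets(status_text):
    """Return {'CapEff': int, ...} from the text of /proc/<pid>/status."""
    sets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"):
            sets[key] = int(value.strip(), 16)
    return sets

def may_open_raw_socket(euid, cap_eff):
    """The raw(7) rule: effective UID 0, or CAP_NET_RAW in the effective set."""
    return euid == 0 or bool(cap_eff & (1 << CAP_NET_RAW))

def extra_capabilities(cap_eff):
    """Bit numbers set in the effective mask other than CAP_NET_RAW."""
    return [bit for bit in range(64) if (cap_eff >> bit) & 1 and bit != CAP_NET_RAW]

def try_raw_socket():
    """Attempt the question's socket() call; return (ok, error text or None)."""
    try:
        s = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(0x0800))
    except (OSError, AttributeError) as exc:  # no privilege, or not Linux
        return False, str(exc)
    s.close()
    return True, None

if __name__ == "__main__":
    with open("/proc/self/status") as fh:  # Linux only
        eff = parse_cap_sets(fh.read())["CapEff"]
    print("raw(7) rule allows it:", may_open_raw_socket(os.geteuid(), eff))
    print("extra capability bits:", extra_capabilities(eff))
    print("socket() attempt:", try_raw_socket())
```

A non-empty list of extra capability bits means the process holds more than the single privilege the second option in answer #1 is meant to grant.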
