QUEUE target and capabilities

QUEUE target and capabilities

[Nir Tzachar]

Hello.

I am writing an application which uses the QUEUE target, and
encountered a simple problem. My goal is to run the application
without root privileges. That is, start the program under root, call
ipq_create_handle, and then drop privileges.

However, as far as I can tell, I cannot communicate with the netlink
socket of netfilter unless the process has the CAP_NET_ADMIN
capability (I may be wrong, but I am basing this on:
/usr/src/linux/net/netfilter/nfnetlink.c:204:   if
(security_netlink_recv(skb, CAP_NET_ADMIN))
).

So, is there a way to use the QUEUE target _after_ dropping privilages?

thanks.

Re: QUEUE target and capabilities

[Patrick McHardy]

Nir Tzachar wrote:
> Hello.
> 
> I am writing an application which uses the QUEUE target, and
> encountered a simple problem. My goal is to run the application
> without root privileges. That is, start the program under root, call
> ipq_create_handle, and then drop privileges.
> 
> However, as far as I can tell, I cannot communicate with the netlink
> socket of netfilter unless the process has the CAP_NET_ADMIN
> capability (I may be wrong, but I am basing this on:
> /usr/src/linux/net/netfilter/nfnetlink.c:204:   if
> (security_netlink_recv(skb, CAP_NET_ADMIN))
> ).
> 
> So, is there a way to use the QUEUE target _after_ dropping privilages?


Apparently none besides simply keeping CAP_NET_ADMIN.