netfilter-devel.vger.kernel.org archive mirror
* QUEUE target and capabilities
@ 2007-10-21  7:17 Nir Tzachar
  2007-10-22 11:23 ` Patrick McHardy
  0 siblings, 1 reply; 2+ messages in thread
From: Nir Tzachar @ 2007-10-21  7:17 UTC (permalink / raw)
  To: netfilter-devel

Hello.

I am writing an application which uses the QUEUE target, and
encountered a simple problem. My goal is to run the application
without root privileges. That is, start the program under root, call
ipq_create_handle, and then drop privileges.

However, as far as I can tell, I cannot communicate with the netlink
socket of netfilter unless the process has the CAP_NET_ADMIN
capability (I may be wrong, but I am basing this on
/usr/src/linux/net/netfilter/nfnetlink.c:204:

    if (security_netlink_recv(skb, CAP_NET_ADMIN))

).

So, is there a way to use the QUEUE target _after_ dropping privileges?

thanks.
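
Added example, not part of the original message or of any netfilter code: the standard Linux pattern for giving up root while retaining a single capability, here the CAP_NET_ADMIN that the nfnetlink.c check cited above tests for. The function names and the uid/gid 65534 are assumptions; raw capget/capset syscalls are used so that no libcap is needed.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Returns 1 if cap is in the effective set, 0 if not, -1 on error. */
int has_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (int)((data[cap >> 5].effective >> (cap & 31)) & 1u);
}

/* Hypothetical helper: switch from root to uid/gid, keeping only CAP_NET_ADMIN. */
int drop_root_keep_net_admin(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (uid == 0 || geteuid() != 0)
        return -1;
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)  /* keep permitted set across setuid */
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* setuid() cleared the effective set: re-raise CAP_NET_ADMIN only, shrink permitted to match. */
    memset(data, 0, sizeof data);
    data[0].permitted = data[0].effective = 1u << CAP_NET_ADMIN;
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;
    /* Fail closed if root can be regained or the capability is missing. */
    if (setuid(0) == 0 || has_effective_cap(CAP_NET_ADMIN) != 1)
        return -1;
    return 0;
}

int main(void)
{
    /* The netlink handle (ipq_create_handle) would be opened here, while still root. */
    return drop_root_keep_net_admin(65534, 65534) != 0;  /* 65534: assumed unprivileged id */
}
```

A failure return can leave the process partly changed (for example already switched to the new uid), so the caller should exit rather than continue.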
