SOCK_RAW issue with setuid & chroot-ed login on Linux servers (still unresolved)

Source: Internet
Author: User
Problem: when using the function socket(AF_INET, SOCK_RAW, IPPROTO_TCP ...) with a setuid & chroot-ed fake root on Linux servers, it always fails. However, the real root can work. Usually the fake root can do most things that require a root login.

After investigation, got the following hints. According to the man page of SOCK_RAW(7), "Only processes with an effective user ID of 0 or the CAP_NET_RAW capability are allowed to open raw sockets."

According to the capabilities(7) Linux man page, "For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list). Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute." CAP_NET_RAW: "Use RAW and PACKET sockets."

In "raw socket access as normal user on Linux 2.4", setuid is suggested, but it didn't work. Since we can't provide root login to all users, we must either find a way to let raw sockets work under the chroot-ed login, or substitute raw sockets with other options.
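The two conditions named in the man page text quoted above can be checked directly from inside the restricted login. The following diagnostic is an added example, not code from the original post; the function names `mask_has_cap`, `effective_caps` and `try_raw_socket` are hypothetical, and it assumes a Linux system with the kernel headers installed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* 1 if capability number cap is set in a 64-bit capability mask. */
int mask_has_cap(uint64_t mask, int cap) { return (int)((mask >> cap) & 1u); }

/* Effective capability set of the calling thread via capget(2), so it
 * also works in a chroot where /proc is not mounted. 0 on success. */
int effective_caps(uint64_t *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *out = ((uint64_t)data[1].effective << 32) | data[0].effective;
    return 0;
}

/* The call from the post. Returns 0 on success, otherwise errno. */
int try_raw_socket(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    uint64_t eff = 0;
    if (effective_caps(&eff) != 0) { perror("capget"); return 2; }
    int err = try_raw_socket();
    printf("euid=%d CAP_NET_RAW=%s raw socket: %s\n", (int)geteuid(),
           mask_has_cap(eff, CAP_NET_RAW) ? "yes" : "no", err ? strerror(err) : "ok");
    return err ? 1 : 0;
}
```

Run it once as the real root and once from the setuid & chroot-ed login and compare the two lines: a nonzero euid together with `CAP_NET_RAW=no` means neither condition from the quoted man page is met in that login.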
