author: Kelvin Zhang <zhangxp1998@gmail.com> 2020-01-18 09:17:02 -0500
committer: GitHub <noreply@github.com> 2020-01-18 09:17:02 -0500
commit: 833577e0b6d1e595303251fb0acf4608b5c85e7b (patch)
tree: 973416378f36f632640eceb0c2de1fa9be786537
parent: 755d88cce1b5c9763c4f452e75c56b79e6850a4b (diff)
parent: 075f858e8f10670ea8dcd27d9cb7ce5beb612e57 (diff)
Merge pull request #135 from zhangxp1998/setcap
Update description about capabilities needed
-rw-r--r--  README.md         | 6
-rw-r--r--  src/os/shared.rs  | 2
2 files changed, 4 insertions, 4 deletions
diff --git a/README.md b/README.md
index 5e58c06..1a5d238 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,7 @@ cargo install bandwhich
```
This installs `bandwhich` to `~/.cargo/bin/bandwhich` but you need root priviliges to run `bandwhich`. To fix that, there are a few options:
-- Give the executable elevated permissions: `sudo setcap cap_net_raw,cap_net_admin+ep ~/.cargo/bin/bandwhich` (not 100% the same as `sudo`, see explanation below)
+- Give the executable elevated permissions: ``sudo setcap cap_sys_ptrace,cap_dac_read_search,cap_net_raw,cap_net_admin+ep `which bandwhich``
- Run `sudo ~/.cargo/bin/bandwhich` instead of just `bandwhich`
- Create a symlink: `sudo ln -s ~/.cargo/bin/bandwhich /usr/local/bin/` (or another path on root's PATH)
- Set root's PATH to match your own `sudo env "PATH=$PATH" bandwhich`
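Review bot: the markdown on the `+` line loses the closing backtick of the command substitution. The code span is opened with two backticks and closes at the next run of exactly two backticks, which is the pair after `bandwhich`, so the rendered text ends in `` `which bandwhich `` with no terminating backtick, and a reader who copies it gets an unterminated substitution. Using `$(...)` avoids nesting backticks inside a code span entirely: `` `sudo setcap cap_sys_ptrace,cap_dac_read_search,cap_net_raw,cap_net_admin+ep "$(which bandwhich)"` ``. Two smaller points: `which bandwhich` only resolves once `~/.cargo/bin` is on the user's PATH, which the sentence just above ("This installs `bandwhich` to `~/.cargo/bin/bandwhich`") does not guarantee, whereas the removed `~/.cargo/bin/bandwhich` form had no such dependency; and the unchanged context line still spells "priviliges", which could be corrected to "privileges" while this paragraph is being touched.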
@@ -89,10 +89,10 @@ OPTIONS:
On Linux, you can give the `bandwhich` binary a permanent capability to use the required privileges, so that you don't need to use `sudo bandwhich` anymore:
```bash
-sudo setcap cap_net_raw,cap_net_admin+ep "$HOME/.cargo/bin/bandwhich"
+sudo setcap cap_sys_ptrace,cap_dac_read_search,cap_net_raw,cap_net_admin+ep `which bandwhich`
```
+`cap_sys_ptrace,cap_dac_read_search` gives `bandwhich` capability to list `/proc/<pid>/fd/` and resolve symlinks in that directory. It needs this capability to determine which opened port belongs to which process. `cap_net_raw,cap_net_admin` gives `bandwhich` capability to capture packets on your system.
-This is not 100% the same as running `bandwhich` as `sudo`. The above `setcap` commands gives `bandwhich` capability to sniff network packets. In order to run, `bandwhich` also needs the ability to read `procfs`. Normally processes can read `procfs`, however, if your system has [hidepid](https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/) enabled, this assumption might not hold.
### raw_mode
`bandwhich` also supports an easier-to-parse mode that can be piped or redirected to a file. For example, try:
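Review bot: the added explanation describes `cap_sys_ptrace,cap_dac_read_search` only in terms of listing `/proc/<pid>/fd/`, but both capabilities reach far beyond procfs: `cap_dac_read_search` bypasses file read and directory search permission checks on every file on the system, and `cap_sys_ptrace` allows tracing other users' processes. Since this section is telling users to attach these permanently to a binary in their home directory, the sentence should say so, e.g. "note that these two capabilities are broad: they let the binary read any file and inspect any process, not just `/proc`". Also, the removed paragraph carried the [hidepid](https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/) caveat; if the new capability set is what resolves that case, keep one sentence saying so rather than dropping the pointer silently, since readers on hardened systems are the ones most likely to hit the permission error. Minor: the old fenced command quoted its path (`"$HOME/.cargo/bin/bandwhich"`); the new `` `which bandwhich` `` is unquoted and, as in the earlier hunk, `$(which bandwhich)` in double quotes would be the safer form.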
diff --git a/src/os/shared.rs b/src/os/shared.rs
index d336357..c509f91 100644
--- a/src/os/shared.rs
+++ b/src/os/shared.rs
@@ -174,6 +174,6 @@ fn eperm_message() -> &'static str {
* Try running `bandwhich` with `sudo`
* Build a `setcap(8)` wrapper for `bandwhich` with the following rules:
- `cap_net_raw,cap_net_admin+ep`
+ `cap_sys_ptrace,cap_dac_read_search,cap_net_raw,cap_net_admin+ep`
"#
}
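Review bot: the capability list in this `eperm_message()` now matches the README, which is good, but the surrounding wording "Build a `setcap(8)` wrapper for `bandwhich`" (unchanged context) is misleading: file capabilities are set on the `bandwhich` binary itself, and the kernel ignores file capabilities on an interpreted wrapper script, so a user who follows this literally and writes a shell wrapper will still get EPERM. Suggest "Grant the `bandwhich` binary the following capabilities with `setcap(8)`:" followed by the `+ep` line. Since this message is the first thing a user sees on failure, a short phrase on what `cap_sys_ptrace,cap_dac_read_search` are for (the README now has one: resolving `/proc/<pid>/fd/` to processes) would help them decide whether to grant it.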