when process has required capabilities use them #2429
Description
Things to consider
- Please check that you are using the latest scapy version:
Yes, I am. The latest version is 2.4.3; here's the output of $ pip show scapy:
Name: scapy
Version: 2.4.3
Summary: Scapy: interactive packet manipulation tool
Home-page: https://scapy.net
Author: Philippe BIONDI
Author-email: guillaume@valadon.net
License: GPLv2
Location: /home/x/.local/lib/python3.8/site-packages
Requires:
Required-by:
Brief description
tcpdump is not passed the ambient CAP_NET_RAW capability given to a Python standalone exe AOT-compiled with Nuitka
Environment
- Scapy version: 2.4.3
- Python version: 3.8
- Operating System: latest rolling Arch Linux release and updated packages as of today, output of $ uname -a:
Linux archiver 5.4.12-arch1-1 #1 SMP PREEMPT Tue, 14 Jan 2020 21:44:31 +0000 x86_64 GNU/Linux
How to reproduce
Use arping, which uses tcpdump; add the CAP_NET_RAW capability to the Python interpreter temporarily for testing, or compile the script with Nuitka and add the capability with setcap to the standalone executable.
Actual result
Traceback (most recent call last):
File "dist/watch_LAN.py", line 127, in <module>
File "dist/watch_LAN.py", line 87, in main
File "dist/watch_LAN.py", line 68, in mac_discovery
File "dist/scapy/layers/l2.py", line 628, in arping
File "dist/scapy/sendrecv.py", line 503, in srp
File "dist/scapy/arch/linux.py", line 475, in __init__
File "dist/scapy/arch/linux.py", line 160, in attach_filter
File "dist/scapy/arch/common.py", line 182, in compile_filter
scapy.error.Scapy_Exception: Failed to attach filter: tcpdump returned: b"tcpdump: lo: You don't have permission to capture on that device\n(socket: Operation not permitted)\n"
Expected result
tcpdump should be passed the capabilities and be able to capture raw packets
You can't set capabilities on a Python script, or any script, with a shebang or not (e.g. a bash script); however, Python has compilers that can make a standalone executable that you can set capabilities on.
And you shouldn't set capabilities on interpreters:
The accepted answer on the question: Python Scapy sniff without root
proposes setting capabilities on the Python interpreter and tcpdump, but this is not secure at all: this enables any Python script to have those capabilities, and anything that uses tcpdump too. The second answer proposes using a helper binary that you set the capabilities on and that passes them to the interpreter it starts, but this also has the first drawback of the first answer (allowing anything run using that helper binary to have those capabilities).
I need the security of not using root and using Linux capabilities instead.
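An added example, not part of the issue or of Scapy's code: it applies the execve() capability rules from capabilities(7) to the Cap* lines of /proc/<pid>/status, to show which sets a child such as tcpdump ends up with. The two status samples are constructed, and a non-root parent and a child that is not set-user-ID or set-group-ID are assumed.

```python
# Added example: which capabilities survive execve() into a child process.
# Rules follow capabilities(7) for a non-root process; sample data is constructed.
CAP_NET_RAW = 13  # bit number from <linux/capability.h>
SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Constructed sample: parent binary given cap_net_raw+ep with setcap only.
FILE_CAPS_ONLY = """Name:\twatch_LAN
CapInh:\t0000000000000000
CapPrm:\t0000000000002000
CapEff:\t0000000000002000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""
# Constructed sample: parent that also raised CAP_NET_RAW into inheritable + ambient.
AMBIENT_RAISED = FILE_CAPS_ONLY.replace(
    "CapInh:\t0000000000000000", "CapInh:\t0000000000002000").replace(
    "CapAmb:\t0000000000000000", "CapAmb:\t0000000000002000")

def parse_caps(status_text):
    """Return the capability sets in /proc/<pid>/status text as integers."""
    caps = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in SETS:
            caps[key] = int(value.strip(), 16)
    return caps

def after_exec(caps, f_inh=0, f_prm=0, f_eff=False):
    """Sets of the child after execve(); f_* are the child's file capabilities."""
    privileged_file = bool(f_inh or f_prm)  # a file with capabilities drops ambient
    amb = 0 if privileged_file else caps.get("CapAmb", 0)
    prm = (caps["CapInh"] & f_inh) | (f_prm & caps["CapBnd"]) | amb
    eff = prm if f_eff else amb
    return {"CapInh": caps["CapInh"], "CapPrm": prm, "CapEff": eff,
            "CapBnd": caps["CapBnd"], "CapAmb": amb}

def has_cap(caps, set_name, cap=CAP_NET_RAW):
    """True if bit `cap` is set in the named capability set."""
    return bool(caps.get(set_name, 0) >> cap & 1)

if __name__ == "__main__":
    with open("/proc/self/status") as fh:  # Linux only
        mine = parse_caps(fh.read())
    child = after_exec(mine)  # child binary without file capabilities
    for name in SETS:
        print(name, "parent:", has_cap(mine, name), "child:", has_cap(child, name))
```

With file capabilities alone the parent holds CAP_NET_RAW but a child without file capabilities gets none; only a capability present in the ambient set at execve() time reaches it.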