On Wednesday 09 June 2004 18:52, Shachar Shemesh wrote:
> Hi all,
>
> I'm trying to provide a library call that will run a ping to a server.
> The catch is that it needs to be done as a non-root user, and I would
> like to avoid any solution that involves any SUID or root running
> processes beyond what is already there. That leaves me, pretty much,
> "ping".

Actually, not quite. You don't need to be root, you need your process to have the CAP_NET_RAW capability. This is not quite one and the same.

You can start as root and drop all privileges except the needed CAP_NET_RAW or even better - you can have a wrapper that starts as root, drops all unneeded caps and then execs the original program.

See:
http://www.securityfocus.com/infocus/1400

and also:
http://www.linuxjournal.com/article.php?sid=5737

Hope this helps,
Gilad

-- 
Gilad ben-Yossef <[EMAIL PROTECTED]>
Codefidence. A name you can trust(TM)
http://www.codefidence.com
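
The wrapper described in the reply above, as an added example that is not part of the original message: it starts as root, switches to an unprivileged uid/gid, keeps only CAP_NET_RAW and then execs the target program. The name `capwrap`, its argument order and the helper functions are hypothetical; the code assumes Linux 4.3 or later, because it relies on ambient capabilities (which postdate this 2004 thread) to carry CAP_NET_RAW across `execvp` into a non-setuid program, and it uses the raw `capset` syscall rather than libcap.

```c
/* Added example: hypothetical wrapper "capwrap <uid> <gid> <prog> [args...]". */
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Fill d[] so that `cap` is the only permitted/effective/inheritable bit. */
void only_cap(struct __user_cap_data_struct *d, int cap)
{
    memset(d, 0, sizeof(*d) * _LINUX_CAPABILITY_U32S_3);
    d[CAP_TO_INDEX(cap)].permitted = CAP_TO_MASK(cap);
    d[CAP_TO_INDEX(cap)].effective = CAP_TO_MASK(cap);
    d[CAP_TO_INDEX(cap)].inheritable = CAP_TO_MASK(cap);
}

/* Become uid/gid, keeping only `cap`; returns 0 on success, -1 on failure. */
int drop_to(uid_t uid, gid_t gid, int cap)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3];
    only_cap(d, cap);
    /* Refuse uid 0. Without KEEPCAPS, leaving uid 0 clears the permitted set. */
    if (uid == 0 || prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) ||
        setgroups(0, NULL) || setgid(gid) || setuid(uid))
        return -1;
    /* Shrink all three sets to the single capability. */
    if (syscall(SYS_capset, &h, d))
        return -1;
    /* Ambient set: lets a non-root, non-setuid exec'd program keep `cap`. */
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) ? -1 : 0;
}

int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s <uid> <gid> <prog> [args...]\n", argv[0]);
        return 2;
    }
    if (drop_to((uid_t)atoi(argv[1]), (gid_t)atoi(argv[2]), CAP_NET_RAW)) {
        fprintf(stderr, "drop_to failed (uid 0 or syscall error)\n");
        return 1;
    }
    execvp(argv[3], &argv[3]);
    perror("execvp"); /* only reached if exec failed */
    return 1;
}
```

The ambient capability is cleared if the exec'd program is itself setuid or carries file capabilities, so the target should be an ordinary binary.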
