使用功能打开特权端口而不是 root
[英]Use capabilities to open privileged ports without being root
问题描述
I'm trying to open privileged ports (as an example to use libcap) without being root.
我正在尝试打开特权端口(作为使用 libcap 的示例)而不是 root。
This is my code:这是我的代码:
// http_capabilities.cpp
#include <iostream>
#ifdef CLIENT
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#endif
#ifdef SERVER
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <sys/capability.h>
#endif
#ifdef SERVER
cap_t CAP_init(){
cap_t caps = cap_get_proc();
cap_value_t val = CAP_NET_BIND_SERVICE;//CAP_SETUID;
cap_set_flag(caps, CAP_EFFECTIVE, 1, &val, CAP_SET);
if (cap_set_proc(caps)) {
perror("failed to raise cap_net_bind_service");
exit(1);
}
return caps;
}
void CAP_close(cap_t caps){
if (cap_free(caps) == -1){
/* handle error */;
perror("CAPABILITY ERROR - cap_free_proc()");
}
}
#endif
int server(uint16_t PORT)
#ifdef SERVER
{
int server_fd, new_socket, valread;
struct sockaddr_in address;
int opt = 1;
int addrlen = sizeof(address);
char buffer[1024] = { 0 };
std::string app = "Hello from server";
const char* hello = app.c_str();
// Creating socket file descriptor
if ((server_fd = socket(AF_INET, SOCK_STREAM, 0))
== 0) {
perror("socket failed");
exit(EXIT_FAILURE);
}
// Forcefully attaching socket to the port 8080
if (setsockopt(server_fd, SOL_SOCKET,
SO_REUSEADDR | SO_REUSEPORT, &opt,
sizeof(opt))) {
perror("setsockopt");
exit(EXIT_FAILURE);
}
address.sin_family = AF_INET;
address.sin_addr.s_addr = INADDR_ANY;
address.sin_port = htons(PORT);
// Forcefully attaching socket to the port 8080
if (bind(server_fd, (struct sockaddr*)&address,
sizeof(address))
< 0) {
perror("bind failed");
exit(EXIT_FAILURE);
}
if (listen(server_fd, 3) < 0) {
perror("listen");
exit(EXIT_FAILURE);
}
if ((new_socket
= accept(server_fd, (struct sockaddr*)&address,
(socklen_t*)&addrlen))
< 0) {
perror("accept");
exit(EXIT_FAILURE);
}
valread = read(new_socket, buffer, 1024);
printf("%s\n", buffer);
send(new_socket, hello, strlen(hello), 0);
printf("Hello message sent\n");
// closing the connected socket
close(new_socket);
// closing the listening socket
shutdown(server_fd, SHUT_RDWR);
return 0;
}
#else
{
//non lo compilerà mai
//serve la ifdef per non dover linkare la libcap anche col client
return 0;
}
#endif
int client(uint16_t PORT){
int sock = 0, valread, client_fd;
struct sockaddr_in serv_addr;
std::string app = "Hello from client";
const char* hello = app.c_str();
char buffer[1024] = { 0 };
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("\n Socket creation error \n");
return -1;
}
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(PORT);
// Convert IPv4 and IPv6 addresses from text to binary
// form
if (inet_pton(AF_INET, "127.0.0.1", &serv_addr.sin_addr)
<= 0) {
printf(
"\nInvalid address/ Address not supported \n");
return -1;
}
if ((client_fd
= connect(sock, (struct sockaddr*)&serv_addr,
sizeof(serv_addr)))
< 0) {
printf("\nConnection Failed \n");
return -1;
}
send(sock, hello, strlen(hello), 0);
printf("Hello message sent\n");
valread = read(sock, buffer, 1024);
printf("%s\n", buffer);
// closing the connected socket
close(client_fd);
return 0;
}
int main(int argc, char const* argv[])
{
if(argc != 2){
std::cerr<< "wrong number of params passed, defaulting to port 80" <<argc<< std::endl;
}
uint16_t port = 80;
if(argc == 2)
port = atoi(argv[1]);
#ifdef SERVER
std::cout<< "server"<< std::endl;
cap_t cap = CAP_init();
server(port);
CAP_close(cap);
#endif
#ifdef CLIENT
std::cout<< "client"<< std::endl;
client(port);
#endif
}
I compile it with:我编译它:
g++ -DSERVER http_capabilities.cpp -Ilibcap/libcap -Ilibcap/libcap/include/ -lcap -Llibcap/libcap -o server_exe
# and
g++ -DCLIENT http_capabilities.cpp -Ilibcap/libcap -Ilibcap/libcap/include/ -lcap -Llibcap/libcap -o server_exe
I run it as:我将其运行为:
$ ./server_exe 88
I get:我得到:
failed to raise cap_net_bind_service: Operation not permitted
What am I doing wrong?我究竟做错了什么?
1 个解决方案
解决方案1
0 2022-09-22 14:35:31
You should be able to use a file capability to make this work:您应该能够使用文件功能来完成这项工作:
$ sudo setcap cap_net_bind_service=p ./server_exe
There is also a description of how to do this with a capable shared library on the Fully Capable libcap site. Full Capable libcap站点上还介绍了如何使用功能强大的共享库执行此操作。 I'm not sure how serious that is as a method, it does work.我不确定这作为一种方法有多严重,它确实有效。 It was mentioned in this answer: https://stackoverflow.com/a/69924486/5739452在这个答案中提到过: https://stackoverflow.com/a/69924486/5739452
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
linux重命名根拥有文件的功能 - linux capabilities to rename a root owned file
端口已打开,但没有人可以连接 - Ports open, but no one can connect
打开2个相邻的UDP临时端口 - Open 2 Adjacent UDP Ephemeral Ports
如何:非root用户的qml前端和root特权的工作线程 - how to: non-root qml frontend and root-privileged worker threads
QtQuick动画冻结在列表上并打开串行端口 - QtQuick animation freezing on list and open serial ports
检查 C/C++ 中的开放端口 - Checking for open ports in C/C++
如何在没有root的情况下“装载”在我的过程空间中? - How can I “mount” within my process space without being root?
如果应用程序未打开,应用程序如何处理? - How do applications handle ports if they are not open?
为什么根值没有被更新 - why is the root value not being updated
C ++初始化列表功能:调用函数而不初始化成员? - C++ initializer list capabilities: call functions without initializing member?
相关标签