
Linux Raw Socket Permissions Issue

I'm creating a raw ethernet socket in a C application, eg

s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));

and it's returning -1, indicating an error.

I'm pretty sure it's a permissions issue. You can only open a raw socket if you have a UID of 0 (root) or have the CAP_NET_RAW capability.

I don't think running the application as root is reasonable, therefore my question is how can I 'add' the CAP_NET_RAW capability permission to my user account?

From http://manpages.ubuntu.com/manpages/zesty/en/man7/packet.7.html

   In order to create a packet socket, a process must have the CAP_NET_RAW
   capability in the user namespace that governs its network namespace.

But how does one achieve that end?

Being able to read all network packets is considered a severe security risk; that is why this needs a privileged account.

You can make the application "suid root" to elevate your own rights when starting this application as a "normal" user. But that is a security risk as well and needs a bit of thorough thinking when designing the application (it should at least give up the higher privilege as soon as it doesn't need it any more, i.e. after having opened the raw socket).

You cannot add the CAP_NET_RAW permission to your account, because capabilities on Linux do not follow users. They follow executables.

To make this work, you need to add the CAP_NET_RAW capability to your compiled executable. See the setcap command in order to see how to do that.

You set the capabilities on the executable that needs that capability, not a user account. The syntax is

setcap cap_net_raw,cap_net_admin=eip ./your_executable

(Note: you need to run setcap as root, so use e.g. sudo setcap ... Also make sure there are no space characters in cap_net_raw,cap_net_admin=eip.)
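A C program that ties the question's call to the advice in the answers above: it opens the raw socket, reports a failure in terms of the missing CAP_NET_RAW capability, and, for the suid-root route, drops privileges permanently as soon as the socket is open. This is an added example, not code from the question or the answers; the function names are my own, and it assumes a Linux build host (AF_PACKET, ETH_P_ALL).

```c
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <linux/if_ether.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open the raw packet socket from the question; on failure hand errno
 * back in *err so a missing CAP_NET_RAW (EPERM) is distinguishable. */
int open_raw_socket(int *err)
{
    int s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    *err = (s < 0) ? errno : 0;
    return s;
}

/* Turn the errno from socket(2) into an actionable hint for the operator. */
const char *explain_raw_socket_error(int err)
{
    switch (err) {
    case 0:     return "ok";
    case EPERM: return "no CAP_NET_RAW: grant it with setcap cap_net_raw=eip on the binary";
    default:    return strerror(err);
    }
}

/* suid-root variant (second answer): once the socket is open, drop back to the
 * real uid/gid for good. Order matters (groups, gid, uid): a non-root uid can
 * no longer change the others. Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    if (geteuid() != 0)
        return 0;                                   /* nothing to drop */
    if (setgroups(0, NULL) < 0 || setgid(getgid()) < 0 || setuid(ruid) < 0)
        return -1;
    return (ruid != 0 && setuid(0) == 0) ? -1 : 0;  /* re-escalation must fail */
}

int main(void)
{
    int err, s = open_raw_socket(&err);
    if (s < 0) { fprintf(stderr, "socket: %s\n", explain_raw_socket_error(err)); return 1; }
    if (drop_privileges() < 0) { perror("drop_privileges"); return 1; }
    printf("raw socket fd %d open, privileges dropped\n", s);
    return close(s);
}
```

Run it once as an unprivileged user to see the EPERM hint, then after `sudo setcap cap_net_raw=eip ./a.out` to see the socket open without root.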
