[tproxy] tproxy non-root access

Jan Engelhardt jengelh at linux01.gwdg.de
Thu Jul 20 09:53:50 CEST 2006


>> Is it true that my program needs to have root access in order to change
>> socket options with tproxy?
>
>You need CAP_NET_ADMIN capabilities.
>
>> If so, is there a workaround for it?
>
>Either change the code, or make sure your program somehow gets / keeps
>the CAP_NET_ADMIN caps.
>
>> Currently, I have a program running under a non-root user and needs to
>> use tproxy but it keeps getting "Operation not permitted" error when
>> trying to set socket option using tproxy.
>
>You can simply drop all capabilities except CAP_NET_ADMIN and be done with 
>it. See the capabilities and prctl() manpage. 
>
I used my very own kernel module for that, 
http://jengelh.hopto.org/p/multiadm/
Loading it using `modprobe multiadm Netuid=31` gives UID 31 (squid in my 
case) CAP_NET_ADMIN.


Jan Engelhardt
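
Added example, not part of the original message or of tproxy: one way to do the "drop all capabilities except CAP_NET_ADMIN" step from the quoted reply, using prctl() and the raw capget/capset syscalls. It assumes the program starts as root on Linux; the function names are hypothetical, UID 31 is the value mentioned above and GID 31 is an assumed sample.

```c
/* Added example: keep only CAP_NET_ADMIN across a switch from root to an
 * unprivileged UID. GID 31 is a constructed sample value. Linux only. */
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fill a v3 capability set so that only `cap` is permitted and effective.
 * Inheritable stays empty, so exec'd children do not receive it. */
static void cap_only(int cap, struct __user_cap_data_struct d[2])
{
    memset(d, 0, 2 * sizeof(d[0]));
    d[CAP_TO_INDEX(cap)].permitted = CAP_TO_MASK(cap);
    d[CAP_TO_INDEX(cap)].effective = CAP_TO_MASK(cap);
}

/* 1 if the caller has `cap` in its effective set, 0 if not, -1 on error. */
static int has_effective_cap(int cap)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &h, d) != 0) return -1;
    return (d[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) != 0;
}

/* Must start as root. Returns 0 on success, -1 on the first failing step. */
static int drop_to_uid_keeping(int cap, uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    cap_only(cap, d);
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1; /* keep permitted set over setuid */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (syscall(SYS_capset, &h, d) != 0) return -1; /* shrink to `cap`, re-raise effective */
    if (setuid(0) == 0) return -1;                  /* regaining root must be impossible */
    return has_effective_cap(cap) == 1 ? 0 : -1;
}

int main(void)
{
    if (drop_to_uid_keeping(CAP_NET_ADMIN, 31, 31) != 0) { perror("drop"); return 1; }
    printf("uid=%d CAP_NET_ADMIN=%d\n", (int)getuid(), has_effective_cap(CAP_NET_ADMIN));
    return 0;
}
```

PR_SET_KEEPCAPS only preserves the permitted set; the effective set is cleared by setuid(), which is why capset is called after the UID change.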