
Use iptables through iptc, enables rootless operation #41

Closed

Conversation

adisbladis
Contributor

Related to #38

Provided I do setcap 'cap_net_raw,cap_dac_override,cap_net_admin=+ep' $(which python2) I can run opensnitch with an unprivileged user.

Needed cap_net_raw because of how communication with the kernel happens from iptables.

I say we still keep #38 open though; this is a larger issue.

@evilsocket
Owner

Is it dependent on this #43?

@adisbladis
Contributor Author

No, it's not.

@evilsocket
Owner

Question: how do we execute setcap on first run in order not to have the user do it? Maybe we should require root for first run, setcap on ourself and then re-run without root?

@adisbladis
Contributor Author

adisbladis commented May 5, 2017

We don't. We would have to do setcap on the whole python interpreter, which is bad for obvious reasons.
I see this more as a nice PoC (and much better than invoking external commands).

This should also translate fairly well to libiptc if we decide to go down that route (writing the daemon in a compiled language).
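As an added example (not opensnitch code and not part of this PR), here is a Python 3 pre-flight check a daemon could run before touching iptc or NFQUEUE: it decodes the CapEff mask from /proc/self/status and compares it against the three capabilities named above (cap_net_raw, cap_dac_override, cap_net_admin). The "excess" set it reports is the concern raised about setcap on the whole interpreter: every other script run with that binary inherits those bits too. Capability bit numbers are the standard ones from linux/capability.h; the sample status text is constructed for the example, and the function names are my own.

```python
"""Pre-flight file-capability check for an unprivileged netfilter client.

Added example, not opensnitch code. Decodes the CapEff/CapPrm bitmasks that
the kernel exposes in /proc/<pid>/status and checks them against the set
the PR grants with setcap. Bit numbers follow linux/capability.h.
"""
import os

# Bit index -> capability name (linux/capability.h, CAP_CHOWN .. CAP_AUDIT_READ).
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 9: "cap_linux_immutable",
    10: "cap_net_bind_service", 11: "cap_net_broadcast", 12: "cap_net_admin",
    13: "cap_net_raw", 14: "cap_ipc_lock", 15: "cap_ipc_owner",
    16: "cap_sys_module", 17: "cap_sys_rawio", 18: "cap_sys_chroot",
    19: "cap_sys_ptrace", 20: "cap_sys_pacct", 21: "cap_sys_admin",
    22: "cap_sys_boot", 23: "cap_sys_nice", 24: "cap_sys_resource",
    25: "cap_sys_time", 26: "cap_sys_tty_config", 27: "cap_mknod",
    28: "cap_lease", 29: "cap_audit_write", 30: "cap_audit_control",
    31: "cap_setfcap", 32: "cap_mac_override", 33: "cap_mac_admin",
    34: "cap_syslog", 35: "cap_wake_alarm", 36: "cap_block_suspend",
    37: "cap_audit_read",
}

# The set granted in the PR: setcap 'cap_net_raw,cap_dac_override,cap_net_admin=+ep'
REQUIRED_CAPS = frozenset({"cap_net_raw", "cap_dac_override", "cap_net_admin"})

# Constructed sample of /proc/<pid>/status for a process holding exactly the
# three required caps (bits 1, 12, 13 -> 0x3002). Not captured from a real host.
SAMPLE_STATUS = (
    "Name:\tpython2\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000003002\n"
    "CapEff:\t0000000000003002\n"
    "CapBnd:\t0000003fffffffff\n"
)


def decode_cap_mask(hex_mask):
    """Return the set of capability names whose bit is set in a hex cap mask."""
    mask = int(hex_mask, 16)
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Unknown bits (newer kernels) are reported by number, not dropped.
            names.add(CAP_NAMES.get(bit, "cap_%d" % bit))
        bit += 1
    return names


def parse_status(status_text):
    """Extract the Cap* lines from the text of /proc/<pid>/status as name sets."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith(("CapInh:", "CapPrm:", "CapEff:", "CapBnd:")):
            key, _, value = line.partition(":")
            caps[key] = decode_cap_mask(value.strip())
    return caps


def check_caps(effective, required=REQUIRED_CAPS):
    """Return (ok, missing, excess).

    missing: required caps not in the effective set (iptc/NFQUEUE will fail).
    excess:  effective caps beyond what the daemon needs; non-empty means the
             binary carries more privilege than this job justifies.
    """
    missing = set(required) - effective
    excess = effective - set(required)
    return (not missing, missing, excess)


def check_self():
    """Check the calling process's own effective capabilities (Linux only)."""
    with open("/proc/self/status") as f:
        return check_caps(parse_status(f.read())["CapEff"])


if __name__ == "__main__":
    if os.path.exists("/proc/self/status"):
        ok, missing, excess = check_self()
        print("ok=%s missing=%s excess=%s" % (ok, sorted(missing), sorted(excess)))
    else:
        print(check_caps(parse_status(SAMPLE_STATUS)["CapEff"]))
```

Run it from the interpreter you applied setcap to; a non-empty excess set on a stock python binary is exactly why the comment above rejects that approach outside a proof of concept.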

@evilsocket
Owner

Not sure if I want to merge it on master tbh ...

@adisbladis
Contributor Author

I think it's fine to leave this unmerged. It's not a very significant improvement.
This was mostly me wanting to explore what was needed to run something like this without running as root.

@evilsocket
Owner

👍

@adisbladis
Contributor Author

I'm closing this, let's keep it in mind as a future reference :)

@adisbladis adisbladis closed this May 5, 2017
@evilsocket
Owner

absolutely, great job btw 👍

adisbladis added a commit that referenced this pull request Jun 2, 2017
Reviving my PR #41 and
polishing it up a bit for easier usage
gustavo-iniguez-goya added a commit that referenced this pull request Dec 9, 2020
When the daemon is stopped, we need to close opened netfilter resources.
Otherwise we can fall into a situation where we leave NFQUEUE queues
opened, which causes opensnitch to not run anymore until system restart
or a manual intervention, because there's a NFQUEUE queue already created
with the same ID.

This is what was happening as a collateral effect of #41.