search for: cap_net_raw

...to the stack? I thought VDUSE is vDPA in user space, >>> meaning to get to the kernel the packet has to first go thru >>> a virtio-net instance. >> >> yes. is that a sufficient filter in your opinion? > > Yes, the ability to create the device feels stronger than CAP_NET_RAW, > and a bit tangential to CAP_NET_ADMIN. But I don't have much practical > experience with virt so no strong opinion, perhaps it does make sense > for someone's deployment? Dunno.. > I'm not sure CAP_NET_ADMIN should be required for creating the VDUSE devices, as the devi...

...to the stack? I thought VDUSE is vDPA in user space, >>> meaning to get to the kernel the packet has to first go thru >>> a virtio-net instance. >> >> yes. is that a sufficient filter in your opinion? > > Yes, the ability to create the device feels stronger than CAP_NET_RAW, > and a bit tangential to CAP_NET_ADMIN. But I don't have much practical > experience with virt so no strong opinion, perhaps it does make sense > for someone's deployment? Dunno.. > I'm not sure CAP_NET_ADMIN should be required for creating the VDUSE devices, as the devi...

...in user space, > > > > meaning to get to the kernel the packet has to first go thru > > > > a virtio-net instance. > > > > > > yes. is that a sufficient filter in your opinion? > > > > Yes, the ability to create the device feels stronger than CAP_NET_RAW, > > and a bit tangential to CAP_NET_ADMIN. But I don't have much practical > > experience with virt so no strong opinion, perhaps it does make sense > > for someone's deployment? Dunno.. > > > > I'm not sure CAP_NET_ADMIN should be required for creating...

...pace, >>>>> meaning to get to the kernel the packet has to first go thru >>>>> a virtio-net instance. >>>> >>>> yes. is that a sufficient filter in your opinion? >>> >>> Yes, the ability to create the device feels stronger than CAP_NET_RAW, >>> and a bit tangential to CAP_NET_ADMIN. But I don't have much practical >>> experience with virt so no strong opinion, perhaps it does make sense >>> for someone's deployment? Dunno.. >>> >> >> I'm not sure CAP_NET_ADMIN should be requ...

...888(foo1)). Mapping looks properly. Why use uidmapshift ?, it still performs chown. Could you explain more? > some tools may not work, because of the missing file capabilities. > chown removes all file capabilities! try ping as user inside the > container. (missing file cap cap_net_admin,cap_net_raw) # getcap /usr/bin/ping # ping localhost PING localhost (127.0.0.1) 56(84) bytes of data. 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.077 ms 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.066 ms ^C --- localhost ping statistics --- 2 packets transmitted, 2 received...

Hi All - I have wine installed from EPEL on CentOS 7. My .exe is running except I dont seem to have network ? So I tried a ping command. wine ping 192.168.1.1 0009:err:winediag:IcmpCreateFile Failed to use ICMP (network ping), this requires special permissions. Pinging 192.168.1.1 [192.168.1.1] with 32 bytes of data: PING: transmit failed. General failure.

...wayned at samba.org Reporter: rsync at sanitarium.net QA Contact: rsync-qa at samba.org Linux has added a concept called file capabilities. This allows certain binaries to perform specific privileged functions without requiring SUID root. Example: # getcap /bin/ping /bin/ping = cap_net_raw+ep Rsync should be able to (optionally of course) copy these attributes as it can copy xattrs and ACLs. They should also be storable via --fake-super on non-Linux systems. -- You are receiving this mail because: You are the QA Contact for the bug.

...rts updated under uid updated and gid updated > with CAP_SYS_ADMIN raised in the Effective set. > > sucap updated updated execcap 'cap_sys_admin=eip' update > Or if your kernel has support of file capiblies create a version of wine with a little more permissions. setfcaps -c cap_net_raw=p -e /bin/ping There has been no reason to run wine on Linux as root since late 2.2 linux kernels and early 2.4 linux kernels. Personally I really do wish that a bail out patch would get added to wine for all Linux systems. Even running services there is no reason for wine to be root.

Hi all, I have read through just about every relevant post on this site and I also experimented a bit and I'm looking for your opinion on a solution have come up with. I am attempting to connect a Linux web server to a monitoring package. This packages (absolutely) requires a Windows based probe on the same network as the Linux server. The probe itself uses SNMP, Ping, and Telnet to talk

..."shift" the uids for the container 0 -> 666, 1 -> 667, 2 -> 668. there is a tool for this: uidmapshift some tools may not work, because of the missing file capabilities. chown removes all file capabilities! try ping as user inside the container. (missing file cap cap_net_admin,cap_net_raw) /stephan -- Software is like sex, it's better when it's free!

...ss-local), I'd like for my init setup to drop certain bits from the bounding set early on during bootup. I'm thinking of adding the following linux command line flag: capbset_drop=<comma separated list of capabilities> example: capbset_drop=CAP_SYS_RAWIO capbset_drop=CAP_SYS_RAWIO,CAP_NET_RAW I'm thinking that this option would drop the listed capabilities from the bounding set, as well as init's permitted, effective and inherited masks. I'd probably want to eventually also provide a way to set the securebits (they seem to operate in the same way?), though for now I'd...

...----- 1 100000 100999 1679 18. Feb 13:56 etc/ssh/ssh_host_rsa_key and as before from the inside >> some tools may not work, because of the missing file capabilities. >> chown removes all file capabilities! try ping as user inside the >> container. (missing file cap cap_net_admin,cap_net_raw) > > # getcap /usr/bin/ping > # ping localhost > PING localhost (127.0.0.1) 56(84) bytes of data. > 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.077 ms > 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.066 ms > ^C > --- localhost ping statistic...

Hello, Is it possible at all to block all users other than root from sending outbound ICMP packets on an interface? At the moment we have the following two rules in our IPtables config: iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT iptables -A OUTPUT -o eth1 -j DROP But this still allows ICMP for some reason (but *does* block other TCP/UDP packets, which is what we want, as well

On Fri, Jul 22, 2016 at 10:18 PM, Corinna Vinschen <vinschen at redhat.com> wrote: [...] > Hmm. If that only affects Cygwin, and if defines.h is not synced anyway, > what about getting rid of the configure stuff entirely? > > Tested counterproposal: Looks reasonable. It's late here so I'm going to look at it tomorrow. > As for the comment preceeding the definition,

Hi! I with my colleagues from Samsung trying to run systemd in Linux container. I saw that the others are experimenting in this topic, so I would like to present the results of my work and tests, perhaps it will be helpful to others. As the prototype I used a manual written by Daniel: https://www.berrange.com/posts/2013/08/12/running-a-full-fedora-os-inside-a-libvirt-lxc-guest/ After many

...AP_DAC_READ_SEARCH), + MAKE_CAP(CAP_FOWNER), + MAKE_CAP(CAP_FSETID), + MAKE_CAP(CAP_KILL), + MAKE_CAP(CAP_SETGID), + MAKE_CAP(CAP_SETUID), + MAKE_CAP(CAP_SETPCAP), + MAKE_CAP(CAP_LINUX_IMMUTABLE), + MAKE_CAP(CAP_NET_BIND_SERVICE), + MAKE_CAP(CAP_NET_BROADCAST), + MAKE_CAP(CAP_NET_ADMIN), + MAKE_CAP(CAP_NET_RAW), + MAKE_CAP(CAP_IPC_LOCK), + MAKE_CAP(CAP_IPC_OWNER), + MAKE_CAP(CAP_SYS_MODULE), + MAKE_CAP(CAP_SYS_RAWIO), + MAKE_CAP(CAP_SYS_CHROOT), + MAKE_CAP(CAP_SYS_PTRACE), + MAKE_CAP(CAP_SYS_PACCT), + MAKE_CAP(CAP_SYS_ADMIN), + MAKE_CAP(CAP_SYS_BOOT), + MAKE_CAP(CAP_SYS_NICE), + MAKE_CAP(CAP_SYS_RESOURCE...

...the LAN workgroup and has windows clients today (something I had hoped to change) Client installed through shared folder TeleVantage/netsetup/client.exe winetricks mdac28 (ADODB.Connection.2.8 {00000514-0000-0010-8000-00AA006D2EA4}) sudo apt-get install libcap2-bin (installs setcap) sudo setcap cap_net_raw+epi /usr/bin/wine-preloader When I enter the IP of the server and user info at Log On, I get the message "Could not connect to the server on <IP>. Server components are not installed." When SERVERNAME is used I get "Could not connect to the database on <SERVERNAME>. Plea...

This patchset applies to klibc mainline. As is it will probably collide with Maximilian's recent patch to rename run-init to switch_root posted last week. To boot an untrusted environment with certain capabilities locked out, we'd like to be able to drop the capabilities up front from early userspace, before we actually transition onto the root volume. This patchset implements this by

Hi there, I'm trying to run Lite Manager on Ubuntu 11.10 using Wine 1.3, but all I get is a "program encountered a serious problem" screen. Any chance that someone could help me with this? :/