Displaying 19 results from an estimated 19 matches for "cap_net_raw".

2023 Aug 29
1
[PATCH v3 0/3] vduse: add support for networking devices
...to the stack? I thought VDUSE is vDPA in user space, >>> meaning to get to the kernel the packet has to first go thru >>> a virtio-net instance. >> >> yes. is that a sufficient filter in your opinion? > > Yes, the ability to create the device feels stronger than CAP_NET_RAW, > and a bit tangential to CAP_NET_ADMIN. But I don't have much practical > experience with virt so no strong opinion, perhaps it does make sense > for someone's deployment? Dunno.. > I'm not sure CAP_NET_ADMIN should be required for creating the VDUSE devices, as the devi...
2023 Aug 29
1
[PATCH v3 0/3] vduse: add support for networking devices
...to the stack? I thought VDUSE is vDPA in user space, >>> meaning to get to the kernel the packet has to first go thru >>> a virtio-net instance. >> >> yes. is that a sufficient filter in your opinion? > > Yes, the ability to create the device feels stronger than CAP_NET_RAW, > and a bit tangential to CAP_NET_ADMIN. But I don't have much practical > experience with virt so no strong opinion, perhaps it does make sense > for someone's deployment? Dunno.. > I'm not sure CAP_NET_ADMIN should be required for creating the VDUSE devices, as the devi...
2023 Aug 29
1
[PATCH v3 0/3] vduse: add support for networking devices
...in user space, > > > > meaning to get to the kernel the packet has to first go thru > > > > a virtio-net instance. > > > > > > yes. is that a sufficient filter in your opinion? > > > > Yes, the ability to create the device feels stronger than CAP_NET_RAW, > > and a bit tangential to CAP_NET_ADMIN. But I don't have much practical > > experience with virt so no strong opinion, perhaps it does make sense > > for someone's deployment? Dunno.. > > > > I'm not sure CAP_NET_ADMIN should be required for creating...
2023 Aug 30
1
[PATCH v3 0/3] vduse: add support for networking devices
...pace, >>>>> meaning to get to the kernel the packet has to first go thru >>>>> a virtio-net instance. >>>> >>>> yes. is that a sufficient filter in your opinion? >>> >>> Yes, the ability to create the device feels stronger than CAP_NET_RAW, >>> and a bit tangential to CAP_NET_ADMIN. But I don't have much practical >>> experience with virt so no strong opinion, perhaps it does make sense >>> for someone's deployment? Dunno.. >>> >> >> I'm not sure CAP_NET_ADMIN should be requ...
2014 Feb 27
2
Re: [libvirt] LXC, user namespaces and systemd
...888(foo1)). Mapping looks proper. Why use uidmapshift? It still performs chown. Could you explain more? > some tools may not work, because of the missing file capabilities. > chown removes all file capabilities! try ping as user inside the > container. (missing file cap cap_net_admin,cap_net_raw) # getcap /usr/bin/ping # ping localhost PING localhost (127.0.0.1) 56(84) bytes of data. 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.077 ms 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.066 ms ^C --- localhost ping statistics --- 2 packets transmitted, 2 received...
2019 Apr 10
1
WINE on CentOS 7
Hi All - I have wine installed from EPEL on CentOS 7. My .exe is running except I don't seem to have network? So I tried a ping command. wine ping 192.168.1.1 0009:err:winediag:IcmpCreateFile Failed to use ICMP (network ping), this requires special permissions. Pinging 192.168.1.1 [192.168.1.1] with 32 bytes of data: PING: transmit failed. General failure.
2015 Jul 31
1
[Bug 11422] New: Feature request: add support for Linux libcap[-ng]
...wayned at samba.org Reporter: rsync at sanitarium.net QA Contact: rsync-qa at samba.org Linux has added a concept called file capabilities. This allows certain binaries to perform specific privileged functions without requiring SUID root. Example: # getcap /bin/ping /bin/ping = cap_net_raw+ep Rsync should be able to (optionally of course) copy these attributes as it can copy xattrs and ACLs. They should also be storable via --fake-super on non-Linux systems. -- You are receiving this mail because: You are the QA Contact for the bug.
2008 Feb 20
0
No subject
...rts updated under uid updated and gid updated > with CAP_SYS_ADMIN raised in the Effective set. > > sucap updated updated execcap 'cap_sys_admin=eip' update > Or if your kernel has support of file capabilities create a version of wine with a little more permissions. setfcaps -c cap_net_raw=p -e /bin/ping There has been no reason to run wine on Linux as root since late 2.2 linux kernels and early 2.4 linux kernels. Personally I really do wish that a bail out patch would get added to wine for all Linux systems. Even running services there is no reason for wine to be root.
2008 Sep 12
2
Windows SNMP Probe via Wine
Hi all, I have read through just about every relevant post on this site and I also experimented a bit and I'm looking for your opinion on a solution I have come up with. I am attempting to connect a Linux web server to a monitoring package. This package (absolutely) requires a Windows based probe on the same network as the Linux server. The probe itself uses SNMP, Ping, and Telnet to talk
2014 Feb 26
0
Re: [libvirt] LXC, user namespaces and systemd
..."shift" the uids for the container 0 -> 666, 1 -> 667, 2 -> 668. there is a tool for this: uidmapshift some tools may not work, because of the missing file capabilities. chown removes all file capabilities! try ping as user inside the container. (missing file cap cap_net_admin,cap_net_raw) /stephan -- Software is like sex, it's better when it's free!
2011 Jul 15
1
[PATCH 2/2] x86: Allow disabling of sys_iopl, sys_ioperm
...ss-local), I'd like for my init setup to drop certain bits from the bounding set early on during bootup. I'm thinking of adding the following linux command line flag: capbset_drop=<comma separated list of capabilities> example: capbset_drop=CAP_SYS_RAWIO capbset_drop=CAP_SYS_RAWIO,CAP_NET_RAW I'm thinking that this option would drop the listed capabilities from the bounding set, as well as init's permitted, effective and inherited masks. I'd probably want to eventually also provide a way to set the securebits (they seem to operate in the same way?), though for now I'd...
2014 Feb 27
0
Re: [libvirt] LXC, user namespaces and systemd
...----- 1 100000 100999 1679 18. Feb 13:56 etc/ssh/ssh_host_rsa_key and as before from the inside >> some tools may not work, because of the missing file capabilities. >> chown removes all file capabilities! try ping as user inside the >> container. (missing file cap cap_net_admin,cap_net_raw) > > # getcap /usr/bin/ping > # ping localhost > PING localhost (127.0.0.1) 56(84) bytes of data. > 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.077 ms > 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.066 ms > ^C > --- localhost ping statistic...
2016 Feb 24
4
IPtables block user from outbound ICMP
Hello, Is it possible at all to block all users other than root from sending outbound ICMP packets on an interface? At the moment we have the following two rules in our IPtables config: iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT iptables -A OUTPUT -o eth1 -j DROP But this still allows ICMP for some reason (but *does* block other TCP/UDP packets, which is what we want, as well
2016 Jul 22
2
Call for testing: OpenSSH 7.3
On Fri, Jul 22, 2016 at 10:18 PM, Corinna Vinschen <vinschen at redhat.com> wrote: [...] > Hmm. If that only affects Cygwin, and if defines.h is not synced anyway, > what about getting rid of the configure stuff entirely? > > Tested counterproposal: Looks reasonable. It's late here so I'm going to look at it tomorrow. > As for the comment preceding the definition,
2014 Feb 26
6
[libvirt] LXC, user namespaces and systemd
Hi! My colleagues from Samsung and I are trying to run systemd in a Linux container. I saw that others are experimenting in this topic, so I would like to present the results of my work and tests; perhaps it will be helpful to others. As the prototype I used a manual written by Daniel: https://www.berrange.com/posts/2013/08/12/running-a-full-fedora-os-inside-a-libvirt-lxc-guest/ After many
2011 Aug 03
1
[PATCH v2] kinit: Add drop_capabilities support.
...AP_DAC_READ_SEARCH), + MAKE_CAP(CAP_FOWNER), + MAKE_CAP(CAP_FSETID), + MAKE_CAP(CAP_KILL), + MAKE_CAP(CAP_SETGID), + MAKE_CAP(CAP_SETUID), + MAKE_CAP(CAP_SETPCAP), + MAKE_CAP(CAP_LINUX_IMMUTABLE), + MAKE_CAP(CAP_NET_BIND_SERVICE), + MAKE_CAP(CAP_NET_BROADCAST), + MAKE_CAP(CAP_NET_ADMIN), + MAKE_CAP(CAP_NET_RAW), + MAKE_CAP(CAP_IPC_LOCK), + MAKE_CAP(CAP_IPC_OWNER), + MAKE_CAP(CAP_SYS_MODULE), + MAKE_CAP(CAP_SYS_RAWIO), + MAKE_CAP(CAP_SYS_CHROOT), + MAKE_CAP(CAP_SYS_PTRACE), + MAKE_CAP(CAP_SYS_PACCT), + MAKE_CAP(CAP_SYS_ADMIN), + MAKE_CAP(CAP_SYS_BOOT), + MAKE_CAP(CAP_SYS_NICE), + MAKE_CAP(CAP_SYS_RESOURCE...
2010 Dec 10
1
TeleVantage Client 8
...the LAN workgroup and has windows clients today (something I had hoped to change) Client installed through shared folder TeleVantage/netsetup/client.exe winetricks mdac28 (ADODB.Connection.2.8 {00000514-0000-0010-8000-00AA006D2EA4}) sudo apt-get install libcap2-bin (installs setcap) sudo setcap cap_net_raw+epi /usr/bin/wine-preloader When I enter the IP of the server and user info at Log On, I get the message "Could not connect to the server on <IP>. Server components are not installed." When SERVERNAME is used I get "Could not connect to the database on <SERVERNAME>. Plea...
2011 Jul 19
4
[PATCH v1 0/2] Support dropping of capabilities from early userspace.
This patchset applies to klibc mainline. As is it will probably collide with Maximilian's recent patch to rename run-init to switch_root posted last week. To boot an untrusted environment with certain capabilities locked out, we'd like to be able to drop the capabilities up front from early userspace, before we actually transition onto the root volume. This patchset implements this by
2012 Mar 26
7
Lite Manager
Hi there, I'm trying to run Lite Manager on Ubuntu 11.10 using Wine 1.3, but all I get is a "program encountered a serious problem" screen. Any chance that someone could help me with this? :/