
I have code that calls functions that require CAP_NET_ADMIN capabilities. If I build my code and run the binary as-is, I get an "RTNETLINK answers: Operation not permitted" error. If I sudo run it, then it runs without the error. Can I change the namespace so that my binary has the appropriate capability to run? If so, how?

user1118764
  • C has [3 + n (inside struct and unions) name spaces](http://port70.net/~nsz/c/c11/n1570.html#6.2.3). – pmg Jul 10 '17 at 10:09
  • @pmg Yeah, term "namespace" in a question about C is confusing. According to the associated tags, I believe the OP is about [Linux namespaces](https://en.wikipedia.org/wiki/Linux_namespaces). – Scheff's Cat Jul 10 '17 at 10:49
  • Why not use the filesystem capabilities instead? Run `sudo chgrp somegroup yourbinary` to change the group of `yourbinary` to the group of users who are allowed to execute it (with CAP_NET_ADMIN capabilities), then `sudo chmod u=rwx,g=rx,o= yourbinary` to only allow execution by the owner user and the group, and finally `sudo setcap 'cap_net_admin=pe' yourbinary` to assign the (permitted and effective) CAP_NET_ADMIN capability to `yourbinary`. Any user in the `somegroup` group can then run `yourbinary` with CAP_NET_ADMIN effective capability. – Nominal Animal Jul 10 '17 at 10:56
  • Is there any way to obtain the capability without root access? – user1118764 Jul 10 '17 at 12:54
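
An added example, not part of the question or any comment above: a start-up check a C program can run to confirm that CAP_NET_ADMIN is actually in its effective set (for instance after the `setcap` step described in the comments) before it issues netlink requests. It reads the `CapEff` mask from `/proc/self/status`; the function names are illustrative.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_ADMIN_BIT 12 /* value of CAP_NET_ADMIN in <linux/capability.h> */

/* Parse one line of /proc/<pid>/status. Returns 1 and stores the hex mask
 * if the line is a well-formed "CapEff:" entry, 0 otherwise. */
int parse_capeff_line(const char *line, unsigned long long *mask)
{
    static const char key[] = "CapEff:";
    char *end;

    if (strncmp(line, key, sizeof key - 1) != 0)
        return 0;
    line += sizeof key - 1;
    errno = 0;
    *mask = strtoull(line, &end, 16); /* skips the tab after the key */
    return errno == 0 && end != line;
}

/* 1 if capability number `cap` is set in `mask`, else 0. */
int mask_has_cap(unsigned long long mask, int cap)
{
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1ULL);
}

/* 1 if CAP_NET_ADMIN is effective, 0 if not, -1 if the mask is unreadable. */
int have_net_admin(const char *status_path)
{
    char line[256];
    unsigned long long mask;
    int found = -1;
    FILE *f = fopen(status_path, "r");

    if (!f)
        return -1;
    while (found < 0 && fgets(line, sizeof line, f))
        if (parse_capeff_line(line, &mask))
            found = mask_has_cap(mask, CAP_NET_ADMIN_BIT);
    fclose(f);
    return found;
}

int main(void)
{
    int r = have_net_admin("/proc/self/status");
    if (r < 0) { fprintf(stderr, "cannot read CapEff\n"); return 2; }
    puts(r ? "CAP_NET_ADMIN effective" : "CAP_NET_ADMIN missing: expect EPERM");
    return r ? 0 : 1;
}
```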

0 Answers