
I am (we are) using Python to create packets and capture the reply to test a network device. To give Python the capabilities, I have used:

sudo setcap cap_net_admin,cap_net_raw+eip /usr/bin/python2.7

When I check the capabilities the settings look ok:

getcap /usr/bin/python2.7
/usr/bin/python2.7 = cap_net_admin,cap_net_raw+eip

If I run my script I get the following error:

dumpcap: The capture session could not be initiated on interface 'eth2' (You don't have permission to capture on that device).
Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.

If I give dumpcap the capabilities directly via:

sudo setcap cap_net_admin,cap_net_raw=eip /usr/bin/dumpcap

This makes the script run, but it doesn't solve my problem of python not being able to use cap_net_admin.

Is there any way to check if my running Python process even receives the right capabilities? Or why python2.7 doesn't seem to inherit the capabilities on my system?

To be sure the right file/process is called, I used /usr/bin/python2.7 as the executable to call. The same Python code works for other people in my company. I am running Ubuntu 16.04. Greetings

John Doe
  • It sounds like your script is invoking `dumpcap` via an exec in the Python script, which means that it loses `cap_net_admin`, because capabilities do not cross `exec` by default – Anya Shenanigans Sep 21 '17 at 13:29

1 Answer


As pointed out by @Petesh, your script likely invokes subprocesses, which involves calling exec(), and the capabilities are not raised in the subprocess's effective set. You can work around this by leveraging ambient capabilities; these are available for kernel 4.3+, i.e. Ubuntu 16.04 is sufficient. Put simply, ambient capabilities are preserved across exec(), hence passed to subprocesses. To launch a process with ambient capabilities you can use the following utility: https://gist.github.com/tomix86/32394a43be70c337cbf1e0c0a56cbd8d

To inspect capability sets of a given process you can use

grep Cap /proc/[pid]/status

where CapEff is the effective capability set; to decode these hexadecimal strings you can use capsh.

tomix86
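As an added illustration of the check described in the answer above (this is example code, not part of the original question or answer, and not the linked gist): the script below decodes the Cap* lines of /proc/[pid]/status into capability names, reads the same lines from a child after fork()+exec() to show what a spawned dumpcap would actually see, and tries to raise cap_net_raw into the ambient set with prctl(2). It is written for Python 3 rather than the asker's 2.7. The CAP_NAMES table is transcribed from <linux/capability.h>, the prctl constants from <linux/prctl.h>; SAMPLE_STATUS is a constructed status excerpt mirroring the asker's setup (cap_net_admin and cap_net_raw permitted and effective, nothing inheritable or ambient).

```python
import ctypes
import os
import subprocess

# Capability bit numbers, index == bit, from <linux/capability.h>.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
CAP_NET_ADMIN = CAP_NAMES.index("cap_net_admin")  # bit 12
CAP_NET_RAW = CAP_NAMES.index("cap_net_raw")      # bit 13

# prctl(2) options for ambient capabilities (Linux >= 4.3), from <linux/prctl.h>.
PR_CAP_AMBIENT = 47
PR_CAP_AMBIENT_IS_SET = 1
PR_CAP_AMBIENT_RAISE = 2

# Constructed /proc/[pid]/status excerpt: what the asker's python2.7 process
# looks like after exec of a binary carrying cap_net_admin,cap_net_raw+eip.
SAMPLE_STATUS = (
    "Name:\tpython2.7\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000003000\n"
    "CapEff:\t0000000000003000\n"
    "CapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000000000\n"
)


def decode_caps(hex_mask):
    """Turn one CapXxx hex value from /proc/[pid]/status into capability names."""
    mask = int(hex_mask, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if mask & (1 << bit)]
    unknown = mask >> len(CAP_NAMES)  # bits newer than this table
    if unknown:
        names.append("unknown bits above %d: 0x%x" % (len(CAP_NAMES) - 1, unknown))
    return names


def parse_cap_lines(status_text):
    """Map CapInh/CapPrm/CapEff/CapBnd/CapAmb to decoded name lists."""
    sets = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            sets[key.strip()] = decode_caps(value.strip())
    return sets


def caps_of(pid="self"):
    """Decode the capability sets of a live process (Linux only)."""
    with open("/proc/%s/status" % pid) as f:
        return parse_cap_lines(f.read())


def child_caps():
    """Capability sets a child sees after fork()+exec(), i.e. what dumpcap gets."""
    out = subprocess.check_output(["cat", "/proc/self/status"])
    return parse_cap_lines(out.decode())


def raise_ambient(cap):
    """Add `cap` to the ambient set so it survives exec() into subprocesses.

    The kernel only permits this when `cap` is already in both the permitted
    and the inheritable set of the calling thread; with file caps of +eip the
    process inheritable set is normally still empty, so this raises EPERM
    until the caller first adds the capability to its inheritable set.
    """
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return libc.prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, cap, 0, 0) == 1


if __name__ == "__main__":
    print("sample parent  :", parse_cap_lines(SAMPLE_STATUS)["CapEff"])
    print("this process   :", caps_of()["CapEff"])
    print("after exec     :", child_caps()["CapEff"])
    try:
        raise_ambient(CAP_NET_RAW)
        print("ambient raised :", child_caps()["CapEff"])
    except OSError as e:
        print("could not raise ambient cap_net_raw:", e)
```

Run it under the capability-enabled interpreter; if "this process" lists cap_net_admin and cap_net_raw but "after exec" is empty, the interpreter received its file capabilities and the loss happens at exec(), which is exactly the failure mode the answer describes. The EPERM from raise_ambient shows why a helper that first populates the inheritable set is needed before ambient capabilities can be used.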