Problem:

when using function socket(AF_INET,SOCK_RAW,IPPROTO_TCP...) with setuid&chroot-ed fake root on Linux servers, it would always fail. However, the real root can work well. Usually the fake root can do most things that root login required.

After investigation, got following hints:

  • According to man page of SOCK_RAW(7), "Only processes with an effective user ID of 0 or the CAP_NET_RAW capability are allowed to open raw sockets".
  • According to capabilities(7) - Linux man page, "For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list)".

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

CAP_NET_RAW

Use RAW and PACKET sockets.

  • In raw socket access as normal user on linux 2.4, setuid is suggested, but it didn’t work.

Since we can't provide root login to all users, we must either find a way to let raw sockets work with setuid&chroot-ed login, or substitute raw sockets with other options.