?
Solved

Can I use libpcap without root privileges?

Posted on 2009-02-19
5
Medium Priority
?
2,933 Views
Last Modified: 2013-12-16
We have created an application which sniffs packets from the network. It runs through Java Web Start and uses libjpcap which in turn uses libpcap. This application is being run on Ubuntu 8.10.

The challenge is, when we run the application using root privileges (such as by using sudo), then it works fine and lists the network cards also. However, when we use it as an unprivileged user, then it doesn't display network card information and thus does no sniffing as well.

Wireshark also behaves in the same manner and and it is specifically mentioned in Wireshark's documentation to sniff the packets through root only. However, it would not be possible to make all users run as root in our environment.

Is there any way we can use non-root privileges to do sniffing? Maybe through
 * suid?
 * allowing full network card access to a group?
 * any other packet capturing library which allows this? We need to use it through java only.

We did "ifconfig eth0 promisc" but it doesn't help.
0
Comment
Question by:vcustomerindia
  • 2
  • 2
5 Comments
 
LVL 29

Expert Comment

by:fosiul01
ID: 23690006
why are u not using user in sudo file list and give him access to run that command

http://linux.about.com/od/commands/l/blcmdl5_sudoers.htm

editi visudo file

add the user and allow the user for that comand with full binary path
0
 

Author Comment

by:vcustomerindia
ID: 23690062
That doesn't solve the purpose. We are calling specific libraries - libjpcap.so from /usr/lib and there's no command being executed.

What I've learnt about sudo is that through sudo you can grant privileges to particular commands. However here we're not using any particular command. Also, we're executing it through java web start and that is through Firefox. So, to enable it we use "sudo firefox" and then it works fine. But for all users it would need to be specially done which we don't want. We just want them to call a URL from whatever browser and they should be able to do it.

I tried giving suid privileges to Sun Java's javaws application but it doesn't execute with suid privileges.
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 23690385
so you saing, by putting that user in sudo file , it will not work , even to give him all right with

ALL commmand ??
0
 
LVL 27

Expert Comment

by:Nopius
ID: 23691073
> Is there any way we can use non-root privileges to do sniffing?
Impossible, until you run it as root (possibly with sudo).

http://www.programmersheaven.com/mb/java_beginners/369515/369515/how-to-get-root-access/?S=B20000
http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1235131597788+28353475&threadId=861877
--[quote]--
"having a look at J2SE SDK release notes, I found:
"Running Java with setuid or setgid
Java requires dynamic loading (SHLIB_PATH, LD_LIBRARY_PATH) which are disabled in setuid or setgid executables. Therefore Java cannot run with setuid or setgid."

=> I understand that having it working until now with the setuid bit was more an unexpected situation!!!

I have installed and configured sudo on my server as a way to replace the use of setuid.?
"
--[quote]--
0
 

Accepted Solution

by:
vcustomerindia earned 0 total points
ID: 23792708
@fosiul01:The ALL command would require the user executing the application through sudo. Our app is being executed through java web start from within a browser. So the browser would need to be executed through sudo/gksudo firefox - and this already works as I'd mentioned earlier.

As Nopius confirmed, we cannot do packet capturing without using sudo. So here's what we are contemplating to do

1. In sudo we allow access to /etc/alternatives/javaws for all users without entering a password.
2. Replace /usr/bin/javaws with a shell script which has
#!/bin/bash
gksudo "/etc/alternatives/javaws $1 $2 $3 $4 $5 $6 $7 $8 $9"

and make the script executable. So all java web start apps launching from within a browser would have the reqd privileges, thus solving our problem.
0

Featured Post

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension . This reminded me of questions that come up here at EE along the lines of, "How can I tell the type of file from its cont…
Virtualization software lets you run different versions of Windows, Ubuntu Linux and other versions of Linux all at the same time, rather than running each one directly from your computer's hard drive.
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Suggested Courses

600 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question