[PATCH] traceroute: delete the verification of root user

[Nadav Tasher]

On Sat, Mar 01, 2025 at 12:11:57PM -0300, Henrique de Moraes Holschuh wrote:
> On 01/03/2025 09:38, tito wrote:
> > couldn't you check if the capability is available?
> 
> Why?  It is just as problematic as the euid() == 0 test.  One could be
> root without CAP_NET_RAW.  One could be non-root with CAP_NET_RAW.  One
> could be constrained by any other kernel-side policy...
> 
> Instead, I recommend that you don't assume you cannot (or can) send packets.
> 
> Try to open (and if you want/need to, connect()) the socket, and if that
> succeeds, try to send the packets.  Should you get EPERM or EACCES back
> on any of those syscalls, you report that you don't have permission to
> send RAW packets.
> 
> Maybe you will also need to cover more errors than just EPERM and
> EACCES, but the idea that "don't assume you cannot do it, try and report
> errors instead" still holds.
> 
> You could differentiate socket() and connect() as "cannot create raw
> socket", and send()/sendto()/write() as "cannot send raw packets", for
> better user experience.
> 
> Please remember to handle EPERM results as "permission denied": Linux
> can return EPERM for send()/sendto() due to local firewall rules in many
> cases.  socket() may return EPERM in several operating systems (maybe
> also Linux), etc.
> 
> 
> Suggestions:
> 
> (for EACESS, EPERM on socket(), connect()):
> "cannot open raw socket: permission denied.  You might need root or
> CAP_NET_RAW for this to work".
> 
> and
> 
> (for EPERM, EACCES on sendto()/send()/write()):
> "cannot send packet: permission denied.  You might need root or
> CAP_NET_RAW for this to work.  Also check local firewall rules"
> 
> 
> -- 
> Henrique de Moraes Holschuh
> _______________________________________________
> busybox mailing list
> busybox at busybox.net
> https://lists.busybox.net/mailman/listinfo/busybox
I agree with Henrique and Tito.

The kernel should check permissions, as it determines whether the call
will succeed.

Nadav