[PATCH] traceroute: delete the verification of root user

范星宇 isfanxy at 126.com
Sun Mar 2 15:37:09 UTC 2025


Thanks for your reply!


I have done a test as a non-root user running traceroute -s:
1. A busybox process without CAP_NET_RAW fails to open a new socket (xsocket, libbb/xfuncs_printf.c, EPERM).
2. A busybox process with CAP_NET_RAW succeeds in opening a new socket and then fails the root check.

It seems "traceroute -s" is available only to the root user.
I mean, is it possible for the kernel to decide whether traceroute succeeds, instead of busybox's own judgment?

Could you give any advice about the necessity of getuid() == 0 when using "traceroute -s"? Isn't the capability of the busybox process secure enough to avoid the root check?






---- Replied Message ----
| From | Henrique de Moraes Holschuh<henrique at nic.br> |
| Date | 3/1/2025 23:20 |
| To | <busybox at busybox.net> |
| Subject | Re: [PATCH] traceroute: delete the verification of root user |
On 01/03/2025 09:38, tito wrote:
couldn't you check if the capability is available?

Why?  It is just as problematic as the euid() == 0 test.  One could be
root without CAP_NET_RAW.  One could be non-root with CAP_NET_RAW.  One
could be constrained by any other kernel-side policy...

Instead, I recommend that you don't assume you cannot (or can) send packets.

Try to open (and if you want/need to, connect()) the socket, and if that
succeeds, try to send the packets.  Should you get EPERM or EACCES back
on any of those syscalls, you report that you don't have permission to
send RAW packets.

Maybe you will also need to cover more errors than just EPERM and
EACCES, but the idea that "don't assume you cannot do it, try and report
errors instead" still holds.

You could differentiate socket() and connect() as "cannot create raw
socket", and send()/sendto()/write() as "cannot send raw packets", for
better user experience.

Please remember to handle EPERM results as "permission denied": Linux
can return EPERM for send()/sendto() due to local firewall rules in many
cases.  socket() may return EPERM in several operating systems (maybe
also Linux), etc.


Suggestions:

(for EACCES, EPERM on socket(), connect()):
"cannot open raw socket: permission denied.  You might need root or
CAP_NET_RAW for this to work".

and

(for EPERM, EACCES on sendto()/send()/write()):
"cannot send packet: permission denied.  You might need root or
CAP_NET_RAW for this to work.  Also check local firewall rules"


--
Henrique de Moraes Holschuh
_______________________________________________
busybox mailing list
busybox at busybox.net
https://lists.busybox.net/mailman/listinfo/busybox
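
The try-and-report approach recommended in the quoted reply, as an added C example that is not part of the thread or of BusyBox's code. The names `raw_diag` and `try_raw_probe`, the loopback target, and the wording of the non-permission fallback messages are assumptions of this example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum stage { ST_SOCKET, ST_CONNECT, ST_SEND };   /* which syscall failed */

/* Map (failing syscall, errno) to the diagnostics suggested in the thread.
 * The non-permission fallback strings are this example's own wording. */
const char *raw_diag(enum stage st, int err)
{
    int denied = (err == EPERM || err == EACCES);
    if (st == ST_SEND)
        return denied ? "cannot send packet: permission denied. You might need root "
                        "or CAP_NET_RAW for this to work. Also check local firewall rules"
                      : "cannot send packet";
    return denied ? "cannot open raw socket: permission denied. You might need root "
                    "or CAP_NET_RAW for this to work"
                  : "cannot open raw socket";
}

/* No getuid()/capability pre-check: attempt each step and let the kernel decide.
 * Returns 0 on success; on failure returns -1, sets *st, and preserves errno. */
int try_raw_probe(const struct sockaddr_in *dst, enum stage *st)
{
    /* Constructed ICMP echo request: type 8, code 0, checksum 0xf7ff, id 0, seq 0 */
    static const unsigned char echo[8] = { 8, 0, 0xf7, 0xff, 0, 0, 0, 0 };
    int saved, fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);

    if (fd < 0) { *st = ST_SOCKET; return -1; }
    if (connect(fd, (const struct sockaddr *)dst, sizeof *dst) < 0) *st = ST_CONNECT;
    else if (send(fd, echo, sizeof echo, 0) < 0) *st = ST_SEND;
    else { close(fd); return 0; }
    saved = errno; close(fd); errno = saved;     /* close() must not clobber errno */
    return -1;
}

int main(void)
{
    struct sockaddr_in dst = { .sin_family = AF_INET };
    enum stage st;

    inet_pton(AF_INET, "127.0.0.1", &dst.sin_addr);   /* sample target: loopback */
    if (try_raw_probe(&dst, &st) < 0) {
        int err = errno;
        fprintf(stderr, "%s (%s)\n", raw_diag(st, err), strerror(err));
        return 1;
    }
    puts("raw probe sent");
    return 0;
}
```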