From 03c8908ec6429a67c3a8f480f1002788ff155bfb Mon Sep 17 00:00:00 2001
From: Olivier Gayot
Date: Wed, 20 Jun 2018 18:09:41 +0200
Subject: [PATCH] Stop requiring CAP_NET_ADMIN
Since the following commit in the Linux kernel tree 0fdc100bdc4b ethtool: allow non-netadmin to query settings it is no longer necessary to have the CAP_NET_ADMIN capability to query a device speed using ioctl(..., SIOCETHTOOL) in conjonction with the ETHTOOL_GSET ethtool command. The mentioned commit landed first in the 2.6.37 version of the Kernel. This version is no longer maintained nowdays. Since it is not necessary anymore, it is strongly prefered from a security standpoint to drop the CAP_NET_ADMIN capability from the binary.
Signed-off-by: Olivier Gayot
---
 Makefile | 2 --
 README.md | 3 +--
 i3status.conf | 1 -
 man/i3status.man | 4 +---
 src/print_eth_info.c | 1 -
 5 files changed, 2 insertions(+), 9 deletions(-)
diff --git a/Makefile b/Makefile
index 5ec5871..c5427b9 100644
--- a/Makefile
+++ b/Makefile
@@ -116,8 +116,6 @@ install:
 install -m 755 -d $(DESTDIR)$(SYSCONFDIR)
 install -m 755 -d $(DESTDIR)$(MANPREFIX)/share/man/man1
 install -m 755 i3status $(DESTDIR)$(PREFIX)/bin/i3status
- # Allow network configuration for getting the link speed
- (which setcap && setcap cap_net_admin=ep $(DESTDIR)$(PREFIX)/bin/i3status) || true
 install -m 644 i3status.conf $(DESTDIR)$(SYSCONFDIR)/i3status.conf
 install -m 644 man/i3status.1 $(DESTDIR)$(MANPREFIX)/share/man/man1
diff --git a/README.md b/README.md
index 75704ea..084f373 100644
--- a/README.md
+++ b/README.md
@@ -16,13 +16,12 @@ i3status has the following dependencies:
 * libyajl-dev
 * libasound2-dev
 * libnl-genl-3-dev
- * libcap2-bin (for getting network status without root permissions)
 * asciidoc (only for the documentation)
 * libpulse-dev (for getting the current volume using PulseAudio)
 On debian-based systems, the following line will install all requirements:
 ```bash
-apt-get install libconfuse-dev libyajl-dev libasound2-dev libiw-dev asciidoc libcap2-bin libpulse-dev libnl-genl-3-dev
+apt-get install libconfuse-dev libyajl-dev libasound2-dev libiw-dev asciidoc libpulse-dev libnl-genl-3-dev
 ```
 ## Upstream
diff --git a/i3status.conf b/i3status.conf
index 07ffb74..6ac43cb 100644
--- a/i3status.conf
+++ b/i3status.conf
@@ -26,7 +26,6 @@ wireless _first_ {
 }
 ethernet _first_ {
- # if you use %speed, i3status requires root privileges
 format_up = "E: %ip (%speed)"
 format_down = "E: down"
 }
diff --git a/man/i3status.man b/man/i3status.man
index 31f25ad..fecd079 100644
--- a/man/i3status.man
+++ b/man/i3status.man
@@ -66,7 +66,6 @@ wireless wlan0 {
 }
 ethernet eth0 {
- # if you use %speed, i3status requires the cap_net_admin capability
 format_up = "E: %ip (%speed)"
 format_down = "E: down"
 }
@@ -315,8 +314,7 @@ network interface found on the system (excluding devices starting with "lo").
 Gets the IP address and (if possible) the link speed of the given ethernet interface. If no IPv4 address is available and an IPv6 address is, it will be
-displayed. Getting the link speed requires the cap_net_admin capability.
-Set it using +setcap cap_net_admin=ep $(which i3status)+.
+displayed.
 The special interface name `_first_` will be replaced by the first non-wireless network interface found on the system (excluding devices starting with "lo").
diff --git a/src/print_eth_info.c b/src/print_eth_info.c
index b30d2b0..996ce3b 100644
--- a/src/print_eth_info.c
+++ b/src/print_eth_info.c
@@ -33,7 +33,6 @@ static int print_eth_speed(char *outwalk, const char *interface) {
 #if defined(LINUX)
- /* This code path requires root privileges */
 int ethspeed = 0;
 struct ifreq ifr;
 struct ethtool_cmd ecmd;