Stop requiring CAP_NET_ADMIN

Since the following commit in the Linux kernel tree

  0fdc100bdc4b ethtool: allow non-netadmin to query settings

it is no longer necessary to have the CAP_NET_ADMIN capability to query
a device speed using ioctl(..., SIOCETHTOOL) in conjunction with the
ETHTOOL_GSET ethtool command.

The mentioned commit landed first in the 2.6.37 version of the Kernel.
This version is no longer maintained nowadays.

Since it is not necessary anymore, it is strongly preferred from a
security standpoint to drop the CAP_NET_ADMIN capability from the
binary.

Signed-off-by: Olivier Gayot <olivier.gayot@sigexec.com>
Olivier Gayot 2018-06-20 18:09:41 +02:00
parent 4d3344ab9c
commit 03c8908ec6
5 changed files with 2 additions and 9 deletions


@ -116,8 +116,6 @@ install:
install -m 755 -d $(DESTDIR)$(SYSCONFDIR) install -m 755 -d $(DESTDIR)$(SYSCONFDIR)
install -m 755 -d $(DESTDIR)$(MANPREFIX)/share/man/man1 install -m 755 -d $(DESTDIR)$(MANPREFIX)/share/man/man1
install -m 755 i3status $(DESTDIR)$(PREFIX)/bin/i3status install -m 755 i3status $(DESTDIR)$(PREFIX)/bin/i3status
# Allow network configuration for getting the link speed
(which setcap && setcap cap_net_admin=ep $(DESTDIR)$(PREFIX)/bin/i3status) || true
install -m 644 i3status.conf $(DESTDIR)$(SYSCONFDIR)/i3status.conf install -m 644 i3status.conf $(DESTDIR)$(SYSCONFDIR)/i3status.conf
install -m 644 man/i3status.1 $(DESTDIR)$(MANPREFIX)/share/man/man1 install -m 644 man/i3status.1 $(DESTDIR)$(MANPREFIX)/share/man/man1
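Review bot: with the `(which setcap && setcap cap_net_admin=ep ...) || true` step gone, this Makefile hunk now implicitly assumes a kernel of at least 2.6.37 (the version the commit message names), and nothing in the install target or README says so any more; a one-line comment here, or in the README dependency list, stating that minimum would tell packagers building for older kernels why %speed can stop working. It is also worth noting in the commit message that because `install -m 755 i3status $(DESTDIR)$(PREFIX)/bin/i3status` writes a fresh file, upgrading over a previous install leaves the new binary without the previously granted capability, which is exactly the intended outcome.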


@ -16,13 +16,12 @@ i3status has the following dependencies:
* libyajl-dev * libyajl-dev
* libasound2-dev * libasound2-dev
* libnl-genl-3-dev * libnl-genl-3-dev
* libcap2-bin (for getting network status without root permissions)
* asciidoc (only for the documentation) * asciidoc (only for the documentation)
* libpulse-dev (for getting the current volume using PulseAudio) * libpulse-dev (for getting the current volume using PulseAudio)
On debian-based systems, the following line will install all requirements: On debian-based systems, the following line will install all requirements:
```bash ```bash
apt-get install libconfuse-dev libyajl-dev libasound2-dev libiw-dev asciidoc libcap2-bin libpulse-dev libnl-genl-3-dev apt-get install libconfuse-dev libyajl-dev libasound2-dev libiw-dev asciidoc libpulse-dev libnl-genl-3-dev
``` ```
## Upstream ## Upstream
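Review bot: dropping `libcap2-bin` from both the bullet list and the `apt-get install` line is consistent, but the parenthetical that went with it ("for getting network status without root permissions") was the only place the README told users that link speed used to need extra privilege. Suggest replacing it with a short dependency note such as "Linux 2.6.37 or newer (link speed is read without special privileges)" so the requirement stays visible to anyone reading the README rather than the git history.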


@ -26,7 +26,6 @@ wireless _first_ {
} }
ethernet _first_ { ethernet _first_ {
# if you use %speed, i3status requires root privileges
format_up = "E: %ip (%speed)" format_up = "E: %ip (%speed)"
format_down = "E: down" format_down = "E: down"
} }
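Review bot: removing `# if you use %speed, i3status requires root privileges` is correct, and it also fixes an inconsistency, since this sample config said "root privileges" while the man page hunk below said "the cap_net_admin capability"; the two are now aligned by both saying nothing. No further change needed in this hunk.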


@ -66,7 +66,6 @@ wireless wlan0 {
} }
ethernet eth0 { ethernet eth0 {
# if you use %speed, i3status requires the cap_net_admin capability
format_up = "E: %ip (%speed)" format_up = "E: %ip (%speed)"
format_down = "E: down" format_down = "E: down"
} }
@ -315,8 +314,7 @@ network interface found on the system (excluding devices starting with "lo").
Gets the IP address and (if possible) the link speed of the given ethernet Gets the IP address and (if possible) the link speed of the given ethernet
interface. If no IPv4 address is available and an IPv6 address is, it will be interface. If no IPv4 address is available and an IPv6 address is, it will be
displayed. Getting the link speed requires the cap_net_admin capability. displayed.
Set it using +setcap cap_net_admin=ep $(which i3status)+.
The special interface name `_first_` will be replaced by the first non-wireless The special interface name `_first_` will be replaced by the first non-wireless
network interface found on the system (excluding devices starting with "lo"). network interface found on the system (excluding devices starting with "lo").
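Review bot: after deleting "Getting the link speed requires the cap_net_admin capability. Set it using +setcap cap_net_admin=ep $(which i3status)+.", the surviving "(if possible)" in "Gets the IP address and (if possible) the link speed" leaves the reader with no stated reason why the speed might be unavailable. Suggest replacing the deleted sentence rather than dropping it, e.g. "Getting the link speed requires Linux 2.6.37 or newer; on older kernels it is only available with the cap_net_admin capability.", which keeps the man page accurate for both cases described in the commit message.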


@ -33,7 +33,6 @@
static int print_eth_speed(char *outwalk, const char *interface) { static int print_eth_speed(char *outwalk, const char *interface) {
#if defined(LINUX) #if defined(LINUX)
/* This code path requires root privileges */
int ethspeed = 0; int ethspeed = 0;
struct ifreq ifr; struct ifreq ifr;
struct ethtool_cmd ecmd; struct ethtool_cmd ecmd;
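Review bot: the deleted `/* This code path requires root privileges */` comment was the only in-code explanation of why the ETHTOOL_GSET ioctl could fail with EPERM, and that failure is still possible on kernels older than 2.6.37 or where the capability was never granted. Since the error handling for the ioctl is outside this hunk, please confirm %speed still degrades gracefully in that case, and consider a replacement comment referencing kernel commit 0fdc100bdc4b ("ethtool: allow non-netadmin to query settings") so the next reader knows why no capability check is needed here.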