Antonin Décimo

Reputation: 527

CAP_NET_ADMIN equivalent for *BSD

I'm contributing to a routing daemon, and investigating security measures. The daemon, when running, talks to the kernel and installs routes. On Linux, as a good practice, if the daemon is launched as root (and properly configured) it will quickly drop privileges and switch to an unprivileged user/group, but retain the CAP_NET_ADMIN capability.

I'm looking for a similar mechanism to use on popular BSDs (FreeBSD, OpenBSD, macOS).

It seems that Mandatory Access Control at least on FreeBSD could be the way to go; but I'm not sure. I'd appreciate pointers to code or documentation.

Thanks!

Upvotes: 0

Views: 386

Answers (1)

Greg A. Woods

Reputation: 2792

In NetBSD (by default), and I believe also in OpenBSD, the process making a request via the routing socket to either add or delete a route from the routing table(s) (or indeed to anything but get a route) must have an effective user-ID of zero (i.e. be "root"). I.e. the process cannot drop privileges after opening the routing socket and still modify the routing table(s) -- the privileges are checked at the time the routing request message is processed, not at the time the routing socket is first opened.

In NetBSD it would be possible to install a new security model in the kernel which could change this rule, but I don't know of one designed to do this specifically for routing tables. (OpenBSD does not use the NetBSD kauth subsystem.)

Upvotes: 1
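The Linux behaviour the question describes (start as root, switch to an unprivileged user/group, keep only CAP_NET_ADMIN) looks like this in C. This is an added example, not code from the daemon or from either poster; the function names and the uid/gid 65534 are assumptions, and it calls capset(2) directly instead of using libcap.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Build a capability set holding CAP_NET_ADMIN only (inheritable stays empty). */
static void net_admin_only(struct __user_cap_data_struct d[2])
{
    memset(d, 0, 2 * sizeof d[0]);
    d[CAP_TO_INDEX(CAP_NET_ADMIN)].permitted = CAP_TO_MASK(CAP_NET_ADMIN);
    d[CAP_TO_INDEX(CAP_NET_ADMIN)].effective = CAP_TO_MASK(CAP_NET_ADMIN);
}

/* Returns 0 on success, -1 on failure; a daemon should exit on failure. */
int drop_to_user_keep_net_admin(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];

    if (geteuid() != 0 || uid == 0 || gid == 0)
        return -1;
    /* Keep the permitted set across the UID change (effective is still cleared). */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
        return -1;
    /* Order matters: groups, then GID, then UID, while we may still change them. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Shrink permitted to CAP_NET_ADMIN and raise it again in effective. */
    net_admin_only(d);
    if (syscall(SYS_capset, &h, d) != 0)
        return -1;
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    /* Check the drop is irreversible: regaining root must fail. */
    return setuid(0) == 0 ? -1 : 0;
}

int main(void)
{
    /* 65534 is an assumed "nobody" uid/gid; look up the daemon's own account. */
    if (drop_to_user_keep_net_admin(65534, 65534) != 0) {
        fprintf(stderr, "privilege drop failed (not started as root?)\n");
        return 1;
    }
    /* From here the process is unprivileged except for CAP_NET_ADMIN. */
    return 0;
}
```
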
