FS#30000 - [conntrack-tools] allow non-root users to execute conntrack-tools

Attached to Project: Community Packages
Opened by Ivan Lyapunov (dront78) - Thursday, 24 May 2012, 11:07 GMT
Last edited by Sébastien Luttringer (seblu) - Sunday, 24 June 2012, 13:53 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To Sébastien Luttringer (seblu)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
with the currently installed conntrack-tools I have to use sudo to get something like
conntrack -L -p tcp --dport=80

without sudo I get
conntrack v1.0.1 (conntrack-tools): Operation failed: sorry, you must be root or get CAP_NET_ADMIN capability to do this

however I can use wireshark since I'm in the wireshark group and also in the 100(users), 10(wheel) and 90(network) groups
and
getcap /usr/bin/dumpcap says
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
but nothing for conntrack

so since it's
"Userspace tools to interact with the Netfilter connection tracking system"
it would be great to allow users with limited (wheel group?) privileges to use the conntrack tools without requiring root
This task depends upon

Closed by  Sébastien Luttringer (seblu)
Sunday, 24 June 2012, 13:53 GMT
Reason for closing:  Won't implement
Comment by Jason William Walton (jasonww) - Thursday, 24 May 2012, 18:10 GMT
Do it yourself - Wireshark is different for security reasons, not convenience. (Exact setup also recommended by upstream.)

Don't be lazy :)
Comment by Ivan Lyapunov (dront78) - Thursday, 24 May 2012, 19:17 GMT
Convenience costs money in this world. It's not a problem to type "sudo", but it's good to do a job without a root console open for everyone.
However it's my choice; I submit it as a feature request, not laziness ;)
Comment by Sébastien Luttringer (seblu) - Friday, 25 May 2012, 12:44 GMT
dumpcap has a dedicated group (wireshark) to which the admin must add the users allowed to sniff network traffic. This is fully in the philosophy of capabilities.

Following https://wiki.archlinux.org/index.php/Group, it makes sense to allow users of the network group to use conntrack-tools without full admin capabilities.

However, to be consistent, there are a lot of network programs that might be affected by this wish: iptables, ebtables, arptables, ferm, ipvsadm, iptstate, vlan...
For most of them it's not easy to know which caps are needed, and it's a big job which should be discussed with the other devs/TUs.
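The dumpcap-style setup described in the comment above, as an added example that is not part of the bug report, of conntrack-tools or of the Arch package: the binary gets a file capability and is made executable only by root and one group, and a small parser of getcap output checks whether a binary already carries the capability in its effective set. The function names (has_cap, grant_group_caps), the choice of the Arch "network" group and the sudoers alternative are assumptions of this example; setcap and getcap are the standard libcap tools.

```shell
#!/bin/sh
# Added example, not code from the bug report or from conntrack-tools.
# Mirrors the dumpcap setup from the thread: file capabilities on the binary
# plus a group restriction so only members of that group can run it.
# Assumed: libcap's getcap/setcap, Arch's "network" group, root for the setup.
set -eu

# has_cap GETCAP_LINE CAP
# Succeeds when CAP is listed in the getcap line with the effective (e) flag.
# Accepts both getcap output styles:
#   old libcap:  /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
#   new libcap:  /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip
# An empty line (getcap prints nothing for a binary without caps) fails.
has_cap() {
    line=$1
    cap=$2
    spec=${line#* = }          # old style: drop "path = "
    spec=${spec#* }            # new style: drop "path "; no-op for old style
    case $spec in
        *[+=]*) ;;             # must contain a flags separator
        *) return 1 ;;
    esac
    caps=${spec%%[+=]*}        # e.g. "cap_net_admin,cap_net_raw"
    flags=${spec##*[+=]}       # e.g. "eip"
    case ",$caps," in
        *",$cap,"*) ;;
        *) return 1 ;;
    esac
    case $flags in
        *e*) return 0 ;;
        *) return 1 ;;
    esac
}

# grant_group_caps BIN GROUP CAPS   (run as root)
# Restrict BIN to root and GROUP, then attach CAPS as permitted+effective file
# capabilities. The chmod is the important half: file capabilities alone would
# hand CAPS to every local user able to execute BIN. A package upgrade replaces
# the binary, so this has to be redone after each update of the package.
grant_group_caps() {
    bin=$1
    group=$2
    caps=$3
    chgrp "$group" "$bin"
    chmod 0750 "$bin"
    setcap "${caps}+ep" "$bin"
}

# Setup for the report's case (as root; conntrack's error message names
# CAP_NET_ADMIN as the capability it needs):
#   grant_group_caps /usr/bin/conntrack network cap_net_admin
#   getcap /usr/bin/conntrack
# Alternative with no file capabilities at all: a sudoers rule limited to the
# one command, e.g. in /etc/sudoers.d/conntrack:
#   %network ALL=(root) /usr/bin/conntrack

# Constructed sample input: the getcap line quoted in the report.
sample='/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip'
if has_cap "$sample" cap_net_admin; then
    echo "dumpcap: CAP_NET_ADMIN is in the effective set"
fi
# A binary without file capabilities: getcap prints nothing.
if ! has_cap '' cap_net_admin; then
    echo "conntrack: no file capabilities set"
fi
```

Note that a file capability on conntrack lets every member of the group inspect and, with conntrack -D/-F, delete connection-tracking entries for the whole host, which is the same trust decision an admin makes when adding a user to the wireshark group; the sudoers rule gives the same access with an audit trail in the sudo log.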
Comment by Ivan Lyapunov (dront78) - Friday, 25 May 2012, 16:11 GMT
> it's a big work which should be discussed with others dev/tus.
I can take part in making Arch more enterprise, as I think it's a good deal and my experience is enough for this.
However, first I need a little help - at least a package list ;)
