Community Packages

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#30000 - [conntrack-tools] allow no root users execute conntrack-tools

Attached to Project: Community Packages
Opened by Ivan Lyapunov (dront78) - Thursday, 24 May 2012, 11:07 GMT
Last edited by Sébastien Luttringer (seblu) - Sunday, 24 June 2012, 13:53 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To Sébastien Luttringer (seblu)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


with currently installed conntrack-tool I should only use a sudo to get something like
conntrack -L -p tcp --dport=80

without sudo I got
conntrack v1.0.1 (conntrack-tools): Operation failed: sorry, you must be root or get CAP_NET_ADMIN capability to do this

however I can use wireshark since I'm in wireshark group and also in 100(users), 10(wheel) and 90(network) groups
getcap /usr/bin/dumpcap says
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
but nothing in conntrack

so since it's a
"Userspace tools to interact with the Netfilter connection tracking system"
it would be great to allow users with limited (wheel group?) privileges to use a conntrack tools without root requirements
This task depends upon

Closed by  Sébastien Luttringer (seblu)
Sunday, 24 June 2012, 13:53 GMT
Reason for closing:  Won't implement
Comment by Jason William Walton (jasonww) - Thursday, 24 May 2012, 18:10 GMT
Do it yourself - Wireshark is different for security reasons, not convenience. (Exact setup also recommended by upstream.)

Don't be lazy :)
Comment by Ivan Lyapunov (dront78) - Thursday, 24 May 2012, 19:17 GMT
Convenience costs money in a world. It's not a problem to type a "sudo", but it's good to do a job without a root console open for everyone.
However it's my choice I provide as a feature request, not a lazyness ;)
Comment by Sébastien Luttringer (seblu) - Friday, 25 May 2012, 12:44 GMT
dumpcap have a dedicated group (wireshark) where admin must add users allowed to sniff network traffic. Is fully in the philosophy of capabilities.

Following, it make sense to allow users of group network to use conntrack-tools without full admin cap.

However, to be consistent, there are a lot of network programs that might be affected by this wish: iptables, ebtables, arptables, ferm, ipvsadm, iptstate, vlan...
For most of them it's not easy to know which caps are needed and it's a big work which should be discussed with others dev/tus.
Comment by Ivan Lyapunov (dront78) - Friday, 25 May 2012, 16:11 GMT
> it's a big work which should be discussed with others dev/tus.
I can take some part for Arch be more enterprise, as I think it's good deal and my expirience is enough for this.
However first I need a help little bit - at least a packages list ;)