Linux setcap and changes made to the executable

Posted on

Problem :

A program that I am developing uses raw sockets. For security reasons to run a program that uses raw sockets, the program has to be run under a user with effective ID 0 (root?) or have the capability: CAP_NET_RAW set.

So after the build I set the capability with:

sudo setcap cap_net_raw+ep <executable>

The file in the terminal changes to a red background with black text, and I’m not sure what that means. It still has all of the other file attributes of other programs when running ls -l so I am not sure what exactly has changes for it. I have verified that the capability is set with getcap

The problem is after running setcap. The loader fails to load other shared objects with the error message “can’t find the file.” Without setcap the program works and loads all required shared objects (when run as root) but I would prefer to not do this. The shared object path is set in the LD_LIBRARY_PATH environment variable.

Any hints or tips as to what has changed with the executable to cause the loader to fail to load other shared objects? Could it be because other shared objects it links doesn’t have this capability?

Thanks for any help.

Solution :

At least for setuid programs, environment variables like LD_LIBRARY_PATH or LD_PRELOAD are ignored for security reasons. See the man page ld.so(8) for details.

I could imagine it’s the same or at least similar for programs with capabilities set. (Neither the man page capabilities(7) nor the man page ld.so(8) mention such restrictions, though.)

Leave a Reply

Your email address will not be published. Required fields are marked *