A program that I am developing uses raw sockets. For security reasons, to run a program that uses raw sockets, the program has to be run under a user with effective ID 0 (root?) or have the capability CAP_NET_RAW set.
So after the build I set the capability with:
sudo setcap cap_net_raw+ep <executable>
The file in the terminal changes to a red background with black text, and I’m not sure what that means. It still has all of the other file attributes of other programs when running ls -l, so I am not sure what exactly has changed for it. I have verified that the capability is set with

The problem is after running setcap. The loader fails to load other shared objects with the error message “can’t find the file.” Without setcap the program works and loads all required shared objects (when run as root), but I would prefer to not do this. The shared object path is set in the LD_LIBRARY_PATH environment variable.
Any hints or tips as to what has changed with the executable to cause the loader to fail to load other shared objects? Could it be because the other shared objects it links don’t have this capability?
Thanks for any help.
At least for setuid programs, environment variables like LD_PRELOAD are ignored for security reasons. See the man page ld.so(8) for details.

I could imagine it’s the same or at least similar for programs with capabilities set. (Neither the man page capabilities(7) nor the man page ld.so(8) mention such restrictions, though.)
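As an added diagnostic that is not part of the question or the answer (it assumes a Linux host with glibc): this program reports whether the loader started it in secure-execution mode (the AT_SECURE flag the kernel sets for set-uid binaries and for binaries granted file capabilities), whether CAP_NET_RAW is in its effective set, and whether LD_LIBRARY_PATH survived. Running it once plainly and once after setcap cap_net_raw+ep shows why the libraries stop being found.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

/* CAP_NET_RAW is capability bit 13 (linux/capability.h). */
#define CAP_NET_RAW_BIT 13

/* Non-zero when the kernel started this process in secure-execution mode:
 * set-uid/set-gid, or file capabilities granted by setcap. In that mode
 * glibc's ld.so ignores LD_LIBRARY_PATH, restricts LD_PRELOAD and removes
 * both from the environment, so libraries found only via LD_LIBRARY_PATH
 * are reported as missing. */
int secure_execution(void) {
    return getauxval(AT_SECURE) != 0;
}

/* 1 if `bit` is set in a capability mask written as the hex string used
 * in /proc/<pid>/status (e.g. "0000000000002000"); strtoull skips leading
 * whitespace and stops at the newline. */
int cap_mask_has(const char *hexmask, int bit) {
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> bit) & 1ULL);
}

/* Looks up a "Key:\t<hex>" field in a /proc/<pid>/status-style buffer
 * and tests one bit. Returns 1/0, or -1 if the field is absent. */
int status_cap_has(const char *status, const char *key, int bit) {
    const char *p = strstr(status, key);
    if (!p) return -1;
    return cap_mask_has(p + strlen(key), bit);
}

/* Same test against this process's own effective capability set. */
int effective_has_cap(int bit) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_cap_has(buf, "CapEff:", bit);
}

int main(void) {
    printf("secure-execution mode (AT_SECURE): %s\n",
           secure_execution() ? "yes, LD_LIBRARY_PATH is ignored" : "no");
    printf("CAP_NET_RAW in effective set:      %d\n",
           effective_has_cap(CAP_NET_RAW_BIT));
    printf("LD_LIBRARY_PATH visible:           %s\n",
           getenv("LD_LIBRARY_PATH") ? "yes" : "no");
    return 0;
}
```

Two loader-side fixes that do not depend on the environment are placing the libraries in a directory listed in /etc/ld.so.conf (followed by ldconfig) or linking the executable with an absolute RUNPATH via -Wl,-rpath; both are consulted by ld.so even in secure-execution mode.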