search

fujiapple852 / trippy

A network diagnostic tool
https://trippy.cli.rs
Apache License 2.0
3.5k stars 73 forks source link

Add support for --unprivileged mode on Linux #741

Open fujiapple852 opened 10 months ago

almereyda commented 10 months ago

It will be nice when trippy does not need to invoke sudo powers to work on Linux, in so its usability will be on par with traceroute and mtr.

c-git commented 10 months ago

That's actually already the case, the same way traceroute needs to be given permission to do what it does you can give that permission to trippy and not full admin access.

sudo setcap CAP_NET_RAW+p $(which trip)

Taken from option 3 here https://github.com/fujiapple852/trippy/#unix

So you don't need to use sudo to run it. Just to give it permission to access raw sockets.

almereyda commented 10 months ago

Thanks, yes, it didn't occur to me. Then what would be left to do in the issue at hands?

fujiapple852 commented 10 months ago

@almereyda Linux provides (at least) three mechanisms for an unprivileged (non-root) user to run a ping/traceroute.

The first way is what @c-git is referring to; where the CAP_NET_RAW capability can be set on the executable which allows that executable to open raw sockets, even if the process itself is started by a non-root user. This is the approach taken by mtr (note that mtr invokes the mtr-packet executable to do the actual tracing and so needs that capability). This is the preferred approach for running Trippy on Linux as @c-git points out. Note that Trippy is what is called a "capabilities aware" program, meaning it can use the provided capabilities to do what it needs (open the raw sockets) and then drop the capabilities at runtime so after startup it runs completely unprivileged. It's not as complicated as it sounds.

The second approach is similar and involves setting the setuid bit via chmod +s on the executable which makes the executable process run with root permissions even if it is started by a non-root user. Whilst more powerful, this is also more dangerous as the process runs with more permissions that it strictly needs and retains that permissions for the entire time the program is active.

The third approach, which is what this issues addresses, involves using some platform specific Linux APIs (as described here) in order to be able to send and receive probes for ping/traceroute without requiring any privileges. This is what the Linux native traceroute program does. Whilst this is arguably the best option, it does require lots of Linux specific code which complicates Trippy (much as the Windows platform code does, unavoidably) and so whilst I would like to add it, it needs some fairly significant changes to support cleanly. Note that MacOS also support this approach but in a way that is almost zero impact to the existing design of the code.

I hope that clears it up!

almereyda commented 10 months ago

Thank you for the thorough explanation. I do now understand better why this imposes an effort on the maintenance, because the major computation platforms all handle selectively increased privilege of process permissions differently.