Can I add iptables rule from the inside of a C Linux program only with capabilities or do I need necessarily root?



I need to add an iptables rule from the inside of a C Linux program.

How should I do it? Do I need root privilege or can I just grant some capabilities?

I tried granting CAP_NET_RAW+iep and using popen(), system() and execve() to set iptables but it doesn't work.

It obviously works when I sudo but I would like not to grant root privilege.

Thank you.

Tags: linux iptables root c capabilities






asked Oct 5 '15 at 18:24 by the structure (edited Oct 5 '15 at 19:13)

  • Looking at this (specifically 4.6.3 underneath "set") it seems to imply NET_ADMIN is the capability responsible for that. What happens when you give that capability to the iptables executable (/sbin/iptables-multi-1.4.7 on my system) and try to run it as non-root?

    – Bratchley
    Oct 5 '15 at 19:13

  • But for the "can I just grant some capabilities" the answer is almost always "yes" for things like that. Unless you need it to be the "root" user specifically for some reason, it's usually just a matter of figuring out what capability root has that your regular users don't in regards to the operation.

    – Bratchley
    Oct 5 '15 at 19:16

  • iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)

    – the structure
    Oct 5 '15 at 19:19

  • I'm afraid it's something about inheritance since I'm not calling iptables directly.

    – the structure
    Oct 5 '15 at 19:29



















1 Answer
Maybe your answer is here, in this link:
https://superuser.com/questions/1041621/how-to-enable-user-to-change-iptables-rules

You can limit which commands a user can run via sudo. If you don't know how to configure your sudoers file, use this link:

https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file-on-ubuntu-and-centos






answered 33 mins ago by Rasool Ziafaty
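The inheritance concern raised in the comments can be checked against the execve() capability rules documented in capabilities(7). The following is an added example, not code from the question or the answer: a C model of those rules that computes which effective capabilities reach iptables when it is started from another program. The struct and function names are hypothetical, the scenario is constructed, and pairing CAP_NET_ADMIN with CAP_NET_RAW as the set iptables needs is an assumption based on the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Capability numbers from <linux/capability.h>. */
#define CAP_NET_ADMIN 12
#define CAP_NET_RAW   13
#define BIT(c) (UINT64_C(1) << (c))

struct proc_caps { uint64_t permitted, inheritable, effective, ambient, bounding; };
struct file_caps { uint64_t permitted, inheritable; bool effective; };

/* execve() rules for a non-root process, as documented in capabilities(7). */
static struct proc_caps caps_after_exec(struct proc_caps p, struct file_caps f)
{
    bool privileged = f.permitted || f.inheritable; /* file carries capabilities */
    struct proc_caps n = p;                         /* inheritable, bounding kept */
    n.ambient   = privileged ? 0 : p.ambient;
    n.permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | n.ambient;
    n.effective = f.effective ? n.permitted : n.ambient;
    return n;
}

/* Models prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap): the capability must
 * already be in both the permitted and the inheritable set. */
static bool raise_ambient(struct proc_caps *p, int cap)
{
    if (!(p->permitted & p->inheritable & BIT(cap)))
        return false;
    p->ambient |= BIT(cap);
    return true;
}

/* Constructed scenario: user shell -> caller -> iptables. Returns the effective
 * set that iptables ends up with after the second execve(). */
static uint64_t iptables_effective(struct file_caps caller_file,
                                   struct file_caps ipt_file, bool use_ambient)
{
    struct proc_caps shell = { 0, 0, 0, 0, ~UINT64_C(0) }; /* unprivileged shell */
    struct proc_caps caller = caps_after_exec(shell, caller_file);
    if (use_ambient) {
        caller.inheritable |= caller.permitted; /* capset(): pI may take bits from pP */
        raise_ambient(&caller, CAP_NET_ADMIN);
        raise_ambient(&caller, CAP_NET_RAW);
    }
    return caps_after_exec(caller, ipt_file).effective;
}

int main(void)
{
    struct file_caps none = { 0, 0, false };
    struct file_caps raw_eip = { BIT(CAP_NET_RAW), BIT(CAP_NET_RAW), true };
    printf("CAP_NET_RAW+eip on caller, plain iptables: %#llx\n",
           (unsigned long long)iptables_effective(raw_eip, none, false));
    return 0;
}
```

Passing file capabilities for the iptables binary itself, or setting `use_ambient` with both capabilities permitted on the caller (ambient capabilities need Linux 4.3 or later), yields a non-empty effective set instead.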
