
Re: [Linux Diffserv] Need to be root to setsockopt() for EF?

To: Craig Rodrigues <rodrigc@xxxxxxxxxxxx>
Subject: Re: [Linux Diffserv] Need to be root to setsockopt() for EF?
From: jamal <hadi@xxxxxxxxxx>
Date: Fri, 12 Oct 2001 08:09:52 -0400 (EDT)
Cc: <netdev@xxxxxxxxxxx>
In-reply-to: <20011010131016.A14465@mediaone.net>
Sender: owner-netdev@xxxxxxxxxxx

On Wed, 10 Oct 2001, Craig Rodrigues wrote:

> On Sun, Oct 07, 2001 at 11:49:35PM +0400, Alexey Kuznetsov wrote:
> > Hello!
> >
> > > A part of DSCP field was previously Precedence.
> > >
> > > Linux has required that in order to use 'Critical' or higher Precedence,
> > > one must have CAP_NET_ADMIN capability, in most cases, root.
> > >
> > > I'm not one to say whether this restriction should be removed.  Perhaps.
> >
> > Not removed, but made _stronger_.
> >
> > Essentially, allowing user to set an arbitrary DSCP is an evidence of security
> > hole and subject of CAP_NET_RAW or ADMIN. Actually, one of considered
> > variants was to allow to set by default only three values: 0 and those
> > which used to correspond to low-delay and high-throughput.
>
> Hi,
>
> This is very interesting information, since I am trying to develop
> an application which uses Diffserv, but works on multiple
> operating systems.

In the case of diffserv, the DSCP setting is done by the router.
Using Linux as a router allows you to do this.
Settings even by root are not very valuable since in the network they will
be overridden.

> Can you point me to a document which explains what these
> CAP_NET_ADMIN is, and how it is related to setting DSCP values?
>

Think about it: if actually the network cared about dscp value, as set by
joe_l00s3r, we would have chaos. Everyone would be trying to get the
highest qos at the expense of the rest of the world.

Hope this helps

cheers,
jamal

> If there is no formal document, can you direct me to a section
> of the Linux kernel which I can grep to see how this works?
>
> I'm a newbie to Linux kernel networking internals, so some
> guidance would be appreciated. :)
>
>
> --
> Craig Rodrigues
> http://www.gis.net/~craigr
> rodrigc@xxxxxxxxxxxx
>
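
Why EF in particular runs into the check discussed in this thread, as an added example (not code from the posters or from the kernel): the top three bits of the EF codepoint are the old Precedence value 'Critical'. The rule in needs_net_admin() is the one stated in the quoted text; the helper names and the codepoint table are constructed for illustration, and what setsockopt() actually returns depends on the kernel the program runs on.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Same values as IPTOS_PREC_MASK and IPTOS_PREC_CRITIC_ECP in <netinet/ip.h>. */
#define PREC_MASK   0xe0
#define PREC_CRITIC 0xa0

/* DSCP is the upper six bits of the old TOS byte; the low two bits are ECN. */
static int dscp_to_tos(int dscp) { return (dscp & 0x3f) << 2; }

/* Rule as described in the thread: Precedence of Critical or higher
 * needs CAP_NET_ADMIN. Returns 1 if the codepoint falls under it. */
static int needs_net_admin(int dscp)
{
    return (dscp_to_tos(dscp) & PREC_MASK) >= PREC_CRITIC;
}

/* Try to mark a socket. Returns 0 on success, otherwise the errno value
 * (EPERM means the kernel refused the codepoint for this process). */
static int set_dscp(int fd, int dscp)
{
    int tos = dscp_to_tos(dscp);
    if (setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) < 0)
        return errno;
    return 0;
}

int main(void)
{
    /* Constructed sample table of standard Diffserv codepoints. */
    static const struct { const char *name; int dscp; } cp[] = {
        {"BE", 0}, {"AF11", 10}, {"AF41", 34}, {"CS5", 40}, {"EF", 46}, {"CS6", 48},
    };
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    for (size_t i = 0; i < sizeof(cp) / sizeof(cp[0]); i++) {
        int err = set_dscp(fd, cp[i].dscp);
        printf("%-4s dscp=%2d tos=0x%02x rule=%s kernel=%s\n",
               cp[i].name, cp[i].dscp, dscp_to_tos(cp[i].dscp),
               needs_net_admin(cp[i].dscp) ? "privileged" : "open",
               err == 0 ? "ok" : err == EPERM ? "EPERM" : "error");
    }
    close(fd);
    return 0;
}
```

An application that must run unprivileged on several systems can treat an EPERM from set_dscp() as "send unmarked" and leave marking to the router, as the reply above describes.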

