[Top] [All Lists]

Re: [Linux Diffserv] Need to be root to setsockopt() for EF?

To: netdev@xxxxxxxxxxx
Subject: Re: [Linux Diffserv] Need to be root to setsockopt() for EF?
From: Craig Rodrigues <rodrigc@xxxxxxxxxxxx>
Date: Wed, 10 Oct 2001 13:10:16 -0400
In-reply-to: <200110071949.XAA00770@xxxxxxxxxxxxxx>; from kuznet@xxxxxxxxxxxxx on Sun, Oct 07, 2001 at 11:49:35PM +0400
References: <Pine.LNX.4.33.0110050814520.492-100000@xxxxxxxxxx> <200110071949.XAA00770@xxxxxxxxxxxxxx>
Sender: owner-netdev@xxxxxxxxxxx
User-agent: Mutt/1.2.5i
On Sun, Oct 07, 2001 at 11:49:35PM +0400, Alexey Kuznetsov wrote:
> Hello!
> > A part of DSCP field was previously Precedence.
> > 
> > Linux has required that in order to use 'Critical' or higher Precedence,
> > one must have CAP_NET_ADMIN capability, in most cases, root.
> > 
> > I'm not one to say whether this restriction should be removed.  Perhaps.
> Not removed, but made _stronger_.
> Essentially, allowing user to set an arbitrary DSCP is an evidence of security
> hole and subject of CAP_NET_RAW or ADMIN. Actually, one of considered
> variants was to allow to set by default only three values: 0 and those
> which used to correspong low-delay and high-throghput.


This is very interesting information, since I am trying to develop
an application which uses Diffserv, but works on multiple
operating systems.  
Can you point me to a document which explains what these
CAP_NET_ADMIN is, and how it is related to setting DSCP values?

If there is no formal document, can you direct me to a section
of the Linux kernel which I can grep to see how this works?

I'm a newbie to Linux kernel networking internals, so some
guidance would be appreciated. :)

Craig Rodrigues    

<Prev in Thread] Current Thread [Next in Thread>