[Ns-developers] How to Handle Suid Root in Ns-3
craigdo@ee.washington.edu
Mon Jul 21 11:07:11 PDT 2008
Hi all,

I have a situation in the emulation work I'm doing for ns-3 where at least
some of my code (devices) will need to have permission to access packet and
raw sockets in Cygwin/Unix/OSX/Linux.

The brute force and awkwardness approach is to do ns-3 development as root.
Not a good option.

A slightly less offensive approach is to setuid on the scripts that you
build which will need permissions. This has the annoying step of requiring
a setuid after each build, and leaves giant ns-3 scripts around that are
suid root.

One suggestion is to have a separate process around that can read and write
raw sockets, but this seems to be a gargantuan security hole on any system
running such a process.

I've seen a patch to Linux that allows one to separate out the socket
privileges into a separate group, which seems nice. I don't believe this is
a standard feature though. This would be nice, but it does require a
non-standard Linux, I believe, and wouldn't address other platforms.

I'm not a security expert by any stretch of the imagination, so I'm asking
for suggestions or opinions, especially from security-aware types: How would
you handle the requirement for permissions on net-devices in ns-3?

Regards,

-- Craig
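
Added example, not part of the original message and not ns-3 code: one least-privilege pattern for the raw-socket requirement discussed above is a small set-uid root helper that opens the socket first and then gives up root permanently before anything else runs. The function names `drop_privileges` and `open_raw_then_drop` are hypothetical, and the code assumes a POSIX system (Linux semantics for the socket permission check).

```c
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Give up set-uid root for good by returning to the real (invoking) user.
 * A set-uid program keeps the invoker's supplementary groups, so they are
 * left alone. Returns 0 on success, -1 on failure or if root is regainable. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped the gid can no longer be changed. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* With euid 0, setuid() also reset the saved uid, so this must fail. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Open the raw socket while still privileged, then drop root immediately.
 * Returns the fd, -1 if socket() failed (*sock_errno holds the reason), or
 * -2 if privileges could not be dropped (the socket is closed again). */
int open_raw_then_drop(int *sock_errno)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    *sock_errno = (fd < 0) ? errno : 0;

    if (drop_privileges() != 0) {
        if (fd >= 0)
            close(fd);
        return -2;
    }
    return fd;
}

int main(void)
{
    int err = 0;
    int fd = open_raw_then_drop(&err);
    if (fd == -2)
        return 2;            /* refuse to continue while still privileged */
    /* Assumption (Linux): the permission check happens at socket() time, so
     * the descriptor stays usable after the process has become unprivileged. */
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : 1;
}
```

Only this helper would carry the set-uid bit; the large simulation binary stays unprivileged and receives the already-open descriptor.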