[Lazarus] root privileg

Michael Van Canneyt michael at freepascal.org
Wed Jun 4 21:05:24 CEST 2014



On Wed, 4 Jun 2014, Reinier Olislagers wrote:

> On 04/06/2014 19:23, A. Fortuny wrote:
>> On 4/06/2014 17:01, Reinier Olislagers wrote:
>>> On 04/06/2014 16:54, Michael Van Canneyt wrote:
>>>> On Wed, 4 Jun 2014, A. Fortuny wrote:
>>>>> How to gain temporarily root privileges in a pascal program ? I
>>>>> need to 'ping' an IP address and for ping to work (Indy 10) I need
>>>>> to be root.
>>> Why do you need root to ping? You could set up sudo to allow
>> The program I intend to make will be developed as a service "pinging" on
>> a regular basis remote stations just to see if they are alive. The way
>> that Indy implements ICMP protocol means that "pinger" socket is
>> available only under root permission. The same test program which fails
>> under normal user succeeds under root.
>> This is clearly stated in Indy FAQ. Read http://www.indyproject.org/KB/
>> for this subject and associated questions.
> I'll take your word for it that Indy states that.
>
> As I tried to indicate though, the time that you only had root and non
> root in *nix is over.
> Perhaps this
> http://linux.die.net/man/7/capabilities
> could help.
>
> I haven't kept up with this (currently only involved with Linux as a
> personal user), don't know if/how SELinux etc influence this

If you look at the page, you'll see that not all kernels have this.
None of the mechanisms on that page seem to work on my Ubuntu 10.04.

Reinier: 
It would be interesting to know what getcap `which ping` does on your system.

I dare say that it depends on the distribution (worse, the version),
in which case it's better not to rely too heavily on this.
It's also not POSIX (states so in the page you refer to), so it probably 
wouldn't work on BSD either.

The bottom line is, as far as I can make out:

ping won't work without extra capabilities.
These capabilities must be set somehow on the binary, they cannot be set from inside the program if it didn't initially have them.
Old versions require setuid root, newer versions may use setcap() to set these capabilities on the program.

Michael.
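
Added example, not part of the original message: a shell sketch that extends the getcap `which ping` check above to report whether a binary gets its raw-socket privilege from setuid root, from a file capability, or from neither. The function names are hypothetical, the sample getcap lines in the comments are constructed, and it assumes GNU `stat` and the `getcap` tool from libcap.

```shell
#!/bin/sh
# Added example: how does a binary (e.g. ping) obtain the right to open
# a raw ICMP socket? Linux only; file capabilities are not POSIX.

# classify_priv MODE OWNER_UID GETCAP_OUTPUT   (hypothetical helper)
#   MODE          octal permission bits as printed by `stat -c %a` (e.g. 4755)
#   OWNER_UID     numeric owner of the file
#   GETCAP_OUTPUT text printed by `getcap FILE`, may be empty
#                 (constructed samples: "/bin/ping = cap_net_raw+p",
#                  "/usr/bin/ping cap_net_raw=ep")
classify_priv() {
    mode=$1
    owner=$2
    caps=$3
    # The setuid bit is the 4 in the leading digit of a four-digit mode.
    special=0
    if [ "${#mode}" -ge 4 ]; then
        special=${mode%???}
    fi
    if [ $(( $special & 4 )) -ne 0 ] && [ "$owner" = "0" ]; then
        echo setuid-root
        return 0
    fi
    case $caps in
        *cap_net_raw*) echo file-capability ;;
        *)             echo unprivileged ;;
    esac
}

# inspect_binary FILE: collect the three inputs from a real file.
inspect_binary() {
    file=$1
    [ -e "$file" ] || { echo missing; return 1; }
    fmode=$(stat -L -c %a "$file") || return 1
    fowner=$(stat -L -c %u "$file") || return 1
    fcaps=""
    # getcap may not be installed; treat that as "no file capabilities".
    if command -v getcap >/dev/null 2>&1; then
        fcaps=$(getcap "$file" 2>/dev/null) || fcaps=""
    fi
    classify_priv "$fmode" "$fowner" "$fcaps"
}

# Usage: sh thisfile.sh "$(command -v ping)"
if [ "$#" -gt 0 ]; then
    inspect_binary "$1"
fi
```

A result of `unprivileged` for your own pinger binary means it has to be given the setuid bit or a capability from outside, by an administrator, before it can open the socket.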

