Re: How to read/write raw ether packet in application?
- Subject: Re: How to read/write raw ether packet in application?
- From: "Duane Murphy" <email@hidden>
- Date: Wed, 23 Aug 2006 19:21:58 -0700
You are correct. Running an application as root is not appropriate.
However, running a small tool as root is recommended.
Please see MoreAuthSample
<http://developer.apple.com/samplecode/MoreAuthSample/listing6.html>
for an example of how to do this. The idea is simple and standard unix.
You create a small tool that opens the PF_NDRV socket for you. You put
this tool in your application bundle. Then when you want to open a
PF_NDRV socket you go through the following steps:
1. If the tool in ~/Library/Application Support/<my company name>/ (or /Library/... or another Library/Application) is the same or newer than the tool in my bundle and it has the right privileges, then fork/exec the tool and pass the socket (descriptor) from the tool to the application.
2. If the tool is older or missing, then copy the tool to the Application Support folder and launch it with privileges. Then the tool can change itself to be setuid root. The user has to enter the admin password once when the tool is installed.
3. The tool opens and passes the descriptor back as expected.
Almost all of this procedure is done for you in the MoreAuthSample.
There is lots of security and user goodness in this procedure.
- Your application is self installing and self healing.
- The only code that runs as root opens a socket and passes the descriptor to the parent application.
- The user only has to enter the admin password when the tool is installed. Usually that is once.
There are many of us that use this procedure (or small variations on it)
for our applications.
...Duane
--- At Thu, 24 Aug 2006 09:59:58 +0800, Robin wrote:
>Hi Quinn,
>
> I've checked BSDLLCTest already, I think the question is PF_NDRV
>requires root privileges, we can not ask common users to run applications
>with root account as usual. We need another way to solve it.
>
> Maybe we can open the socket in the kernel space, such as in a
>socket filter, and access the filter in the user space, we can avoid the
>privileges problem.
>
> How about your ideas?
> Thanks.
>
>Regards,
>Robin
>
>>
>>If by this, you mean "raw ethernet packets with a new type", then you
>>can do this in a couple of ways: BPF or raw ethernet (PF_NDRV).
>>FWIW, the system does not take kindly to you siphoning off TCP
>>packets. I suspect that isn't what you want to do, however.
>>
>>The BPF approach is probably simplest and most portable, and there
>>are several applications in the darwin source tree that show how it's
>>done (see the bootp project, for example).
>>
>>I don't know what shape the PF_NDRV code is in now. This is a
>>"protocol" handler that is a kext, and so requires kernel
>>programming. The SharedIP kext uses this to get ethernet packets to
>>and from the Classic Mac OS environment.
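The hand-off in steps 1 and 3 of Duane's procedure, written here as an added C example that is not from the post or from MoreAuthSample: the privileged helper opens the socket and passes the descriptor to the unprivileged application over a Unix-domain socket with SCM_RIGHTS, so the only code that ever runs as root is the socket() call. It assumes macOS for the PF_NDRV open; on other systems, and in the self-check at the end, an unprivileged AF_UNIX socket stands in for it, and the tool/application split across fork/exec is simulated with a socketpair in one process.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __APPLE__
#include <net/ndrv.h>
#define OPEN_RAW_SOCKET() socket(PF_NDRV, SOCK_RAW, 0)    /* root-only raw Ethernet socket */
#else
#define OPEN_RAW_SOCKET() socket(AF_UNIX, SOCK_DGRAM, 0)  /* unprivileged stand-in (assumed) */
#endif
/* Helper (tool) side: pass one descriptor over a connected AF_UNIX socket with
 * SCM_RIGHTS; the kernel duplicates it into the receiver, which never needs root. */
int send_fd(int chan, int fd) {
    char byte = 'F', cbuf[CMSG_SPACE(sizeof(int))] = {0};  /* one data byte is required */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}
/* Application side: accept the descriptor, rejecting anything that is not SCM_RIGHTS. */
int recv_fd(int chan) {
    char byte, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}
/* The hand-off over a socketpair in one process (after fork/exec the two ends sit in the
 * tool and the application). Returns 1 when the receiver holds a distinct, working fd. */
int handoff_demo(void) {
    int pair[2], raw = -1, got = -1, type, ok = 0;
    socklen_t len = sizeof type;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) < 0) return 0;
    if ((raw = OPEN_RAW_SOCKET()) >= 0 && send_fd(pair[0], raw) == 0 &&
        (got = recv_fd(pair[1])) >= 0)
        ok = got != raw && getsockopt(got, SOL_SOCKET, SO_TYPE, &type, &len) == 0;
    if (got >= 0) close(got);
    if (raw >= 0) close(raw);
    close(pair[0]); close(pair[1]);
    return ok;
}
```

The received descriptor is a new number in the receiving process but refers to the same open socket, which is why the application can use it without ever having had the privilege needed to create it.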
Macnetworkprog mailing list (email@hidden)