3

I want to set the CAP_NET_ADMIN capability for a certain subprocess in my Python application. I tried a lot to do so, but I didn't succeed, as no example is available that makes it understandable for me.

What I did was install python-prctl (1.6.1) and prctl (1.0.1) using pip, as suggested, and put prctl.capbset.drop("setgid", prctl.CAP_NET_ADMIN) into my application, right before creating the subprocess. However, it seems that even capbset can't be recognized.

In the subprocess I want to sniff the network using scapy.

Praveen
Martin

1 Answer

1

What you tried to do is drop CAP_NET_ADMIN from the capability bounding set; this is not the way to achieve what you have specified.

Instead, you should set the inheritable capabilities in the parent process and, in the subprocess, raise them to the effective set. To understand what each capability set does, see capabilities(7). Here you have an example on how to use python-prctl (different scenario, but it should give you a generic overview).

You may also consider using ambient capabilities as described here.

tomix86
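To see how the bounding, inheritable and ambient sets mentioned in this answer behave when a subprocess is exec'ed, the following added example (not from the original answer or from python-prctl) models the execve() transformation rules from capabilities(7) for a non-root process. The class and function names and the constructed masks are assumptions made for illustration.

```python
from dataclasses import dataclass

CAP_NET_ADMIN = 1 << 12      # capability number 12 in <linux/capability.h>
ALL_CAPS = (1 << 41) - 1     # constructed "full" bounding set for the model

@dataclass(frozen=True)
class ProcCaps:              # hypothetical model of one thread's capability sets
    permitted: int = 0
    inheritable: int = 0
    effective: int = 0
    bounding: int = ALL_CAPS
    ambient: int = 0

@dataclass(frozen=True)
class FileCaps:              # hypothetical model of the executable's file capabilities
    permitted: int = 0
    inheritable: int = 0
    effective: bool = False  # the file effective "set" is a single bit
    setid: bool = False      # set-user-ID or set-group-ID bit on the file

def after_execve(p: ProcCaps, f: FileCaps) -> ProcCaps:
    """Apply the capabilities(7) execve() rules (non-root process assumed)."""
    # A file with capabilities or a set-ID bit is "privileged" and clears ambient.
    privileged = bool(f.permitted or f.inheritable or f.effective or f.setid)
    ambient = 0 if privileged else p.ambient
    permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | ambient
    effective = permitted if f.effective else ambient
    return ProcCaps(permitted, p.inheritable, effective, p.bounding, ambient)

def has_net_admin(p: ProcCaps) -> bool:
    return bool(p.effective & CAP_NET_ADMIN)

def scenarios() -> dict:
    plain = FileCaps()  # ordinary binary without file capabilities
    inh = ProcCaps(permitted=CAP_NET_ADMIN, inheritable=CAP_NET_ADMIN)
    amb = ProcCaps(permitted=CAP_NET_ADMIN, inheritable=CAP_NET_ADMIN,
                   ambient=CAP_NET_ADMIN)
    file_inh = FileCaps(inheritable=CAP_NET_ADMIN, effective=True)
    file_perm = FileCaps(permitted=CAP_NET_ADMIN, effective=True)
    dropped = ProcCaps(bounding=ALL_CAPS & ~CAP_NET_ADMIN)
    return {
        "inheritable only, plain binary": has_net_admin(after_execve(inh, plain)),
        "inheritable + file inheritable": has_net_admin(after_execve(inh, file_inh)),
        "ambient, plain binary": has_net_admin(after_execve(amb, plain)),
        "bounding dropped, file permitted": has_net_admin(after_execve(dropped, file_perm)),
    }

if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name}: CAP_NET_ADMIN effective after exec = {granted}")
```

In this model, removing a capability from the bounding set only restricts what an exec'ed program can gain from file capabilities; it never grants anything to the child.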