Monthly Archives: October 2011

Eclipse – CDK – build – run as super user

If you develop a native C/C++ application with Eclipse CDK and need to run the newly built application with permission to access the raw socket API, such as a tun interface, I suggest using Linux capabilities. (Running the newly built application as root/super user can become very complex.) Linux capabilities let you run your app with regular user permissions while still being able to access certain privileged Linux interfaces.

I assume that your build environment builds the binary /home/myuser/workspace/proj/bin/myapp

## invoke command in terminal with root permissions
sudo setcap cap_net_admin,cap_net_raw=eip /home/myuser/workspace/proj/bin/myapp

Next, add the following lines to /etc/security/capability.conf to grant these privileges to the developer/user myuser.

## add to file /etc/security/capability.conf
cap_net_admin myuser
cap_net_raw   myuser

If your application needs read/write access to raw network devices such as /dev/net/tun, grant these privileges by adding the following line to the file /etc/udev/rules.d/50-udev.rules (assuming myuser is a member of group admin):

## file /etc/udev/rules.d/50-udev.rules
KERNEL=="tun",     NAME="net/%k",     GROUP="admin", MODE="0660", OPTIONS+="ignore_remove"

These take effect on the next reboot. In the meantime, run:
sudo chown root:admin /dev/net/tun
sudo chmod g+w /dev/net/tun

Now your application has the required permissions to execute privileged network operations. Next, integrate the setcap invocation into the Makefile build process by adding the following line to your make rule:

## Makefile rule
myapp:  $(APPLIBS) main.o
	$(CC) $(CFLAGS) $(LDFLAGS)  -o myapp main.o $(APPLIBS)
	sudo setcap cap_net_admin,cap_net_raw=eip /home/myuser/workspace/proj/bin/myapp

To keep sudo from asking for the password, add the following line to the very end of the file /etc/sudoers, replacing myuser with the user name of the developer.

## Add as last line of config file /etc/sudoers
myuser ALL = (ALL) NOPASSWD: /sbin/setcap, (ALL) NOPASSWD: /sbin/ifconfig

You will notice that we grant access to /sbin/ifconfig as well. This allows our application to invoke ifconfig commands from within the application to create the required network interfaces.

Finally, verify that the capabilities are configured for the freshly built binary. You should see the capabilities you set before.

## Execute in console:
sudo getcap myapp
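
As written, the sudoers entry lets myuser run setcap with any arguments, so any capability can be attached to any file without a password. The script below is an added example, not part of the original post: a root-owned wrapper that applies only the two capabilities from this article to the one binary path and then checks the getcap output in both formats getcap is known to print. The install path /usr/local/sbin/setcap-myapp, the --apply argument and the /sbin/getcap location are assumptions.

```sh
#!/bin/sh
# Added example: fixed-purpose wrapper for the Makefile's setcap step.
# Hypothetical install path: /usr/local/sbin/setcap-myapp (root-owned, 0755).
# Sudoers entry that would replace the blanket /sbin/setcap grant:
#   myuser ALL = (root) NOPASSWD: /usr/local/sbin/setcap-myapp --apply
BIN=/home/myuser/workspace/proj/bin/myapp   # binary path from the article
WANT=cap_net_admin,cap_net_raw              # capabilities from the article
SETCAP=/sbin/setcap                         # path from the article
GETCAP=/sbin/getcap                         # assumed to sit beside setcap

# caps_match GETCAP_LINE WANTED
# Succeeds only if the line grants exactly WANTED (any order) with flags eip.
# Handles both getcap output styles:
#   "<file> = cap_a,cap_b+eip"   (older libcap)
#   "<file> cap_a,cap_b=eip"     (newer libcap)
caps_match() {
    spec=${1##* }                            # last field: names plus flags
    case $spec in
        *=*) names=${spec%%=*}; flags=${spec#*=} ;;
        *+*) names=${spec%%+*}; flags=${spec#*+} ;;
        *)   return 1 ;;                     # no capabilities reported
    esac
    [ "$flags" = "eip" ] || return 1
    got=$(printf '%s\n' "$names" | tr ',' '\n' | sort | tr '\n' ',')
    want=$(printf '%s\n' "$2" | tr ',' '\n' | sort | tr '\n' ',')
    [ "$got" = "$want" ]
}

# Runs only when invoked as: sudo /usr/local/sbin/setcap-myapp --apply
if [ "${1:-}" = "--apply" ]; then
    [ -f "$BIN" ] || { echo "not a regular file: $BIN" >&2; exit 1; }
    "$SETCAP" "$WANT=eip" "$BIN" || exit 1
    line=$("$GETCAP" "$BIN")
    caps_match "$line" "$WANT" || { echo "unexpected caps: $line" >&2; exit 1; }
    echo "ok: $line"
fi
```

With this in place, the setcap line in the Makefile rule becomes `sudo /usr/local/sbin/setcap-myapp --apply`, and the build fails if the binary ends up with anything other than the two expected capabilities.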

Now you are done. You should be able to execute your application with normal user permissions from within Eclipse, and invoke privileged network operations.