More specifically, I needed a program to be able to create raw sockets without requiring full root privileges. It's possible! Using POSIX File Capabilities that relies on capabilities architecture.
First, install required packages (libcap2 and libcap2-bin on Debian). Second, your kernel must be supporting them as well as your file system (it should be the case per default). Then, you can manage capabilities with setcap and getcap (being root of course).
Usage as explained in setcap(8):
setcap capability1[,capability2][=-+][value] <filename>
Values are in the format defined by cap_from_text(3):
- an operand +, - or = (just like in chmod)
- e for effective (it has it)
- p for permitted (allowed to have or obtain)
- i for inherited (when it forks)
For instance, to be able to create raw sockets:
setcap cap_net_raw=ep <filename>
Or to be able to bind ports < 1024:
setcap cap_net_bind_service=ep <filename>
Both at the same time:
setcap cap_net_bind_service,cap_net_raw=ep <filename>
You can then view a file's capabilities with:
And remove capabilities with:
setcap -r <filename>
If you get a look at the manual capabilities(7), security is divided into several capabilities. You can now replace all setuid/setgid bits of programs with specific capabilities when possible.
We can expect this feature to be used by default in Linux distributions: Fedora applied capabilities since version 12 and archLinux is working towards it.