Tuesday, January 19, 2010

POSIX File Capabilities

Sometimes you need a particular program to perform a specific task that requires administrative (root) privileges. You can run the program with sudo, or chown it to root and set the setuid bit (which makes the program run with its owner's uid). However, the setuid bit has serious security issues: if you are able to change the flow of execution of the program (and if the program does not drop its root privileges once they are no longer necessary), you can get a root shell.

More specifically, I needed a program to be able to create raw sockets without requiring full root privileges. It's possible, using POSIX File Capabilities, which rely on the capabilities architecture.
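The following is an added example, not code from the original post: a small Linux C program that reads its own effective capability set and then tries to open a raw ICMP socket, so you can see that the file capability grants only CAP_NET_RAW rather than everything root has. It assumes /proc is mounted and that CAP_NET_RAW is bit 13 as defined in <linux/capability.h>; the function names are hypothetical.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define CAP_NET_RAW_BIT 13 /* value of CAP_NET_RAW in <linux/capability.h> */

/* Parse one "<field>:\t<hex mask>" line of /proc/<pid>/status. 0 on success. */
int parse_cap_line(const char *line, const char *field, unsigned long long *mask)
{
    size_t n = strlen(field);
    if (strncmp(line, field, n) != 0 || line[n] != ':')
        return -1;
    return sscanf(line + n + 1, "%llx", mask) == 1 ? 0 : -1;
}

/* 1 if capability number `cap` is set in the mask, else 0. */
int has_cap(unsigned long long mask, int cap) { return (int)((mask >> cap) & 1ULL); }

/* True only when CAP_NET_RAW is the single effective capability. */
int is_least_privilege(unsigned long long mask) { return mask == (1ULL << CAP_NET_RAW_BIT); }

/* Read this process's effective capability mask (CapEff). 0 on success. */
int read_effective_caps(unsigned long long *mask)
{
    char line[256];
    int rc = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (parse_cap_line(line, "CapEff", mask) == 0) { rc = 0; break; }
    fclose(f);
    return rc;
}

int main(void)
{
    unsigned long long eff = 0;
    if (read_effective_caps(&eff) != 0) { fprintf(stderr, "cannot read CapEff\n"); return 2; }
    printf("uid=%d CapEff=%016llx CAP_NET_RAW=%s only_net_raw=%s\n", (int)getuid(), eff,
           has_cap(eff, CAP_NET_RAW_BIT) ? "yes" : "no", is_least_privilege(eff) ? "yes" : "no");
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP); /* needs CAP_NET_RAW */
    if (s < 0) { printf("raw socket: %s\n", strerror(errno)); return 1; }
    puts("raw socket: ok");
    close(s);
    return 0;
}
```

Run it as a normal user before and after `sudo setcap cap_net_raw+ep ./rawcheck` (the binary name is an assumption): the first run fails with "Operation not permitted", the second succeeds while uid stays non-zero and only_net_raw reports yes.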

Tuesday, January 12, 2010

Enabling Wake-on-LAN

The first thing you do when you configure Wake-on-LAN is to enable it in your motherboard BIOS (on my ASRock it's "wake on PCI device -> enabled").

However, this is not enough because when you leave Linux (or Windows), your network card may not be set to wake up from LAN. Thanks to tjansson, I'm now using the following root crontab to enable Wake-on-LAN every time Linux starts (I prefer that to an init/rc6 script).
@reboot /usr/sbin/ethtool -s eth0 wol g

I invite you to read tjansson's blog entry for more information.