[Chilli] Chilli 1.2.8 stable, use of CAP_NET_ADMIN and some other things...
Francesco Colista
francesco.colista at gmail.com
Tue Dec 6 18:43:32 UTC 2011
Hi all.

I'm just continuing the coredump saga since 1.2.7, and as David
mentioned, the new version should fix it.

I'm using a 3.0.10 grsec kernel with a patch for SSP on uclibc; the
distro is Alpine Linux (www.alpinelinux.org).

These are the flags I used to compile the 1.2.8 version (stable)
that is running atm:

./configure --prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--localstatedir=/var/run/chilli \
--libdir=/usr/lib \
--sysconfdir=/etc \
--with-openssl \
--with-poll \
--with-pcap \
--enable-binstatusfile \
--enable-statusfile \
--enable-chillixml \
--enable-ipwhitelist \
--enable-redirinject \
--enable-redirdnsreq \
--enable-debug \
--enable-debug2 \
--enable-sessgarden \
--enable-shared \
--enable-chilliredir \
--enable-chilliscript \
--enable-layer3 \
--enable-dhcpopt \
--enable-largelimits

I need a clarification about these errors:

"use of CAP_NET_ADMIN in chroot denied for
/usr/sbin/chilli[chilli:1982] uid/euid:0/0 gid/egid:0/0, parent
/usr/sb0" <--- the logs are full of this alert.

"coova-chilli[1947]: net.c: 114: 13 (Permission denied)
ioctl(SIOCSIFFLAGS) failed" <--- I also have a lot of these entries.

Now, I notice that the ioctl error is because coova-chilli is running
as root, and it would be better to use a non-privileged user.
I created a chilli user and group and gave the appropriate permissions
on the pidfile directory (/var/run/chilli).
When the daemon starts, I get a permission denied when chilli
modifies the routing table. What can I do? Chilli is setuid.
I read about chilli-script, but never used it. Can someone point me in
the right direction?

About the first error, I tried to setcap cap_net_admin+ep
/usr/sbin/chilli without result. This is what is returned:

Failed to set capabilities on file `/usr/sbin/chilli' (Operation not
supported)

Last point: it would be very helpful to have better documentation on
the wiki about how these flags work and how to use them :)

--
:: Francesco ::
Blog: http://fc1979.blogspot.com
Jabber: francesco at jabber.org
E-Mail: francesco at bsod.eu
GnuPG: FE9DDD5F
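
Added example (not part of the original message and not CoovaChilli code): a small Python triage script for the two log messages quoted above. It counts capability denials and failed ioctl calls and records whether a denial hit a process with euid 0. The sample lines are constructed from the quoted messages, and the sketch assumes each message sits on one line in the real log.

```python
import re
from collections import Counter

# Constructed sample, modeled on the two messages quoted in the post
# (the truncated "parent /usr/sb0" is kept exactly as quoted).
SAMPLE_LOG = """\
use of CAP_NET_ADMIN in chroot denied for /usr/sbin/chilli[chilli:1982] uid/euid:0/0 gid/egid:0/0, parent /usr/sb0
coova-chilli[1947]: net.c: 114: 13 (Permission denied) ioctl(SIOCSIFFLAGS) failed
use of CAP_NET_ADMIN in chroot denied for /usr/sbin/chilli[chilli:1982] uid/euid:0/0 gid/egid:0/0, parent /usr/sb0
some unrelated line
"""

# Kernel-side message: which capability was refused, and for which process.
CAP_DENIED = re.compile(
    r"use of (?P<cap>CAP_[A-Z_]+) in chroot denied for "
    r"(?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)")

# Daemon-side message: source file, line, errno and the ioctl request name.
IOCTL_FAILED = re.compile(
    r"coova-chilli\[(?P<pid>\d+)\]: (?P<src>\S+): (?P<line>\d+): "
    r"(?P<errno>\d+) \((?P<msg>[^)]*)\) ioctl\((?P<req>\w+)\) failed")

def triage(text):
    """Summarise capability denials and ioctl failures found in log text."""
    denials, ioctl_errors = Counter(), Counter()
    root_denied = False
    for line in text.splitlines():
        m = CAP_DENIED.search(line)
        if m:
            denials[(m["cap"], m["exe"])] += 1
            # euid 0 here means the refusal is not a plain file-permission issue
            root_denied = root_denied or m["euid"] == "0"
            continue
        m = IOCTL_FAILED.search(line)
        if m:
            ioctl_errors[(m["req"], int(m["errno"]))] += 1
    return {"denials": dict(denials),
            "ioctl_errors": dict(ioctl_errors),
            "root_denied": root_denied}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```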