Opened 6 years ago

Closed 6 years ago

#8452 closed enhancement (wontfix)

ooni: create virtualenv bootstrap script that allows us to create raw sockets without sudo

Reported by: isis
Owned by: isis
Priority: Medium
Milestone:
Component: Archived/Ooni
Version:
Severity:
Keywords: ooni, SponsorH201210
Cc: hellais, ioerror, aagbsn, isis
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

aagbsn wrote a set of patches to let network tests discover if they need the ability to create raw sockets and added instructions for doing setcap on the python interpreter binary to enable a user to create raw sockets without giving sudo to ooniprobe.

However, we don't want to ask a user to do this to their system python interpreter. What we need is a virtualenv setup script which creates an entirely new copy of the python interpreter to use setcap on.
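
A bootstrap of the kind the description asks for could look like the following. This is an added example, not code from the ticket or from ooniprobe; it uses the standard-library `venv --copies` in place of virtualenv, and the function names and the `chmod 0700` step are assumptions of the example.

```shell
#!/bin/sh
# Added example: give CAP_NET_RAW to a private interpreter copy, not the system one.

# Succeeds only if $1 is a regular file that is neither a symlink nor a
# hard link to the system interpreter $2.
is_private_copy() {
    interp=$1
    sys_interp=$2
    [ -f "$interp" ] || return 1      # missing, or not a regular file
    [ ! -L "$interp" ] || return 1    # a symlink still refers to the system binary
    if [ "$interp" -ef "$sys_interp" ]; then
        return 1                      # same device and inode as the system binary
    fi
    return 0
}

# Grant only the raw-socket capability; this is the single step needing sudo.
grant_net_raw() {
    sudo setcap cap_net_raw+ep "$1" && getcap "$1"
}

main() {
    env_dir=$1
    sys_interp=$(command -v python3) || { echo "python3 not found" >&2; return 1; }
    # --copies makes venv copy the interpreter instead of symlinking it.
    python3 -m venv --copies "$env_dir" || return 1
    interp=$env_dir/bin/python3
    if ! is_private_copy "$interp" "$sys_interp"; then
        echo "refusing to setcap $interp: not a private copy" >&2
        return 1
    fi
    chmod 0700 "$interp"   # assumption: only the owner may run the capable copy
    grant_net_raw "$interp"
}

# Run only when an environment directory is given, e.g.: sh bootstrap.sh ./ooni-env
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Every script run with that copy holds CAP_NET_RAW, which is why the example restricts execution of the copy to its owner.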

Change History (5)

comment:1 Changed 6 years ago by hellais

Resolution: wontfix
Status: new → closed

For running ooniprobe tests that require root, such permissions will be a requirement.

comment:2 Changed 6 years ago by hellais

Keywords: SponsorH201210 added

comment:3 Changed 6 years ago by isis

Resolution: wontfix
Status: closed → reopened

Wait, this is one of the things we all agreed we wanted to have in our meetings at Harvard. Remember that the user still has to have sudo privileges to setcap the interpreter binary -- so this doesn't mean that we are obtaining extra privileges that were not there before, instead it means that we are restricting what permissions the interpreter is given.

comment:4 in reply to:  3 Changed 6 years ago by hellais

Replying to isis:

Wait, this is one of the things we all agreed we wanted to have in our meetings at Harvard. Remember that the user still has to have sudo privileges to setcap the interpreter binary -- so this doesn't mean that we are obtaining extra privileges that were not there before, instead it means that we are restricting what permissions the interpreter is given.

On all of our target platforms we don't have the ability to install a special python binary (on which we can setcap). So, for example, on Debian this feature will not be possible.

I would suggest we postpone this since none of the target platforms support this feature.

comment:5 Changed 6 years ago by hellais

Resolution: wontfix
Status: reopened → closed

Since no further feedback was received on this ticket in 3 weeks, I am closing this as wontfix.
