Stop requiring CAP_NET_ADMIN

Since the following commit in the Linux kernel tree

  0fdc100bdc4b ethtool: allow non-netadmin to query settings

it is no longer necessary to have the CAP_NET_ADMIN capability to query
a device speed using ioctl(..., SIOCETHTOOL) in conjonction with the
ETHTOOL_GSET ethtool command.

The mentioned commit landed first in the 2.6.37 version of the Kernel.
This version is no longer maintained nowdays.

Since it is not necessary anymore, it is strongly prefered from a
security standpoint to drop the CAP_NET_ADMIN capability from the
binary.

Signed-off-by: Olivier Gayot <olivier.gayot@sigexec.com>

diff --git a/Makefile b/Makefile
index 5ec587172475fc03fbc40e74558086722167753d..c5427b9995b473780afc5ed077c095efdfa8d515 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -116,8 +116,6 @@ install:
        install -m 755 -d $(DESTDIR)$(SYSCONFDIR)
        install -m 755 -d $(DESTDIR)$(MANPREFIX)/share/man/man1
        install -m 755 i3status $(DESTDIR)$(PREFIX)/bin/i3status
-       # Allow network configuration for getting the link speed
-       (which setcap && setcap cap_net_admin=ep $(DESTDIR)$(PREFIX)/bin/i3status) || true
        install -m 644 i3status.conf $(DESTDIR)$(SYSCONFDIR)/i3status.conf
        install -m 644 man/i3status.1 $(DESTDIR)$(MANPREFIX)/share/man/man1
 

diff --git a/README.md b/README.md
index 75704ea0d84a41b5403a5e4bde97532170836334..084f373a8cff150eab4924cf93080f08a8b40175 100644 (file)
--- a/README.md
+++ b/README.md
@@ -16,13 +16,12 @@ i3status has the following dependencies:
   * libyajl-dev
   * libasound2-dev
   * libnl-genl-3-dev
-  * libcap2-bin (for getting network status without root permissions)
   * asciidoc (only for the documentation)
   * libpulse-dev (for getting the current volume using PulseAudio)
 
 On debian-based systems, the following line will install all requirements:
 ```bash
-apt-get install libconfuse-dev libyajl-dev libasound2-dev libiw-dev asciidoc libcap2-bin libpulse-dev libnl-genl-3-dev
+apt-get install libconfuse-dev libyajl-dev libasound2-dev libiw-dev asciidoc libpulse-dev libnl-genl-3-dev
 ```
 
 ## Upstream

diff --git a/i3status.conf b/i3status.conf
index 07ffb7454fdb895bfeb137d4a310d0c2cdc76ff4..6ac43cbb231252bfa43d1c07e70c34d574a27b23 100644 (file)
--- a/i3status.conf
+++ b/i3status.conf
@@ -26,7 +26,6 @@ wireless _first_ {
 }
 
 ethernet _first_ {
-        # if you use %speed, i3status requires root privileges
         format_up = "E: %ip (%speed)"
         format_down = "E: down"
 }

diff --git a/man/i3status.man b/man/i3status.man
index 31f25adfcd7c9003fb15d7151da52010c9648094..fecd0791ea95ed97ff8ef953a59a684dce7ba314 100644 (file)
--- a/man/i3status.man
+++ b/man/i3status.man
@@ -66,7 +66,6 @@ wireless wlan0 {
 }
 
 ethernet eth0 {
-        # if you use %speed, i3status requires the cap_net_admin capability
         format_up = "E: %ip (%speed)"
         format_down = "E: down"
 }
@@ -315,8 +314,7 @@ network interface found on the system (excluding devices starting with "lo").
 
 Gets the IP address and (if possible) the link speed of the given ethernet
 interface. If no IPv4 address is available and an IPv6 address is, it will be
-displayed. Getting the link speed requires the cap_net_admin capability.
-Set it using +setcap cap_net_admin=ep $(which i3status)+.
+displayed.
 
 The special interface name `_first_` will be replaced by the first non-wireless
 network interface found on the system (excluding devices starting with "lo").

diff --git a/src/print_eth_info.c b/src/print_eth_info.c
index b30d2b0166a0b1fd577c047eb4bf8a01f3bc4cbb..996ce3b6606eea86e6d89de5a6fd005182ae32b3 100644 (file)
--- a/src/print_eth_info.c
+++ b/src/print_eth_info.c
@@ -33,7 +33,6 @@
 
 static int print_eth_speed(char *outwalk, const char *interface) {
 #if defined(LINUX)
-    /* This code path requires root privileges */
     int ethspeed = 0;
     struct ifreq ifr;
     struct ethtool_cmd ecmd;