Re: Is it possible to chroot jail NetworkManager?



On Sat, 2006-08-26 at 21:28 +0000, Hubert Havel wrote:
> Hi Dan,
> 
> How does NM talk to the internet browser? Does it use a socket? If NM uses a
> socket to communicate with the browser, then I can
> "mount /socket_dir /choot/socket_dir -o bind"
> The browser inside the chroot jail will be able to talk to the NM, while NM
> is running under root outside the jail. What do you think? Is this possible?

NM doesn't necessarily talk to the browser at all; user applications
connect to the message bus daemon, and NetworkManager provides a service
residing on the message bus.  On Linux the communication happens over
unix domain sockets.

dan


> Thanks for your help. Hubert.
> 
> >From: Dan Williams <dcbw redhat com>
> >To: Hubert Havel <browncoffee100 hotmail com>
> >CC: networkmanager-list gnome org
> >Subject: Re: Is it possible to chroot jail NetworkManager?
> >Date: Wed, 23 Aug 2006 16:50:54 -0400
> >
> >On Wed, 2006-08-23 at 19:43 +0000, Hubert Havel wrote:
> > > Hello NetworkManager Users:
> > >
> > >     I am able to get Opera to run in a chroot jail, but unfortunately, I was
> > > unable to get a jailed WiFi internet program to connect the jailed Opera to
> > > the WiFi internet card. I tried jailing NetworkManager, but I noticed that
> > > NetworkManager can only be executed by root. It is unsafe to execute any
> > > program inside jail with root.
> >
> >Unfortunately, you pretty much _need_ root to do much with wireless.
> >For example, you can't perform wireless scans unless you're root (or
> >possibly have CAP_NET_ADMIN, not sure).  You also can't manipulate the
> >routing tables or set IP addresses if you're not root (or don't have
> >CAP_NET_ADMIN).
> >
> >Furthermore, you'd need root for wpa_supplicant since it does a ton of
> >wireless work.  And NM needs to be able to access D-Bus too, and the
> >system bus socket would likely be outside the chroot too.
> >
> > >     Is there a way to jail NetworkManager securely - preferably, execute
> > > NetworkManager inside jail without root. Perhaps, there is a way, like
> > > Apache, after initialization, it drops the root process?
> >
> >Why do you want to do this?
> >
> >Dan
> >
> > >    Your help is greatly appreciated. I have been stuck on this for about 2
> > > weeks.
> > >
> > > Hubert.
> > >
> >
> 
> 
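
An added example, not part of the original thread and not NetworkManager code: a Python preflight for the two requirements Dan's replies name, whether a process holds CAP_NET_ADMIN and whether the D-Bus system bus unix socket is reachable from the current root (for instance through a bind mount into the chroot). The socket path `/var/run/dbus/system_bus_socket` is the usual default and is an assumption here, as are the function names and the constructed sample status lines.

```python
import os
import socket
import stat

CAP_NET_ADMIN = 12  # bit number of CAP_NET_ADMIN in linux/capability.h
# Assumed default system bus socket; a distribution may place it elsewhere.
BUS_SOCKET = "/var/run/dbus/system_bus_socket"

# Constructed sample lines in the format of /proc/<pid>/status.
SAMPLE_NET_ADMIN_ONLY = "Name:\tdemo\nCapEff:\t0000000000001000\n"
SAMPLE_UNPRIVILEGED = "Name:\tdemo\nCapEff:\t0000000000000000\n"


def effective_caps(status_text):
    """Return the effective capability bitmask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")


def has_net_admin(status_text):
    """True if the CAP_NET_ADMIN bit is set in the effective set."""
    return bool((effective_caps(status_text) >> CAP_NET_ADMIN) & 1)


def bus_socket_reachable(path=BUS_SOCKET):
    """True if path is a unix socket visible from this root that accepts connections."""
    try:
        # A chroot without the bind mount fails here: the path does not exist.
        if not stat.S_ISSOCK(os.stat(path).st_mode):
            return False
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(2)
            s.connect(path)
        return True
    except OSError:
        return False


if __name__ == "__main__":
    with open("/proc/self/status") as f:
        print("CAP_NET_ADMIN:", has_net_admin(f.read()))
    print("system bus socket reachable:", bus_socket_reachable())
```

Run inside the jail as the jailed user, it shows whether that process lacks the capability and whether the bus socket is visible in the jailed filesystem.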



