Additional capabilities required

Specify additional capabilities in main.cpp (error message and comment), and in man page.
raboof · Jul 9, 2022 · a9258d1 · a9258d1
1 parent 90fb48d
commit a9258d1
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 8 deletions.
diff --git a/doc/nethogs.8 b/doc/nethogs.8
@@ -108,13 +108,18 @@ needs the
 .I cap_net_admin
 and
 .I cap_net_raw
-capabilities. These can be set on the executable by using the
+capabilities. Additionally, to display process names,
+.I cap_dac_read_search
+and
+.I cap_sys_ptrace
+capabilities are required.
+These can be set on the executable by using the
 .BR setcap (8)
 command, as follows:
 .PP
 .in +4n
 .EX
-sudo setcap "cap_net_admin,cap_net_raw+pe" /usr/local/sbin/nethogs
+sudo setcap "cap_net_admin,cap_net_raw,cap_dac_read_search,cap_sys_ptrace+pe" /usr/local/sbin/nethogs
 .EE
 .in
 .SH "Notes"

diff --git a/src/main.cpp b/src/main.cpp
@@ -215,15 +215,12 @@ int main(int argc, char **argv) {
     forceExit(false, "No devices to monitor. Use '-a' to allow monitoring "
                      "loopback interfaces or devices that are not up/running");
 
-  if ((!tracemode) && (!DEBUG)) {
-    init_ui();
-  }
-
 #ifndef __linux__
   if (geteuid() != 0)
     forceExit(false, "You need to be root to run NetHogs!");
 #endif
-  // on Linux, we can run as non-root given the cap_net_admin and cap_net_raw capabilities
+  // on Linux, we can run as non-root given the cap_net_admin, cap_net_raw,
+  // cap_dac_read_search and cap_sys_ptrace capabilities
 
   // use the Self-Pipe trick to interrupt the select() in the main loop
   self_pipe = create_self_pipe();
@@ -291,7 +288,8 @@ int main(int argc, char **argv) {
   if (nb_devices == nb_failed_devices) {
     if (geteuid() != 0)
       fprintf(stderr, "To run nethogs without being root, you need to enable "
-                      "capabilities on the program (cap_net_admin, cap_new_raw). "
+                      "capabilities on the program (cap_net_admin, cap_net_raw, "
+                      "cap_dac_read_search, cap_sys_ptrace). "
                       "See the documentation for details.\n");
     forceExit(false, "Error opening pcap handlers for all devices.\n");
   }
@@ -300,6 +298,10 @@ int main(int argc, char **argv) {
 
   struct dpargs *userdata = (dpargs *)malloc(sizeof(struct dpargs));
 
+  if ((!tracemode) && (!DEBUG)) {
+    init_ui();
+  }
+
   // Main loop:
   int refresh_count = 0;
   while (1) {