-
-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for --unprivileged
mode (MacOS only)
#101
Comments
For IPv4/UDP we use raw socket so we may set the There is no We may, therefore, need to support both raw and non-raw IPv4/UDP modes, the former being more powerful (supports Dublin strategy) and requiring elevated privileges and the latter being less powerful but not requiring elevated privileges. |
For IPv4/ICMP the issue is that the platform byte order probing ( Edit: resolved in #721 |
One further issue to resolve is that the let icmp_send_socket = make_icmp_send_socket(config.source_addr)?;
let udp_send_socket = make_udp_send_socket(config.source_addr)?;
let recv_socket = make_recv_socket(config.source_addr)?; This limits us to requiring either both or neither to require elevated privileges. The solution to this problem is to only create the UDP send socket if running in UDP protocol mode, and only create the ICMP send socket in ICMP protocol mode. Note that the ICMP recv socket is needed and used by both. Edit: resolved in #647 |
We also need a way to be able to know, at startup, if the user is going to need to run with elevated privileges, such that we can error with a sensible message (currently handled in If we implement fallback logic (try ping socket first, fallback to raw) then we have to move the error handling to later in the process and account for the fact it will occur on a separate thread. This issue becomes simpler to solve if we force the user to be explicit are raw vs non-raw for both UDP and ICMP protocols. |
Running without requiring privileges could require the |
This looks interesting. It would be nice to not need the flag, but if it makes the code materially more complicated without it. I think that's fine to require it. |
Three reason why we want the user to be explicit about this:
|
First, of all thanks for your software, been using it as replacment of mtr for a while with great, clear results. about 1. That sounds like the kernel is missing an option to do this safely without the need of a privileged socket.. maybe talk to maintainers about it ? At least on linux the highly desirable behaviour is to run without privileges always whenever possible. (according to the kernel changelog it is even possible to do so with plain sockets in some cases https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=45af29ca761c275e350cca659856bc56f1035ef9) |
@crrodriguez if @fujiapple852 is amenable to talking to the maintainers, is that something you would have to contacts to do? Which ever option we finally go with, we should include in the error message for missing privileges that there is an unprivileged option available. |
Thanks @crrodriguez, I'm glad you are finding it useful.
It's a nice idea. To avoid the need to use a raw socket here we would need a way (i.e. a
The trouble is we don't know if the platform supports (or is configured to support) raw sockets until we try and open the socket. The current logic (0.8.0) used by Trippy is:
Note that the first check is redundant and exists only to allow a clear error message that links to https://github.com/fujiapple852/trippy#privileges vs showing some obscure socket open error. The logic I am proposing (and have implemented in #638) is:
The alternative proposed logic that I was considering would be (ignoring Paris and Dublin edge cases):
Whilst quite awkward to implement in Trippy today I think it would be possible. I not a fan of this approach however, there is a little bit to much "magic" here (try A, if it fails try B) and I feel it could lead to a confusing user experience. There is also the question of the unsupported Paris and Dublin UDP cases, which would have to be factored into the above logic somehow.
This is the approach I have taken in the WIP implementation, where the unsupported cases are detected during parameter validation and we fail:
The tui header also extends the protocol information to include the privilege level: Note that the current implementation does not preclude making it smarter in the future. Internally Trippy now has a PrivilegeMode: /// The privilege mode.
#[derive(Debug, Copy, Clone, Eq, PartialEq)]
pub enum PrivilegeMode {
/// Privileged mode.
Privileged,
/// Unprivileged mode.
Unprivileged,
} This is defaulted to This setup would allow for adding additional We may even chose to change the default If you were willing it would be great if you could take WIP code (#638) for a spin and see how it feels in practise (note: doesn't support IPv6 yet and hasn't been tested on all platforms, but should be mostly functional). Update: does not work at all on Linux yet. |
To my surprise, Linux does not allow setting Instead we must jump through some hoops to send |
Below is an overview of support for unprivileged icmp across platforms. As a quick explanation of the columns:
Therefore, at best, we can only support MacOS and Linux. However to support unprivileged icmp in Linux would require platform specific code which extends beyond the current socket abstraction layer and would require a signifiant refactor to support cleanly. It is worth noting that Linux, unlike MacOS, is the only platform which support the Therefore, for the initial implementation, this feature will be MacOS only. |
IPPROTO_ICMP
(aka ping
sockets)--unprivileged
mode (MacOS only)
Created #741 follow up task to add support for Linux. |
I think that makes sense and I'm personally not sure it's worth doing it for linux at all. I don't know how other people feel but I personally feel that just granting the raw sockets permission only made me comfortable using trippy. I don't know how much value add there is for not requiring it at all for linux. IMO where it would matter the most is on Windows where you only have full admin or not and it doesn't work there anyway. So my personal opinion is that it's not worth the work to do it for linux. |
[0.9.0] - 2023-11-30 Added - Added support for tracing flows ([#776](fujiapple852/trippy#776)) - Added support for `icmp` extensions ([#33](fujiapple852/trippy#33)) - Added support for `MPLS` label stack class `icmp` extension objects ([#753](fujiapple852/trippy#753)) - Added support for [paris] (https://github.com/libparistraceroute/libparistraceroute) ECMP routing for `IPv6/udp` ([#749](fujiapple852/trippy#749)) - Added `--unprivileged` (`-u`) flag to allow tracing without elevated privileges (macOS only) ([#101](fujiapple852/trippy#101)) - Added `--tui-privacy-max-ttl` flag to hide host and IP details for low ttl hops ([#766](fujiapple852/trippy#766)) - Added `toggle-privacy` (default: `p`) key binding to show or hide private hops ([#823](fujiapple852/trippy#823)) - Added `toggle-flows` (default: `f`) key binding to show or hide tracing flows ([#777](fujiapple852/trippy#777)) - Added `--dns-resolve-all` (`-y`) flag to allow tracing to all IPs resolved from DNS lookup entry ([#743](fujiapple852/trippy#743)) - Added `dot` report mode (`-m dot`) to output hop graph in Graphviz `DOT` format ([#582](fujiapple852/trippy#582)) - Added `flows` report mode (`-m flows`) to output a list of all unique tracing flows ([#770](fujiapple852/trippy#770)) - Added `--icmp-extensions` (`-e`) flag for parsing `IPv4`/`IPv6` `icmp` extensions ([#751](fujiapple852/trippy#751)) - Added `--tui-icmp-extension-mode` flag to control how `icmp` extensions are rendered ([#752](fujiapple852/trippy#752)) - Added `--print-config-template` flag to output a template config file ([#792](fujiapple852/trippy#792)) - Added `--icmp` flag as a shortcut for `--protocol icmp` ([#649](fujiapple852/trippy#649)) - Added `toggle-help-alt` (default: `?`) key binding to show or hide help ([#694](fujiapple852/trippy#694)) - Added panic handing to Tui ([#784](fujiapple852/trippy#784)) - Added official Windows `scoop` package ([#462](fujiapple852/trippy#462)) - Added official Windows `winget` package ([#460](fujiapple852/trippy#460)) - Release `musl` Debian `deb` binary asset ([#568](fujiapple852/trippy#568)) - Release `armv7` Linux binary assets ([#712](fujiapple852/trippy#712)) - Release `aarch64-apple-darwin` (aka macOS Apple Silicon) binary assets ([#801](fujiapple852/trippy#801)) - Added additional Rust Tier 1 and Tier 2 binary assets ([#811](fujiapple852/trippy#811)) Changed - [BREAKING CHANGE] `icmp` extension object data added to `json` and `stream` reports ([#806](fujiapple852/trippy#806)) - [BREAKING CHANGE] IPs field added to `csv` and all tabular reports ([#597](fujiapple852/trippy#597)) - [BREAKING CHANGE] Command line flags `--dns-lookup-as-info` and `--tui-preserve-screen` no longer require a boolean argument ([#708](fujiapple852/trippy#708)) - [BREAKING CHANGE] Default key binding for `ToggleFreeze` changed from `f` to `ctrl+f` ([#785](fujiapple852/trippy#785)) - Always render AS lines in hop details mode ([#825](fujiapple852/trippy#825)) - Expose DNS resolver module as part of `trippy` library ([#754](fujiapple852/trippy#754)) - Replaced unmaintained `tui-rs` crate with `ratatui` crate ([#569](fujiapple852/trippy#569)) Fixed - Reverse DNS lookup not working in reports ([#509](fujiapple852/trippy#509)) - Crash on NetBSD during window resizing ([#276](fujiapple852/trippy#276)) - Protocol mismatch causes tracer panic ([#745](fujiapple852/trippy#745)) - Incorrect row height in Tui hop detail navigation view for hops with no responses ([#765](fujiapple852/trippy#765)) - Unnecessary socket creation in certain tracing modes ([#647](fujiapple852/trippy#647)) - Incorrect byte order in `IPv4` packet length calculation ([#686](fujiapple852/trippy#686))
See for background.
The full set of ICMP sockets to support:
The text was updated successfully, but these errors were encountered: