The Guru College

setcap vs setuid

Today I discovered the Linux setcap functionality, which I should have learned about a long time ago. It is a way of setting extended attributes in ext3 and ext4 file systems, allowing a file to have additional privileges without having to give away the farm with something like setuid. Much like using the sudoers file to give specific users root access to specific executables, setcap can be used to give a network utility the ability to use raw sockets (the cap_net_raw capability) without also requiring root privileges. System administrators should still be careful setting these flags – there are reasons that raw sockets are usually reserved for root. However, when you need to run a network utility via Nagios (for example) and don’t want to setuid root and don’t want to run Nagios as root, setcap is your friend.

For example:

setcap cap_net_raw=ep /usr/sbin/hping3

setcap privileges can be removed with the -r flag.
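
To audit what a setcap call actually granted, the extended attribute it writes (security.capability) can be decoded directly. The following is an added example, not part of the original post: the function names are hypothetical, the capability table is a subset, and SAMPLE is a constructed value matching cap_net_raw=ep.

```python
import os
import struct
import sys

# Capability numbers from linux/capability.h (subset; others print as cap_<n>).
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid",
             10: "cap_net_bind_service", 12: "cap_net_admin",
             13: "cap_net_raw", 21: "cap_sys_admin"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> number of 32-bit (permitted, inheritable) pairs;
# revision 3 appends a rootid field, which this decoder ignores.
REVISION_WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}


def _names(mask):
    return [CAP_NAMES.get(n, f"cap_{n}") for n in range(64) if mask >> n & 1]


def decode_file_caps(raw):
    """Decode a security.capability xattr value (struct vfs_cap_data)."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    words = REVISION_WORDS.get(magic_etc & VFS_CAP_REVISION_MASK)
    if words is None or len(raw) < 4 + 8 * words:
        raise ValueError("unknown revision or truncated xattr")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": _names(permitted),
            "inheritable": _names(inheritable)}


def audit(path):
    """Return decoded capabilities for path, or None if it has none."""
    try:
        return decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError:  # no such attribute, no such file, or unsupported fs
        return None


# Constructed sample: the 20-byte value for cap_net_raw=ep (revision 2).
SAMPLE = bytes.fromhex("01000002" "00200000" "00000000" "00000000" "00000000")

if __name__ == "__main__":
    print("sample:", decode_file_caps(SAMPLE))
    for p in sys.argv[1:]:
        print(p, audit(p))
```

Run it with one or more file paths as arguments to see which binaries carry file capabilities; a file that prints None has no security.capability attribute.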
