X-Git-Url: https://git.octo.it/?a=blobdiff_plain;f=README;h=95ae19b39dc61f71e56a3949370dd46872203334;hb=6c682f99f7b995e1c155ab2627687cece54dbfbc;hp=474a8dd3eb3322548373ed61ace690801cc3baf4;hpb=cbfa921fb30702b98ba0353f551c9340d0928655;p=liboping.git diff --git a/README b/README index 474a8dd..95ae19b 100644 --- a/README +++ b/README 
@@ -35,6 +35,49 @@ Perl bindings “--without-perl-bindings”. +Permissions +━━━━━━━━━━━━━ + + On UNIX, special permissions are required to open raw sockets (raw(7)). If + you compile and install the “oping” and “noping” binaries as normal user + (which is strongly suggested), you won't be able to use the binaries as a + normal user, because you won't have the permission to open raw sockets. + + The “install” target will automatically try fix this, if it is run with UID~0 + (as user root). When on Linux, the capabilities described below will be + added. On other UNIXes the traditional Set-UID method (also described below) + is used instead. The build system will not abort if this fails, because there + are file systems which do not support either method. Also, the Debian + packaging system and possibly other scenarios only act as if they were + running as root. + + Linux + ━━━━━ + On Linux, the preferred method is to assign the required “capability” to the + binaries. This will allow the binary to open raw sockets, but doesn't give + any other permissions such as reading other users' files or shutting down the + system. The downside is that this mechanism is comparatively new: Assigning + capabilities to files is available since Linux 2.6.24. + + To set the required capabilities, run (as user root): + + # setcap cap_net_raw=ep /opt/oping/bin/oping + # setcap cap_net_raw=ep /opt/oping/bin/noping + + Other UNIX + ━━━━━━━━━━ + Capabilities are a nice but Linux-specific solution. To make “oping” and + “noping” available to unprivileged users on other UNIX systems, use the + traditional set-UID root solution. If your system supports “saved set-UIDs” + (basically all systems do), the applications will drop the privileges during + initialization and only regain them when actually opening the socket(s). + + To set the set-UID bit, run (as user root): + + # chown root: /opt/oping/bin/{,n}oping + # chmod u+s /opt/oping/bin/{,n}oping + + Licensing terms ━━━━━━━━━━━━━━━ 
@@ -50,5 +93,5 @@ Licensing terms Author ━━━━━━ - Florian octo Forster + Florian “octo” Forster
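Review bot: In the "Other UNIX" part of the Permissions hunk, "chown root: /opt/oping/bin/{,n}oping" and "chmod u+s /opt/oping/bin/{,n}oping" depend on brace expansion, which bash, ksh and zsh perform but a plain POSIX sh does not. On a system where root's shell is such a sh, the path is passed literally and both commands fail. Please spell out the two paths on separate lines, as the setcap commands in the Linux part already do. Because the text says the build system will not abort when the install step fails, it would also help to tell the reader how to check the outcome afterwards, for example with getcap on Linux and with "ls -l" for the set-UID bit elsewhere, so that a silently skipped step shows up before an unprivileged user hits a raw-socket permission error. Minor wording: "will automatically try fix this" should read "try to fix this", "as normal user" should read "as a normal user", and "UID~0" looks like a leftover non-breaking-space marker for "UID 0".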