[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: make ping executable by normal users?

On Thu, Jun 2, 2016 at 2:33 PM, Santiago Vila <sanvila@unex.es> wrote:
> On Thu, Jun 02, 2016 at 01:56:08PM -0800, Britton Kerin wrote:
>> On my old debian system I could ping as a normal user.  The ping
>> binary had the suid bit set.  Now I get:
>>     $ ping www.google.com
>>     ping: icmp open socket: Operation not permitted
>>     2 $
>> presumably because the bit isn't set.
>> What's the right fix?  I could setuid it but then if I understand
>> correctly it might get changed back by an upgrade.  Does it use
>> capabilites or something?
> Yes, it uses capabilities. The simple fix is to do this:
> dpkg-reconfigure iputils-ping

Well, that works, thanks.  But I really don't get the overall behavior.
It says this:

     root@debian:/home/bkerin# dpkg-reconfigure iputils-ping
     Setcap worked! Ping(6) is not suid!

And then ping works for non-root users.

How, just by executing dpkg-reconfigure, did I tell it this is what
I wanted?  If that's the default, why wasn't it that way to begin with?

More generally, is it somehow possible to still run debian without
capabilities?  I hate them.  The simple root-or-not security model
is much simpler and doesn't promise more than it can really
deliver.  I'm sad to see capabilities now as the default.


Reply to: