[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: make ping executable by normal users?

On Tue, Jun 07, 2016 at 02:56:11PM -0800, Britton Kerin wrote:
> On Thu, Jun 2, 2016 at 2:33 PM, Santiago Vila <sanvila@unex.es> wrote:
> > On Thu, Jun 02, 2016 at 01:56:08PM -0800, Britton Kerin wrote:
> >> On my old debian system I could ping as a normal user.  The ping
> >> binary had the suid bit set.  Now I get:
> >>
> >>     $ ping www.google.com
> >>     ping: icmp open socket: Operation not permitted
> >>     2 $
> >>
> >> presumably because the bit isn't set.
> >
> > Yes, it uses capabilities. The simple fix is to do this:
> >
> > dpkg-reconfigure iputils-ping
> Well, that works, thanks.  But I really don't get the overall behavior.
> It says this:
>      root@debian:/home/bkerin# dpkg-reconfigure iputils-ping
>      Setcap worked! Ping(6) is not suid!
>      root@debian:/home/bkerin#
> And then ping works for non-root users.
> How, just by executing dpkg-reconfigure, did I tell it this is what
> I wanted?  If that's the default, why wasn't it that way to begin with?

It is supposed to work on initial installation as well -- the decision
whether to setcap or setuid is made anew whenever iputils-ping is
configured.  Did you do something out of ordinary, like tarring and
restoring or otherwise moving your system around?  If so, that's
unfortunately an expected thing -- if not, it'd be nice to know what
else could have failed.

> More generally, is it somehow possible to still run debian without
> capabilities?  I hate them.

Yes, apt-get purge libcap2-bin.

This won't undo existing capabilities in the filesystem, you can search for
them with getcap -r, then dpkg --reconfigure them to use setuid instead.

> The simple root-or-not security model is much simpler and doesn't promise
> more than it can really deliver.

Giving only limited capabilities greatly reduces possible attacks.  If
someone manages to subvert ping, in the setuid model he gains full root.  In
the capability model, all he gets is cap_net_raw.  The damage from being
able to create raw sockets is rather limited.  Another such capability is
for example cap_net_bind_service which lets your http/whatever server to
listen on port 80 without being root.  And so on...

On the other hand, setcap does have its downsides, like surprising some
sysadmins or tools.

> I'm sad to see capabilities now as the default.

I'd say the upside outweights the downsides.  But, you do get to choose.

An imaginary friend squared is a real enemy.

Reply to: