
setting sysctl net.ipv4.ping_group_range



There are several examples of packages installing files to
/usr/lib/sysctl.d, but I haven't found any specific guidance on policies
about what's appropriate for them.  Since sysctl variables change the
system behavior in a way that's not limited to the package changing the
setting, and since the package in question (iputils-ping) is Priority:
important and part of the default install, I won't want to make any
changes without consulting here first.

See bug #1008281 for context. [1]

The proposal is to install /usr/lib/sysctl.d/iputils-ping.conf with the
following content:
net.ipv4.ping_group_range="0 2147483647"

With that in place, unprivileged users are able to execute ping for both
IPv4 and IPv6 targets without cap_net_raw (currently set as either a
file-based attribute on the ping binary or acquired via setuid).  But
since that applies system-wide, not just to the ping binary, there may
be objections.

After applying this change, I believe it'd be appropriate to drop ping's
setcap/setuid settings from postinst altogether, though I'd be open to
other options. [2]

noah

1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008281
2. https://salsa.debian.org/debian/iputils/-/blob/master/debian/iputils-ping.postinst
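
An added example, not part of the original message or of the iputils packaging: a Python check of which of a process's groups fall inside net.ipv4.ping_group_range, plus a probe that tries to open the unprivileged ICMP datagram sockets the setting controls (no packet is sent). The function names are hypothetical, and the reading of the kernel default "1 0" as an empty range follows the kernel's ip-sysctl documentation.

```python
import os
import socket

PROC_PATH = "/proc/sys/net/ipv4/ping_group_range"

def parse_range(text):
    """Parse the two-integer value as /proc shows it, e.g. '0\\t2147483647'."""
    fields = text.split()
    if len(fields) != 2:
        raise ValueError("expected two integers, got %r" % text)
    return int(fields[0]), int(fields[1])

def audit(range_text, gids):
    """Report the range, whether it is empty, and which gids it admits."""
    low, high = parse_range(range_text)
    return {
        "range": (low, high),
        # low > high (the kernel default "1 0") admits no group at all
        "disabled": low > high,
        # the range is inclusive; effective and supplementary gids both count
        "matching_gids": sorted(g for g in set(gids) if low <= g <= high),
    }

def probe_ping_sockets():
    """Try to open ICMP datagram sockets for IPv4 and IPv6 without sending."""
    families = (
        ("ipv4", socket.AF_INET, socket.IPPROTO_ICMP),
        ("ipv6", socket.AF_INET6, socket.IPPROTO_ICMPV6),
    )
    results = {}
    for name, family, proto in families:
        try:
            socket.socket(family, socket.SOCK_DGRAM, proto).close()
            results[name] = True
        except OSError:  # includes PermissionError when the gid is out of range
            results[name] = False
    return results

if __name__ == "__main__":
    with open(PROC_PATH) as handle:
        current = handle.read()
    my_gids = [os.getegid()] + os.getgroups()
    print(audit(current, my_gids))
    print(probe_ping_sockets())
```

Run as an ordinary user before and after installing the sysctl.d file to confirm that the sockets open without cap_net_raw or setuid on the ping binary.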

