Re: setting sysctl net.ipv4.ping_group_range



On Jan 02, Noah Meyerhans <noahm@debian.org> wrote:

> With that in place, unprivileged users are able to execute ping for both
> IPv4 and IPv6 targets without cap_net_raw (currently set as either a
> file-based attribute on the ping binary or acquired via setuid).  But
> since that applies system-wide, not just to the ping binary, there may
> be objections.

I do not think that the submitter made clear why this would be 
preferable, so I had to research it myself. See:

https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange
https://github.com/systemd/systemd/pull/13141

Since this is one of the systemd sysctl defaults (of which I think that 
we should adopt more, especially the network-related ones!) I agree with 
changing this.
I would just do it in the systemd package to allow all packages 
to benefit from it without having to care if ping is installed.

-- 
ciao,
Marco

Attachment: signature.asc
Description: PGP signature
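
Added example, not part of the original message or of any package discussed in it: a Python check for how `net.ipv4.ping_group_range` applies to the current process and whether a ping binary still carries setuid or file capabilities. The `/bin/ping` path and the function names are assumptions made for illustration.

```python
import os
import socket
import stat

SYSCTL = "/proc/sys/net/ipv4/ping_group_range"

def parse_range(text):
    """Parse the sysctl value 'LOW HIGH' (whitespace separated) into ints."""
    low, high = (int(x) for x in text.split())
    return low, high

def gid_allowed(rng, gids):
    """True if any GID (effective or supplementary) lies in the inclusive range.
    A range with LOW > HIGH, such as the kernel default '1 0', matches nobody."""
    low, high = rng
    return any(low <= g <= high for g in gids)

def binary_privileges(path):
    """Report whether a binary still has the setuid bit or file capabilities."""
    try:
        st = os.stat(path)
    except OSError:
        return None  # binary not present at this path
    try:
        has_caps = bool(os.getxattr(path, "security.capability"))
    except (OSError, AttributeError):
        has_caps = False  # no capability xattr, or xattrs unsupported here
    return {"setuid": bool(st.st_mode & stat.S_ISUID), "file_caps": has_caps}

def can_open_ping_socket():
    """Try to create an unprivileged ICMP datagram socket; nothing is sent."""
    try:
        socket.socket(socket.AF_INET, socket.SOCK_DGRAM,
                      socket.IPPROTO_ICMP).close()
        return True
    except OSError:
        return False

if __name__ == "__main__":
    try:
        with open(SYSCTL) as f:
            rng = parse_range(f.read())
    except OSError:
        rng = (1, 0)  # assumption: treat an unreadable sysctl as disabled
    gids = {os.getegid(), *os.getgroups()}
    print("range:", rng, "gid in range:", gid_allowed(rng, gids))
    print("ping socket opens:", can_open_ping_socket())
    print("/bin/ping (assumed path):", binary_privileges("/bin/ping"))
```
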