Re: setting sysctl net.ipv4.ping_group_range



On Mon, Jan 02, 2023 at 10:09:44PM +0100, Marco d'Itri wrote:
> > With that in place, unprivileged users are able to execute ping for both
> > IPv4 and IPv6 targets without cap_net_raw (currently set as either a
> > file-based attribute on the ping binary or acquired via setuid).  But
> > since that applies system-wide, not just to the ping binary, there may
> > be objections.
> I do not think that the submitter made clear why this would be 
> preferable, so I had to research it myself. See:
> 
> https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange
> https://github.com/systemd/systemd/pull/13141
> 
> Since this is one of the systemd sysctl defaults (of which I think that 
> we should adopt more, especially the network-related ones!) I agree with 
> changing this.
> I would just do it in the systemd package to allow all packages 
> to benefit from it without having to care if ping is installed.

I'm entirely happy to reassign this request to systemd and have the
setting applied more broadly.  The question that arises then is what to
do about the file-level capabilities on the ping binary.  Ideally we
drop them entirely (including the setuid fallback), but when?

I could leave things completely decoupled, and simply wait until systemd
makes the change and then upload iputils and assume that anybody
upgrading iputils is also upgrading systemd.  That seems to be what
Fedora did, according to the fedoraproject.org wiki cited above.
Alternatives would seem to involve some level of versioned dependency,
which doesn't feel right.

noah
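The check a packager or administrator would want before dropping the file capability from ping, as an added example that is not part of the thread above: a small POSIX shell script that parses a net.ipv4.ping_group_range value (the "<low> <high>" pair the kernel exposes in /proc/sys/net/ipv4/ping_group_range, tab-separated when read from /proc), decides whether a given gid falls inside it, prints the sysctl.d drop-in line systemd ships by default, and, when run on a live system, reports whether the current user's gid is covered and whether the ping binary still carries cap_net_raw according to getcap. The function names and the sample range strings are this example's own constructions.

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread): reason about
# net.ipv4.ping_group_range, which lets members of the listed gid range open
# an ICMP Echo socket (SOCK_DGRAM/IPPROTO_ICMP) without CAP_NET_RAW.
# The kernel default "1 0" is an empty range (nobody); systemd's default
# sysctl.d snippet sets "0 2147483647" (every group).

# ping_gid_in_range RANGE GID -> exit 0 if GID lies inside RANGE, 1 otherwise.
# RANGE is "<low> <high>", separated by a space or by the tab /proc emits.
ping_gid_in_range() {
    range=$1
    gid=$2
    # Word-split on whitespace (default IFS covers both space and tab).
    set -- $range
    low=$1
    high=$2
    # An inverted pair such as "1 0" is the kernel's empty range.
    [ "$low" -le "$high" ] || return 1
    [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]
}

# sysctl_dropin -> the line one would put in /etc/sysctl.d/<name>.conf
# (the same key/value systemd applies by default); printed, not written,
# so the example has no side effects.
sysctl_dropin() {
    printf '%s\n' 'net.ipv4.ping_group_range = 0 2147483647'
}

# live_check -> read the running kernel's value, if /proc is present, and
# say whether ping needs file capabilities or setuid for the current gid.
live_check() {
    f=/proc/sys/net/ipv4/ping_group_range
    if [ ! -r "$f" ]; then
        echo "no $f on this system; skipping live check"
        return 0
    fi
    cur=$(cat "$f")
    gid=$(id -g)
    if ping_gid_in_range "$cur" "$gid"; then
        echo "gid $gid is within ping_group_range '$cur': ping works without cap_net_raw"
    else
        echo "gid $gid is outside ping_group_range '$cur': ping relies on file caps or setuid"
    fi
    # If the range covers everyone, a cap_net_raw file capability (or setuid
    # bit) on the ping binary is redundant; show what is currently set.
    pingbin=$(command -v ping || true)
    if [ -n "$pingbin" ] && command -v getcap >/dev/null 2>&1; then
        getcap "$pingbin" 2>/dev/null || echo "$pingbin carries no file capabilities"
        ls -l "$pingbin"
    fi
    return 0
}

live_check
```

Running the script on a host where systemd's default has been applied prints that the gid is within the range; on a host still at the kernel default "1 0" it reports that ping depends on the binary's file capability or setuid bit, which is exactly the state the thread is deciding how to transition away from.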
