Re: setting sysctl net.ipv4.ping_group_range
On 2023-01-02 at 13:55 -0800, Noah Meyerhans wrote:
> I'm entirely happy to reassign this request to systemd and have the
> setting applied more broadly. The question that arises then is what
> to
> do about the file-level capabilities on the ping binary. Ideally we
> drop them entirely (including the setuid fallback), but when?
>
> I could leave things completely decoupled, and simply wait until
> systemd
> makes the change and then upload iputils and assume that anybody
> upgrading iputils is also upgrading systemd. That seems to be what
> Fedora did, according to the fedoraproject.org wiki cited above.
> Alternatives would seem to involve some level of versioned
> dependency,
> which doesn't feel right.
>
> noah
Currently iputils-ping's postinst does (at configure):
> if command -v setcap > /dev/null; then
> if setcap cap_net_raw+ep /bin/ping; then
> chmod u-s /bin/ping
> else
> echo "Setcap failed on /bin/ping, falling back to setuid" >&2
> chmod u+s /bin/ping
> fi
> else
> echo "Setcap is not installed, falling back to setuid" >&2
> chmod u+s /bin/ping
> fi
I would change that to:
if sysctl -n net.ipv4.ping_group_range | grep -q -v '^1 0$'; then # N.B. this is a tab
# No need for elevated rights for ping when ping_group_range feature is in use
setcap '' /bin/ping 2> /dev/null || true
chmod u-s /bin/ping
elif command -v setcap > /dev/null; then
# If we have setcap is installed, try setting cap_net_raw+ep,
# which allows us to install our binaries without the setuid
# bit.
if setcap cap_net_raw+ep /bin/ping; then
chmod u-s /bin/ping
else
echo "Setcap failed on /bin/ping, falling back to setuid" >&2
chmod u+s /bin/ping
fi
else
echo "No ping_group_range and setcap is not installed, falling back to setuid" >&2
chmod u+s /bin/ping
fi
if ping_group_range is set ("1<tab>0" is the value when disabled, so
anything else means that the feature is configured for some groups),
then it disables capabilities and setuid.
Else it goes the existing route.
It is checking it *in the running kernel*, so if both iputils-ping and
procps (or whatever package is dropping the sysctl) are upgraded at the
same time, it would not detect until the *next* iputils upgrade after the
system is upgraded.
One might additionally check if there is a sysctl file there to enable the feature
(the problem would still bepresent if it is upgraded at the same time with
iputils-ping being upgraded *before* procps), but I think it's undesirable to leave
a non-working program after the update (for some reason, procps postinst doesn't seem
to automatically apply the newly dropped settings).
This code would also do the right thing™ if the existing kernel lacked support for the
feature, although this seems moot, as it has been there for more than a decade [1]. It
might happen on kFreeBSD, if it's a non-standard kernel where such feature was kept out
(which doesn't make much sense), or procps is not installed (despite being an 'important'
package).
Regards
1- https://lwn.net/Articles/422330/
Reply to: