Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#63710 - [iputils] consider dropping cap_net_raw on ping

Attached to Project: Arch Linux
Opened by Ronan Pigott (Brocellous) - Tuesday, 10 September 2019, 08:15 GMT
Last edited by Tobias Powalowski (tpowa) - Sunday, 06 September 2020, 15:35 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:

Since systemd 243, the net.ipv4.ping_group_range sysctl is set to encompass all groups, so special permissions are no longer necessary to send icmp echo packets.

iputils currently sets cap_net_raw=ep for ping on install, but maybe with the above changes this is worth considering dropping.

note that ping can also send icmpv6 node information queries with -N, which still require cap_net_raw even with the sysctl set.

Additional info:
* package version(s)
systemd 243.0-1
iputils 20180629.f6aac8d-4
This task depends upon

Closed by  Tobias Powalowski (tpowa)
Sunday, 06 September 2020, 15:35 GMT
Reason for closing:  Fixed
Additional comments about closing:  iputils-20200821-1
Comment by fightcookie (fightcookie) - Sunday, 03 November 2019, 09:43 GMT
@Brocellous Is there a way to keep the icmpv6 node information queries working while dropping the capability?
Otherwise this change would restrict the intended functionality of the ping command, which is hard to justify, except it is used by so little people, that they could add the capability back on their own and the security gains are big.
Comment by Christopher Cooper (cg505) - Friday, 29 May 2020, 21:31 GMT
  • Field changed: Percent Complete (100% → 0%)
This is still relevant and I believe it should still be addressed. To respond to fightcookie, I don't think there is a way for -N to work without cap_net_raw, but I think this option is extremely uncommon, and those that need it can manually add the capability or run ping as root.

Not requiring the capability allows the ping utility to work in situations where cap_net_raw has been dropped. Why this is useful in containers was discussed in this recent talk at DockerCon: https://youtu.be/4d8K1w1GLq4.

Loading...