FS#63710 - [iputils] consider dropping cap_net_raw on ping
Attached to Project:
Arch Linux
Opened by Ronan Pigott (Brocellous) - Tuesday, 10 September 2019, 08:15 GMT
Last edited by Tobias Powalowski (tpowa) - Sunday, 06 September 2020, 15:35 GMT
Details
Description:
Description:
Since systemd 243, the net.ipv4.ping_group_range sysctl is set to encompass all groups, so special permissions are no longer necessary to send ICMP echo packets. iputils currently sets cap_net_raw=ep for ping on install, but with the above changes, dropping it may be worth considering. Note that ping can also send ICMPv6 node information queries with -N, which still require cap_net_raw even with the sysctl set.

Additional info:
* package version(s)
systemd 243.0-1
iputils 20180629.f6aac8d-4
Closed by Tobias Powalowski (tpowa)
Sunday, 06 September 2020, 15:35 GMT
Reason for closing: Fixed
Additional comments about closing: iputils-20200821-1
Otherwise this change would restrict the intended functionality of the ping command, which is hard to justify, except that it is used by so few people that they could add the capability back on their own, and the security gains are big.
Not requiring the capability allows the ping utility to work in situations where cap_net_raw has been dropped. Why this is useful in containers was discussed in this recent talk at DockerCon: https://youtu.be/4d8K1w1GLq4.
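A check an administrator can run on their own host for what the report and the last comment describe: whether the current gid falls inside net.ipv4.ping_group_range (so plain ping works without cap_net_raw) and whether the installed ping binary still carries file capabilities. This is an added example, not part of the bug report or of iputils; it assumes the standard sysctl path /proc/sys/net/ipv4/ping_group_range, the kernel default range "1 0" and the systemd 243 default "0 2147483647".

```shell
#!/bin/sh
# Added example (not from the bug report): check whether this user can use
# unprivileged ICMP echo sockets via net.ipv4.ping_group_range, and whether
# the installed ping still carries file capabilities.

# gid_in_range GID "LOW HIGH": succeed when LOW <= GID <= HIGH.
# The kernel default "1 0" is an empty range (nobody gets ICMP sockets);
# systemd >= 243 sets "0 2147483647", i.e. every group.
gid_in_range() {
    gid=$1
    set -- $2
    low=$1; high=$2
    [ "$low" -le "$high" ] && [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]
}

# range_covers_all "LOW HIGH": succeed when the range spans every gid.
range_covers_all() {
    set -- $1
    [ "$1" -eq 0 ] && [ "$2" -ge 2147483647 ]
}

# Report on the live system (Linux only; standard sysctl path assumed).
check_live() {
    range_file=/proc/sys/net/ipv4/ping_group_range
    if [ ! -r "$range_file" ]; then
        echo "$range_file not readable: no unprivileged ICMP sockets here"
        return 2
    fi
    range=$(cat "$range_file")
    gid=$(id -g)
    if gid_in_range "$gid" "$range"; then
        echo "gid $gid is inside ping_group_range ($range): ping works without cap_net_raw"
    else
        echo "gid $gid is outside ping_group_range ($range): ping needs cap_net_raw (or setuid root)"
    fi
    # File capabilities on the binary. ping -N (ICMPv6 node information
    # queries) still needs cap_net_raw regardless of the sysctl.
    ping_path=$(command -v ping) || return 0
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$ping_path")
        if [ -n "$caps" ]; then
            echo "file capabilities still present: $caps"
        else
            echo "$ping_path carries no file capabilities"
        fi
    fi
}
if [ "${1:-}" = "--check" ]; then check_live; fi
```

Run it as `sh check_ping.sh --check`; the two helper functions can also be sourced and used on their own.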