[Buildroot] [PATCH] iputils: fix ping and traceroute6 executable permissions

Baruch Siach baruch at tkos.co.il
Sun Jan 14 05:50:46 UTC 2018


Hi Yann,

On Sat, Jan 13, 2018 at 11:37:09PM +0100, Yann E. MORIN wrote:
> Matt, Einar, All,
> 
> On 2018-01-13 15:54 -0600, Matthew Weber spake thusly:
> > On Sat, Jan 13, 2018 at 2:19 PM,  <tolvupostur at gmail.com> wrote:
> > > From: Einar Jon Gunnarsson <tolvupostur at gmail.com>
> > > The iputils executables are installed without the setuid bit set,
> > > which prevents some programs from working.
> > >
> > 
> > Does your use case involve a system with non-root users?
> > 
> > Could you describe what you mean by "some programs"?
> > 
> > The landscape of how ping gets elevated privileges for raw socket
> > access has a number of options (setuid / cap_net_raw capability / new
> > socket type).   The backwards compatible fix would be to use setuid
> > but from a security hardening aspect, I wish we could set capabilities
> > for this instead.  The issue I see is the filesystem type dependency
> > so we can pre-set the capabilities in xattribs.   I'll have to ask
> > around if setuid vs capabilities has come up before but as most
> > buildroot systems run as root, I'm guessing it hasn't been a hot
> > topic.
> > 
> > Some backstory on Ubuntu's situation, I believe as of 16.04 they still
> > did setuid but have selectively transitioned to not.
> > https://bugs.launchpad.net/ubuntu/+source/iputils/+bug/534341
> 
> Still the case in 17.10, and if I remove the setuid bit, it fails:
> 
>     $ ping some-host
>     ping: socket: Operation not permitted

The Debian iputils changelog[1] reads:

iputils (3:20121221-6) UNRELEASED; urgency=medium

  * Remove setuid bits on binaries if setcap succeeds during 
    reconfigure. (Closes: 778500)

setuid seems not to be set on my Debian testing machine:

$ ls -l /bin/ping
-rwxr-xr-x 1 root root 61240 Nov 10  2016 /bin/ping

The Ubuntu changelog[2] says this:

iputils (3:20150815-2ubuntu1) yakkety; urgency=low

  * Merge from Debian unstable (LP: #1592425).  Remaining changes:
    - Support cross-building
    - Mark ping and ping6 setuid again as there's currently no good ways
      to have capabilities be kept in all our images.

[1] https://tracker.debian.org/media/packages/i/iputils/changelog-3%3A20161105-1

[2] https://launchpad.net/ubuntu/+source/iputils/+changelog

> > > +define IPUTILS_PERMISSIONS
> > > +       /bin/ping        f 4755 0 0 - - - - -
> > > +       /bin/traceroute6 f 4755 0 0 - - - - -
> > > +endef
> > 
> > The package installs other binaries when IPUTILS_INSTALL_TARGET_CMDS
> > executes, did you confirm that none of the others also require it?

baruch

-- 
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il -



More information about the buildroot mailing list