Matthias Gerstner changed bug 1174504
CC added: matthias.gerstner@suse.com

Comment # 2 on bug 1174504 from
(In reply to Andreas.Stieger@gmx.de from comment #0)
> ping tools currently ship with CAP_NET_RAW. Consider dropping this in favor
> of using ICMP_PROTO sockets (a.k.a. dgram icmp, "ping sockets"). These are
> enabled via sysctl ping_group_range (net.ipv4.ping_group_range
> /proc/sys/net/ipv4/ping_group_range - covering IPv6 as well)
[...]
> If reviewed okay, ship the sysctl preset to allow interactive users by
> default, and update iputils and fping to remove the capability (and others).
> iputils has had this support for a while, fping since 4.3.

Security-wise the ICMP_PROTO sockets would be better. Currently we have:

- capability to create SOCK_RAW which allows the ping/fping programs to do
  pretty much everything on raw socket level.

With ICMP_PROTO sockets we would have:

- only processes with certain group IDs are granted permission to create these
  sockets
- only ICMP ECHO requests can be sent and nothing else

I only see a problem in the group configuration in ping_group_range. Currently
everybody in the system is allowed to ping. Pinging other hosts is a pretty
common operation also in scripts and system daemons. So how can we sensibly
select a safe and compatible range of group IDs for this?

In the simplest case we'd simply allow everybody to open ICMP_PROTO sockets
and would still be safer than with the current capability solution.

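To make the two knobs discussed above concrete, here is an added audit helper (example code, not part of the bug report, iputils or fping): it classifies a net.ipv4.ping_group_range value (the kernel default "1 0" means nobody may open ping sockets, "0 2147483647" means everybody), checks whether a GID falls inside the range, and checks whether a getcap(8) line still grants cap_net_raw. The binary paths and the getcap output lines are constructed sample values.

```shell
#!/bin/sh
# Added audit helper; assumes getcap(8) from libcap for the live check.

# Classify "<min> <max>": disabled (min > max, kernel default "1 0"),
# everybody (0 .. 2147483647) or limited (any other range).
classify_ping_group_range() {
    set -- $1
    if [ "$1" -gt "$2" ]; then
        echo disabled
    elif [ "$1" -le 0 ] && [ "$2" -ge 2147483647 ]; then
        echo everybody
    else
        echo limited
    fi
}

# Return 0 if GID $1 lies inside range "$2" ("<min> <max>").
gid_in_ping_range() {
    gid=$1
    set -- $2
    [ "$gid" -ge "$1" ] && [ "$gid" -le "$2" ]
}

# Return 0 if a getcap(8) output line still grants cap_net_raw, e.g.
# "/usr/bin/ping cap_net_raw=ep" or "/usr/bin/ping = cap_net_raw+ep".
getcap_line_has_net_raw() {
    case "$1" in
        *cap_net_raw*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check of the running system; silently skipped without /proc or getcap.
audit_system() {
    range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null) || return 0
    echo "ping_group_range: $range ($(classify_ping_group_range "$range"))"
    command -v getcap >/dev/null 2>&1 || { echo "getcap not found"; return 0; }
    for bin in /usr/bin/ping /usr/bin/fping; do   # constructed sample paths
        [ -e "$bin" ] || continue
        if getcap_line_has_net_raw "$(getcap "$bin" 2>/dev/null)"; then
            echo "$bin: still carries cap_net_raw"
        else
            echo "$bin: no cap_net_raw file capability"
        fi
    done
}

audit_system
```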