http://bugzilla.opensuse.org/show_bug.cgi?id=1174504

Bug ID: 1174504
Summary: AUDIT-0: allow ping and ICMP commands without CAP_NET_RAW
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.1
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: Andreas.Stieger@gmx.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

ping tools currently ship with CAP_NET_RAW. Consider dropping this in favor of using ICMP_PROTO sockets (a.k.a. dgram icmp, "ping sockets"). These are enabled via the sysctl ping_group_range (net.ipv4.ping_group_range, /proc/sys/net/ipv4/ping_group_range; it covers IPv6 as well) and are supported since kernel 3.0 (IPv4) and 3.11 (IPv6).
https://github.com/torvalds/linux/commit/c319b4d76b9e583a5d88d6bf190e079c4e4...

This would remove the need for RAW socket access while still allowing users to do the same thing they can do now.

iputils:
/usr/bin/ping = cap_net_raw+p
/usr/bin/ping6 -> /usr/bin/ping
https://github.com/openSUSE/permissions/blob/master/profiles/permissions.sec...

fping:
/usr/sbin/fping = cap_net_raw+ep
https://github.com/openSUSE/permissions/blob/master/profiles/permissions.sec...

Last touched via bug 1047921 AUDIT-0: fping: possibly allow users to run non-disruptive options

User-mode traceroute -I would start working.

If reviewed okay, ship the sysctl preset to allow interactive users by default, and update iputils and fping to remove the capability (and others). iputils has had this support for a while, fping since 4.3.
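As an added illustration (not code from iputils, fping, or the kernel commit referenced in the report), this C program shows the two checks the proposal rests on: whether the caller's gid falls inside net.ipv4.ping_group_range, and whether the kernel hands out an ICMP datagram socket without CAP_NET_RAW. It assumes Linux with glibc; the function and enum names are made up for this example.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example (not iputils or fping code); names below are illustrative. */
enum ping_sock_status { PING_SOCK_OK, PING_SOCK_DENIED, PING_SOCK_UNSUPPORTED, PING_SOCK_ERROR };

/* Parse a ping_group_range line such as "0 2147483647" or "1 0" (the kernel
 * default, which admits no group) and report whether gid lies in the inclusive
 * range. Returns 1 if inside, 0 if outside, -1 if the line is malformed. */
int gid_in_ping_group_range(const char *line, unsigned long gid)
{
    unsigned long lo, hi;
    if (sscanf(line, "%lu %lu", &lo, &hi) != 2)
        return -1;
    return (lo <= gid && gid <= hi) ? 1 : 0;  /* "1 0": lo > hi, never inside */
}

/* Open an ICMP datagram socket, which needs no CAP_NET_RAW, and classify why
 * it failed. EACCES: none of the caller's gids is in ping_group_range.
 * EPROTONOSUPPORT/EAFNOSUPPORT: kernel or address family lacks ping sockets. */
enum ping_sock_status probe_ping_socket(int family)
{
    int proto = (family == AF_INET6) ? IPPROTO_ICMPV6 : IPPROTO_ICMP;
    int fd = socket(family, SOCK_DGRAM, proto);
    if (fd >= 0) { close(fd); return PING_SOCK_OK; }
    switch (errno) {
    case EACCES:          return PING_SOCK_DENIED;
    case EPROTONOSUPPORT:
    case EAFNOSUPPORT:    return PING_SOCK_UNSUPPORTED;
    default:              return PING_SOCK_ERROR;
    }
}

int main(void)
{
    char line[64] = "";
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (f && fgets(line, sizeof line, f))
        printf("egid %lu inside ping_group_range: %d\n",
               (unsigned long)getegid(), gid_in_ping_group_range(line, getegid()));
    if (f) fclose(f);
    printf("IPv4 ping socket: %d, IPv6 ping socket: %d (0=ok 1=denied 2=unsupported 3=error)\n",
           probe_ping_socket(AF_INET), probe_ping_socket(AF_INET6));
    return 0;
}
```

A result of 1 (denied) for an unprivileged user is what the proposed sysctl preset is meant to turn into 0 without handing the binary any capability.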