[Bug 1174504] AUDIT-0: allow ping and ICMP commands without CAP_NET_RAW
https://bugzilla.suse.com/show_bug.cgi?id=1174504
https://bugzilla.suse.com/show_bug.cgi?id=1174504#c2

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |matthias.gerstner@suse.com

--- Comment #2 from Matthias Gerstner <matthias.gerstner@suse.com> ---
(In reply to Andreas.Stieger@gmx.de from comment #0)
> ping tools currently ship with CAP_NET_RAW. Consider dropping this in favor
> of using ICMP_PROTO sockets (a.k.a. dgram icmp, "ping sockets"). These are
> enabled via sysctl ping_group_range (net.ipv4.ping_group_range
> /proc/sys/net/ipv4/ping_group_range - covering IPv6 as well)
> [...]
> If reviewed okay, ship the sysctl preset to allow interactive users by
> default, and update iputils and fping to remove the capability (and others).
> iputils has had this support for a while, fping since 4.3.
Security-wise the ICMP_PROTO sockets would be better. Currently we have:

- capability to create SOCK_RAW which allows the ping/fping programs to do
  pretty much everything on raw socket level.

With ICMP_PROTO sockets we would have:

- only processes with certain group IDs are granted permission to create
  these sockets
- only ICMP ECHO requests can be sent and nothing else

I only see a problem in the group configuration in ping_group_range.
Currently everybody in the system is allowed to ping. Pinging other hosts is
a pretty common operation also in scripts and system daemons. So how can we
sensibly select a safe and compatible range of group IDs for this?

In the simplest case we'd simply allow everybody to open ICMP_PROTO sockets
and would still be safer than with the current capability solution.
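As an added example that is not part of the bug report nor of iputils or fping, the C program below opens the IPPROTO_ICMP datagram socket ("ping socket") discussed above, checks the caller's effective group against the text of net.ipv4.ping_group_range, and sends one echo request without holding CAP_NET_RAW. The /proc path is the one named in the bug; the destination 127.0.0.1 is a constructed sample.

```c
/* Added example, not from the bug report: exercise the "ping socket" path so
 * an unprivileged process can send ICMP ECHO without CAP_NET_RAW.
 * Assumes Linux with glibc; the sysctl path is the one named in the bug. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parse "<low> <high>" from ping_group_range; the kernel default "1 0" is an
 * empty range, i.e. nobody may open ping sockets. */
int gid_in_ping_range(const char *range_text, gid_t gid)
{
    unsigned long lo, hi;
    if (sscanf(range_text, "%lu %lu", &lo, &hi) != 2)
        return 0;                               /* unparsable: treat as denied */
    return lo <= hi && lo <= gid && gid <= hi;
}

/* Open an IPPROTO_ICMP datagram socket; no capability is needed. Returns -1
 * with errno EACCES when the caller's gid is outside ping_group_range, or
 * EPROTONOSUPPORT when the kernel was built without ping sockets. */
int open_ping_socket(void)
{
    return socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
}

/* Send one ECHO request. On a ping socket the kernel accepts only type
 * ICMP_ECHO / code 0 and fills in the id and checksum itself, so unlike
 * SOCK_RAW the process cannot craft arbitrary ICMP or IP headers. */
int send_echo(int fd, const char *dst_ip)
{
    struct icmphdr hdr = { .type = ICMP_ECHO, .un.echo.sequence = htons(1) };
    struct sockaddr_in to = { .sin_family = AF_INET };
    if (inet_pton(AF_INET, dst_ip, &to.sin_addr) != 1) return -1;
    return (int)sendto(fd, &hdr, sizeof hdr, 0, (struct sockaddr *)&to, sizeof to);
}
int main(void)
{
    char range[64] = "1 0";                     /* kernel default if unreadable */
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (f) { if (!fgets(range, sizeof range, f)) strcpy(range, "1 0"); fclose(f); }
    range[strcspn(range, "\n")] = '\0';
    printf("ping_group_range=\"%s\" egid=%u allowed=%d\n", range,
           (unsigned)getegid(), gid_in_ping_range(range, getegid()));
    int fd = open_ping_socket();
    if (fd < 0) { perror("socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)"); return 1; }
    puts(send_echo(fd, "127.0.0.1") < 0 ? "sendto failed" : "echo request sent");
    return close(fd);
}
```

Run it once as an ordinary user and once after `sysctl -w net.ipv4.ping_group_range="1 0"` to see the EACCES path that the group configuration question above is about.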