[Bug 1174504] New: AUDIT-0: allow ping and ICMP commands without CAP_NET_RAW
http://bugzilla.opensuse.org/show_bug.cgi?id=1174504

Bug ID: 1174504
Summary: AUDIT-0: allow ping and ICMP commands without CAP_NET_RAW
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.1
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: Andreas.Stieger@gmx.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

ping tools currently ship with CAP_NET_RAW. Consider dropping this in favor of using ICMP_PROTO sockets (a.k.a. dgram icmp, "ping sockets"). These are enabled via sysctl ping_group_range (net.ipv4.ping_group_range, /proc/sys/net/ipv4/ping_group_range - covering IPv6 as well) and are supported since 3.0 and 3.11 for IPv6.

https://github.com/torvalds/linux/commit/c319b4d76b9e583a5d88d6bf190e079c4e4...

This would remove the need for RAW socket access while allowing users to do the same thing they can do now.

iputils:
/usr/bin/ping = cap_net_raw+p
/usr/bin/ping6 -> /usr/bin/ping
https://github.com/openSUSE/permissions/blob/master/profiles/permissions.sec...

fping:
/usr/sbin/fping = cap_net_raw+ep
https://github.com/openSUSE/permissions/blob/master/profiles/permissions.sec...

Last touched via bug 1047921 AUDIT-0: fping: possibly allow users to run non-disruptive options

User-mode traceroute -I would start working.

If reviewed okay, ship the sysctl preset to allow interactive users by default, and update iputils and fping to remove the capability (and others). iputils has had this support for a while, fping since 4.3.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1174504#c7
André Werlang
Hans-Peter Jansen
http://bugzilla.opensuse.org/show_bug.cgi?id=1174504#c8
--- Comment #8 from Hans-Peter Jansen
> Seems the change is incorrect (wrong quoting)?

It appears, you're right, without quotes, it behaves fine:

$ sysctl -p /usr/lib/sysctl.d/50-default.conf
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
net.ipv6.conf.default.use_tempaddr = 1
net.ipv4.ping_group_range = 0 2147483647
fs.inotify.max_user_watches = 65536
kernel.sysrq = 184
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.kptr_restrict = 1
Frances Scott
Frank Krüger
http://bugzilla.opensuse.org/show_bug.cgi?id=1174504#c10
Gene Snider
http://bugzilla.opensuse.org/show_bug.cgi?id=1174504#c11
--- Comment #11 from Hans-Peter Jansen
> I made the change to /usr/lib/sysctl.d/50-default.conf, and most of the errors stopped. However, I still get these two lines:
>
> Sep 16 16:13:04 Mobile-PC systemd[1]: Failed to start Apply Kernel Variables.
> Sep 16 16:13:04 Mobile-PC systemd-sysctl[222]: Couldn't write '"0 2147483647"' to 'net/ipv4/ping_group_range': Invalid argument
>
> Is there another file that contains that improperly formatted line?

Run mkinitrd
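The two mechanisms this thread turns on, the ping_group_range sysctl from the report and the quoted-value mistake behind the "Invalid argument" in comments #8 and #11, as an added Python example that is not from this bug thread or from openSUSE's packaging; the function names and the two sysctl.d sample lines are constructed for illustration:

```python
import re
import socket

# Constructed sysctl.d lines: the quoted form systemd-sysctl rejects with
# "Invalid argument" (comment #11), and the unquoted form that works.
SAMPLE_LINES = [
    'net.ipv4.ping_group_range = "0 2147483647"',
    'net.ipv4.ping_group_range = 0 2147483647',
]

GID_MAX = 2147483647  # largest gid accepted by net.ipv4.ping_group_range


def parse_ping_group_range(line):
    """Parse a sysctl.d line for net.ipv4.ping_group_range into (low, high).

    Raises ValueError for anything the kernel would refuse: quotes around
    the value, a field count other than two, or non-integer fields.
    """
    key, sep, value = line.partition("=")
    if not sep or key.strip() != "net.ipv4.ping_group_range":
        raise ValueError("not a ping_group_range line")
    fields = value.split()
    # A quoted value such as "0 2147483647" reaches the kernel with literal
    # double quotes, so the integer parse fails and the write returns EINVAL.
    if len(fields) != 2 or not all(re.fullmatch(r"\d+", f) for f in fields):
        raise ValueError("value must be two unquoted integers: %s" % value.strip())
    low, high = (int(f) for f in fields)
    if high > GID_MAX:
        raise ValueError("gid above %d" % GID_MAX)
    return low, high


def gid_may_ping(gid, grange):
    """True if a process in this group may open ICMP datagram sockets.
    The kernel default "1 0" is an empty range, so nobody qualifies."""
    low, high = grange
    return low <= gid <= high


def icmp_dgram_socket_works():
    """Try to open an unprivileged ICMP 'ping socket' (no CAP_NET_RAW needed).
    Returns False if the kernel or ping_group_range refuses the caller."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP)
    except OSError:
        return False
    sock.close()
    return True
```

Running icmp_dgram_socket_works() as an unprivileged user before and after the sysctl change is a quick way to confirm that ping can work once cap_net_raw is dropped from the binary.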
Wolfgang Bauer
http://bugzilla.opensuse.org/show_bug.cgi?id=1174504#c12
--- Comment #12 from Gene Snider
http://bugzilla.opensuse.org/show_bug.cgi?id=1174504#c22
--- Comment #22 from OBSbugzilla Bot
Frances Scott
André Werlang