[Bug 1140994] New: iputils: Add permissions for arping and clockdiff

bugzilla_noreply＠novell.com

10 Jul 2019 10 Jul '19

10:11

http://bugzilla.suse.com/show_bug.cgi?id=1140994 Bug ID: 1140994 Summary: iputils: Add permissions for arping and clockdiff Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: petr.vorel@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Permissions should be the same as for ping: root:root 0755 +capabilities cap_net_raw=p PR solving this was prepared (fixing more than this bug): https://github.com/openSUSE/permissions/pull/24 -- You are receiving this mail because: You are on the CC list for the bug.

Attachments:

attachment.htm (text/html — 2.4 KB)

Show replies by date

bugzilla_noreply＠novell.com

10 Jul 10 Jul

10:22

New subject: [Bug 1140994] AUDIT-0: iputils: cap_net_raw=p capability for arping and clockdiff

http://bugzilla.suse.com/show_bug.cgi?id=1140994 http://bugzilla.suse.com/show_bug.cgi?id=1140994#c1 Matthias Gerstner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |matthias.gerstner@suse.com Summary|iputils: Add permissions |AUDIT-0: iputils: |for arping and clockdiff |cap_net_raw=p capability | |for arping and clockdiff --- Comment #1 from Matthias Gerstner --- Do you have some added context on why these capabilities are necessary now? Have the tools only been available to root until now? A quick test seems to suggest just that. Adding new privileges will need a code review, however. I'm changing this bug into an AUDIT bug and a member of the security team will look into it. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11:23

New subject: [Bug 1140994] AUDIT-0: iputils: cap_net_raw=p capability for arping and clockdiff

http://bugzilla.suse.com/show_bug.cgi?id=1140994 http://bugzilla.suse.com/show_bug.cgi?id=1140994#c2 Malte Kraus changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |malte.kraus@suse.com --- Comment #2 from Malte Kraus --- We can't allow arping - it can be used for ARP poisoning attacks. Its own man-page explicitly warns not to allow it for unprivileged users. clockdiff should be acceptable, assuming there are no issues with its code. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12:16

New subject: [Bug 1140994] AUDIT-0: iputils: cap_net_raw=p capability for arping and clockdiff

http://bugzilla.suse.com/show_bug.cgi?id=1140994 http://bugzilla.suse.com/show_bug.cgi?id=1140994#c3 --- Comment #3 from Petr Vorel --- Thanks for an input. I'll remove (In reply to Matthias Gerstner from comment #1)

...

Do you have some added context on why these capabilities are necessary now? Have the tools only been available to root until now? A quick test seems to suggest just that. Yes.

...

Adding new privileges will need a code review, however. I'm changing this bug into an AUDIT bug and a member of the security team will look into it.

OK, I'll remove this from https://github.com/openSUSE/permissions/pull/24 and create new one for it. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12:26

New subject: [Bug 1140994] AUDIT-0: iputils: cap_net_raw=p capability for arping and clockdiff

http://bugzilla.suse.com/show_bug.cgi?id=1140994 http://bugzilla.suse.com/show_bug.cgi?id=1140994#c4 --- Comment #4 from Petr Vorel --- Created separate PR https://github.com/openSUSE/permissions/pull/25 where adding capability only for clockdiff. Matthias, thanks for handling the audit. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11 Jul 11 Jul

09:28

New subject: [Bug 1140994] AUDIT-0: iputils: cap_net_raw=p capability for clockdiff

http://bugzilla.suse.com/show_bug.cgi?id=1140994 http://bugzilla.suse.com/show_bug.cgi?id=1140994#c5 Malte Kraus changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CONFIRMED Assignee|security-team@suse.de |malte.kraus@suse.com Summary|AUDIT-0: iputils: |AUDIT-0: iputils: |cap_net_raw=p capability |cap_net_raw=p capability |for arping and clockdiff |for clockdiff --- Comment #5 from Malte Kraus --- I'll have a look. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

14:46

New subject: [Bug 1140994] AUDIT-0: iputils: cap_net_raw=p capability for clockdiff

http://bugzilla.suse.com/show_bug.cgi?id=1140994 http://bugzilla.suse.com/show_bug.cgi?id=1140994#c6 Malte Kraus changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CONFIRMED |RESOLVED Resolution|--- |FIXED --- Comment #6 from Malte Kraus --- clockdiff is fine, I merged the PR and sent a request to update the package. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12 Jul 12 Jul

10:00

New subject: [Bug 1140994] AUDIT-0: iputils: cap_net_raw=p capability for clockdiff

http://bugzilla.suse.com/show_bug.cgi?id=1140994 http://bugzilla.suse.com/show_bug.cgi?id=1140994#c7 --- Comment #7 from Swamp Workflow Management --- This is an autogenerated message for OBS integration: This bug (1140994) was mentioned in https://build.opensuse.org/request/show/714806 Factory / permissions -- You are receiving this mail because: You are on the CC list for the bug.

1760

Age (days ago)

1762

Last active (days ago)

List overview

Download

7 comments

1 participants

participants (1)

bugzilla_noreply＠novell.com

[Bug 1140994] New: iputils: Add permissions for arping and clockdiff

tags

participants (1)