network privileges of user nobody??? how to configure???
Hi all, I have a question regarding the rights of user nobody. It struck me today that, after a couple of rpm updates, user nobody has restricted rights to access the outside network. Before the update, "ping www.heise.de" as "nobody" gave me the ping of that host. Now this is no longer the case: "ping: unknown host www.spiegel.de". However, every other user can do the ping. (Network is up, of course!) Where are these things configured? Any help appreciated, Michael
On Mon, 14 Oct 2002, Michael Seewald wrote:
> Before the update "ping www.heise.de" as "nobody" gave me the ping of that host. Now, this is no longer the case: "ping: unknown host www.spiegel.de". However, every other user can do the ping. (Network is up, of course!)
> Where are these things configured?
/etc/group - dialout - I got it, sorry for asking.
Best regards, Michael
I just saw this too after you reported it, but what do you mean by the config in /etc/group? I don't see any restriction for nobody there, and if a ping to one host is possible and to another not, that should be configured in another way. Greets, Thomas

>> Before the update "ping www.heise.de" as "nobody" gave me the ping of that host. Now, this is no longer the case: "ping: unknown host www.spiegel.de". However, every other user can do the ping. (Network is up, of course!)
>> Where are these things configured?
> /etc/group - dialout - I got it, sorry for asking.
> Best regards, Michael

--
TE Deutschland          eMail: thomas@tens.ath.cx
c/o Thomas Eichhorn     Tel: +49 (0) 571 4049761
Petershäger Weg 194     Fax: +49 (0) 571 4049760
32425 Minden            Mobile: +49 (0) 174 4570247
* Michael Seewald wrote on Mon, Oct 14, 2002 at 22:13 +0200:
> On Mon, 14 Oct 2002, Michael Seewald wrote:
>> Before the update "ping www.heise.de" as "nobody" gave me the ping of that host. Now, this is no longer the case: "ping: unknown host www.spiegel.de". However, every other user can do the ping. (Network is up, of course!)
> /etc/group - dialout - I got it, sorry for asking.
What the heck does ping have to do with dialout?!

oki, Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
It *does* have to do with the dialout group, at least on my system (maybe due to harden_suse and the "secure" permission stuff)? Please try a ping as user nobody and see if it works. For me, it does *only* if nobody is part of the dialout group. The second I delete nobody from dialout (/etc/group), it doesn't any longer. Maybe someone from the SuSE team can explain this? To be honest, I don't understand how (and where) this works myself. Should be interesting! =8)

Thanks, Michael

On Tue, 15 Oct 2002, Steffen Dettmer wrote:
> * Michael Seewald wrote on Mon, Oct 14, 2002 at 22:13 +0200:
>> On Mon, 14 Oct 2002, Michael Seewald wrote:
>>> Before the update "ping www.heise.de" as "nobody" gave me the ping of that host. Now, this is no longer the case: "ping: unknown host www.spiegel.de". However, every other user can do the ping. (Network is up, of course!)
>> /etc/group - dialout - I got it, sorry for asking.
> What the heck does ping have to do with dialout?!
The only special thing I know about ping is that without the sticky bit a normal (non-root) user can't open a socket to use it.

-rwsr-xr-x 1 root root 29680 Sep 20 2001 /bin/ping

Use "chmod a-s /bin/ping" and "chmod a+s /bin/ping" as root to change the sticky bit. When the sticky bit is removed a normal user gets the error "ping: icmp open socket: Operation not permitted".

The error message "ping: unknown host..." sounds more like an error in name resolution at that very moment. Could you try the ping not with a DNS name but with an IP (e.g. 193.99.144.71 for www.heise.de), or maybe you could try to ping 127.0.0.1, which should work as long as the loopback interface (lo) is up?

My user and the user nobody are both not members of group dialout but can both use ping when the sticky bit is set. I think harden_suse removes some (or all?) sticky bits from binaries.

Which owner and group does the ping binary that user nobody calls on your system belong to (ls -l `which ping`)? Does it look like my example above, or is there something with dialout?

--
Eat, sleep and go running, David Huecking.
Encrypted eMail welcome! GnuPG/PGP fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216

On Wed, 16 Oct 2002, Michael Seewald wrote:
> It *does* have to do with the dialout group, at least on my system (maybe due to harden_suse and the "secure" permission stuff)?
> Please try a ping as user nobody and see if it works. For me, it does *only* if nobody is part of the dialout group. The second I delete nobody from dialout (/etc/group), it doesn't any longer.
Oops, the correct name for the (s) bit is SUID bit, not sticky bit (which is (t)).

--
Eat, sleep and go running, David Huecking.
Encrypted eMail welcome! GnuPG/PGP fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216

On Wed, 16 Oct 2002, David Huecking wrote:
> The only special thing I know about ping is that without the sticky bit a normal (non-root) user can't open a socket to use it. -rwsr-xr-x 1 root root 29680 Sep 20 2001 /bin/ping Use "chmod a-s /bin/ping" and "chmod a+s /bin/ping" as root to change the sticky bit.
On Wed, 16 Oct 2002, David Huecking wrote:
> The only special thing I know about ping is that without the sticky bit a normal (non-root) user can't open a socket to use it. -rwsr-xr-x 1 root root 29680 Sep 20 2001 /bin/ping
That is set and has always been.
> When the sticky bit is removed a normal user gets the error "ping: icmp open socket: Operation not permitted".
Right, but I didn't see that.
> The error message "ping: unknown host..." sounds more like an error in name resolution at that very moment. Could you try the ping not with a DNS name but with an IP (e.g. 193.99.144.71 for www.heise.de) or maybe you
Yes, that does it. Apparently, name resolution failed!!!

Today, I noticed that these effects disappear when I change permissions (in yast) to "easy" and restart the pppd daemon. Apparently, SuSEconfig changes pppd to group dialout with a SUID bit. When the daemon is started with the new permissions it somehow brings up these effects. Strange!

Michael
* Michael Seewald wrote on Wed, Oct 16, 2002 at 10:46 +0200:
> Yes, that does it. Apparently, name resolution failed!!!
> Today, I noticed that these effects disappear when I change permissions (in yast) to "easy" and restart the pppd daemon. Apparently, SuSEconfig changes pppd to group dialout with a SUID bit. When the daemon is started with the new permissions it somehow brings up these effects.
Well, going OT now... Do an strace of ping when it's not resolving. Maybe some permissions are screwed up. I could imagine such effects when having an /etc/resolv.conf readable for dialout only. Well, my ping (SuSE 7.0 I believe) isn't dropping its UID 0, so you would probably need a "---r-----" root.dialout /etc/resolv.conf or such. Ohh, and please send the strace to me (PM) and not to the list!

oki, Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
This effect is not very strange. It's normal for SuSE Linux. They do correct the ownership and chmod bits according to /etc/permissions*, e.g. a "grep sbin/pppd /etc/permissions*":

/etc/permissions.easy:/usr/sbin/pppd root.dialout 6754
/etc/permissions.paranoid:/usr/sbin/pppd root.dialout 0750
/etc/permissions.secure:/usr/sbin/pppd root.dialout 6750

So we see that only when using the easy permissions pppd is set SUID for the group dialout, and a dialout could be triggered for name resolution by a normal user in the group dialout. All in all this has nothing to do with ping itself... Everything clear now?! ;-)

--
Eat, sleep and go running, David Huecking.
Encrypted eMail welcome! GnuPG/PGP fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216

On Wed, 16 Oct 2002, Michael Seewald wrote:
>> The error message "ping: unknown host..." sounds more like an error in name resolution at that very moment. Could you try the ping not with a DNS name but with an IP (e.g. 193.99.144.71 for www.heise.de) or maybe you
> Yes, that does it. Apparently, name resolution failed!!!
> Today, I noticed that these effects disappear when I change permissions (in yast) to "easy" and restart the pppd daemon. Apparently, SuSEconfig changes pppd to group dialout with a SUID bit. When the daemon is started with the new permissions it somehow brings up these effects.
> Strange!
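To make the permissions reasoning in this thread concrete, here is an added example (not code from the thread, from SuSE, or from any of the participants) that parses entries in the SuSE /etc/permissions.* format (path, owner.group, octal mode) and evaluates, for a user with a given set of groups, whether that user can read a file, whether the user can execute it, and which effective uid/gid the process runs with after exec when the SUID/SGID bits are set. The three pppd lines are the values quoted from the grep above. Everything else is constructed for the example: the /bin/ping entries (4755 as in the ls output earlier in the thread, 0755 for a system where the SUID bit was removed with chmod a-s), the /etc/resolv.conf entries (0644 on the easy profile; on the other two the root.dialout, group-read-only mode Steffen speculated about), and the group name nogroup as nobody's primary group. None of these stand for what a real SuSE profile contains.

```python
# Added example, not from the mailing-list thread: evaluate SuSE-style
# /etc/permissions.* entries for a given user the way the kernel's DAC
# check would when that user runs pppd or ping, or reads /etc/resolv.conf.
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    owner: str
    group: str
    mode: int  # full mode including SUID/SGID bits, e.g. 0o6754


@dataclass(frozen=True)
class User:
    name: str
    primary_group: str
    groups: frozenset = frozenset()  # supplementary groups from /etc/group


def parse_permissions(text):
    """Parse lines like '/usr/sbin/pppd root.dialout 6754' (SuSE permissions format)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, owner_group, mode = line.split()
        owner, group = owner_group.split(".", 1)
        entries.append(Entry(path, owner, group, int(mode, 8)))
    return entries


def can_access(entry, user, want):
    """Classic Unix DAC check; want is 'r', 'w' or 'x'.
    root bypasses read/write, but for execute root still needs some x bit."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if user.name == "root":
        return want != "x" or bool(entry.mode & 0o111)
    if user.name == entry.owner:
        cls = (entry.mode >> 6) & 7          # owner bits
    elif entry.group == user.primary_group or entry.group in user.groups:
        cls = (entry.mode >> 3) & 7          # group bits
    else:
        cls = entry.mode & 7                 # other bits
    return bool(cls & bit)


def effective_ids(entry, user):
    """(euid, egid) the process runs with after exec: SUID/SGID switch them."""
    euid = entry.owner if entry.mode & stat.S_ISUID else user.name
    egid = entry.group if entry.mode & stat.S_ISGID else user.primary_group
    return euid, egid


def exec_as(entry, user):
    """None if the user cannot execute the file, else the (euid, egid) it runs as."""
    if not can_access(entry, user, "x"):
        return None
    return effective_ids(entry, user)


# Constructed profile fragments. Only the pppd lines are the values the
# thread's grep of /etc/permissions.* shows; the ping and resolv.conf lines
# are assumptions made for this example (see the lead-in), not real SuSE data.
PROFILES = {
    "easy": (
        "/usr/sbin/pppd root.dialout 6754\n"
        "/bin/ping root.root 4755\n"
        "/etc/resolv.conf root.root 0644\n"
    ),
    "secure": (
        "/usr/sbin/pppd root.dialout 6750\n"
        "/bin/ping root.root 4755\n"
        "/etc/resolv.conf root.dialout 0040\n"   # assumed: group-read-only, as Steffen speculated
    ),
    "paranoid": (
        "/usr/sbin/pppd root.dialout 0750\n"
        "/bin/ping root.root 0755\n"             # assumed: SUID bit stripped (chmod a-s)
        "/etc/resolv.conf root.dialout 0040\n"
    ),
}

NOBODY = User("nobody", "nogroup")                                  # nogroup is assumed
NOBODY_DIALOUT = User("nobody", "nogroup", frozenset({"dialout"}))  # after adding to /etc/group


def diagnose(profile_text, user):
    """Per path: can the user read it, and if it is executable, which ids it runs as."""
    report = {}
    for e in parse_permissions(profile_text):
        report[e.path] = {"read": can_access(e, user, "r"), "exec_as": exec_as(e, user)}
    return report


if __name__ == "__main__":
    for name, text in PROFILES.items():
        for u in (NOBODY, NOBODY_DIALOUT):
            print(f"{name:9s} {u.name} groups={sorted(u.groups)}: {diagnose(text, u)}")
```

Under these constructed profiles the output reproduces the asymmetry Michael described: with nobody outside dialout, resolv.conf is readable on the easy profile only, while /bin/ping (SUID root) still gets its raw socket on both easy and secure, so pinging by IP works and pinging by name does not; adding nobody to dialout turns the group read bit on. It also shows what the grep output alone makes easy to overlook: on the paranoid profile pppd carries no SUID/SGID bits, so a dialout member executes it with their own uid and gid rather than as root.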
On Wed, 16 Oct 2002, David Huecking wrote:
> This effect is not very strange. It's normal for SuSE Linux. They do correct the ownership and chmod bits according to /etc/permissions*, e.g. a "grep sbin/pppd /etc/permissions*"
Right.
> So we see that only when using the easy permissions pppd is set SUID for the group dialout, and a dialout could be triggered for name resolution by a normal user in the group dialout.
No, because user nobody didn't "trigger" any dialout. The host is permanently online! It's just that one user gets name resolution, the other doesn't. Using IP addresses always works fine. Not strange? What sense does it make to disallow name resolution when every other aspect of networking is still fine??? Pretty strange to me.
> All in all this has nothing to do with ping itself...
That was just an example.
> Everything clear now?! ;-)
How 'bout a definite "maybe"? 8)

Michael
participants (5)
- David Huecking
- Michael Seewald
- Michael Seewald
- Steffen Dettmer
- Thomas Eichhorn