1. Forum
  2. Usenet
  3. LINUX.DEBIAN.DEVEL

  • setting sysctl net.ipv4.ping_group_range

    From Noah Meyerhans@21:1/5 to All on Mon Jan 2 21:30:01 2023
    There are several examples of packages installing files to
    /usr/lib/sysctl.d, but I haven't found any specific guidance on policies
    about what's appropriate for them. Since sysctl variables change the
    system behavior in a way that's not limited to the package changing the setting, and since the package in question (iputils-ping) is Priority: important and part of the default install, I won't want to make any
    changes without consulting here first.

    See bug #1008281 for context. [1]

    The proposal is to install /usr/lib/sysctl.d/iputils-ping.conf with the following content:
    net.ipv4.ping_group_range="0 2147483647"

    With that in place, unprivileged users are able to excute ping for both
    IPv4 and IPv6 targets without cap_net_raw (currently set as either a
    file-based attribute on the ping binary or acquired via setuid). But
    since that applies system-wide, not just to the ping binary, there may
    be objections.

    After applying this change, I believe it'd be appropriate to drop ping's setcap/setuid settings from postinst altogether, though I'd be open to
    other options. [2]

    noah

    1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008281
    2. https://salsa.debian.org/debian/iputils/-/blob/master/debian/iputils-ping.postinst

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Peter Pentchev@21:1/5 to Noah Meyerhans on Mon Jan 2 21:50:01 2023
    On Mon, Jan 02, 2023 at 12:01:54PM -0800, Noah Meyerhans wrote:
    There are several examples of packages installing files to
    /usr/lib/sysctl.d, but I haven't found any specific guidance on policies about what's appropriate for them. Since sysctl variables change the
    system behavior in a way that's not limited to the package changing the setting, and since the package in question (iputils-ping) is Priority: important and part of the default install, I won't want to make any
    changes without consulting here first.
    [snip]
    After applying this change, I believe it'd be appropriate to drop ping's setcap/setuid settings from postinst altogether, though I'd be open to
    other options. [2]

    I personally would prefer giving the administrator a way to change that.
    Maybe add a low priority debconf question with a "ping is not setuid"
    default, then mention that debconf setting in a comment in the file that
    the package installs in the sysctl.d/ directory.

    Other than that, I think making ping not setuid is a great idea.

    G'luck,
    Peter

    --
    Peter Pentchev roam@ringlet.net roam@debian.org pp@storpool.com
    PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
    Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEELuenpRf8EkzxFcNUZR7vsCUn3xMFAmOzQzkACgkQZR7vsCUn 3xOokBAAzekGkGSPSpsTKlhslTBzmZg2CvmznEQYeiT6Puf21pTzoPDz0zRPvYO5 KebibdYSayRRhvSbL7gcGg1jh3Wbqg2SpxTxfkjJPG6Ze56iPHQPFlwhUlHXqBLv Nqe+UcRFTj5V4tnAB94spTAzCZUASxp4nNVIrPACV9VbJa+WV5Hov6KoL+NaV+3E ad+eeqS3ytxdz2xC5tTY+43pMXFyXYoWHB6QyNfFtAxRqC/tb6Nhu/+YQeZ63RtI YM4dQ9DsAmOHt73hrJFrGun2f6VD/nIPbtz47vUF06tLOxChpbfVg9HEAQvuwfV8 lMUnoJjOzndM70JA37r7lO+Tr2LFTpkwM2alN989+073l0OBY7UO4vDhAp/J/FFZ jFisviDo9118gfJCtlMwEO+/SVCVh/OjHNiYpWlE2RGHapdVHyQ3fItXN+/8AIGD NgTrualIbFMY4sxYRGMBkae2YXrm3OojgX7EYYIzZETsIUqnghLxDRCKOLg+3jt7 UHBZ6fUeEsu7I/YhiJBJUOkqHUtsNrCNEK+TrYZBPFTF/E+yDNXvMJMP+dIs1Mbb C/TkU8eRMp2AisJZP0tkjg+OnnrHHx3iUlp2EEBnzLTgYNGe7coLgJ/mptiyIKqb OBDS0IXTHBZxN1tJa+I3sw2vZQDRpL5HKcgukGGCBknG6qpdgI4=
    =doNX
    -
  • From Noah Meyerhans@21:1/5 to Marco d'Itri on Mon Jan 2 22:50:01 2023
    On Mon, Jan 02, 2023 at 10:11:38PM +0100, Marco d'Itri wrote:
    On Jan 02, Peter Pentchev <roam@ringlet.net> wrote:

    I personally would prefer giving the administrator a way to change that. Maybe add a low priority debconf question with a "ping is not setuid" default, then mention that debconf setting in a comment in the file that the package installs in the sysctl.d/ directory.
    Please don't. There are already way too many debconf questions and this
    one would be totally pointless: anybody who cares to change the default
    can just locally override the /usr/lib/sysctl.d/ file with a drop-in in /etc/sysctl.d/ .

    +1. I don't have any desire to add debconf to iputils-ping. I'd suggest
    the /etc/sysctl.d/ approach for admin overrides as well.

    noah

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Marco d'Itri@21:1/5 to Peter Pentchev on Mon Jan 2 22:20:01 2023
    On Jan 02, Peter Pentchev <roam@ringlet.net> wrote:

    I personally would prefer giving the administrator a way to change that. Maybe add a low priority debconf question with a "ping is not setuid" default, then mention that debconf setting in a comment in the file that
    the package installs in the sysctl.d/ directory.
    Please don't. There are already way too many debconf questions and this
    one would be totally pointless: anybody who cares to change the default
    can just locally override the /usr/lib/sysctl.d/ file with a drop-in in /etc/sysctl.d/ .

    Other than that, I think making ping not setuid is a great idea.
    ping is (generally) not setuid.

    --
    ciao,
    Marco

    -----BEGIN PGP SIGNATURE-----

    iHUEABYIAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCY7NIigAKCRDLPsM64d7X gTFpAP9do+afpPUkLMG0mIVrC6Wf99kxEtlII1tfGkqLt1p8kgEAxOfnhnyA24zx YZRMmux/i2dXhT+zypg+0NtqlN8Enwo=
    =L8/v
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From =?ISO-8859-1?Q?=C1ngel?=@21:1/5 to Noah Meyerhans on Sun Jan 15 02:40:01 2023
    On 2023-01-02 at 13:55 -0800, Noah Meyerhans wrote:
    I'm entirely happy to reassign this request to systemd and have the
    setting applied more broadly. The question that arises then is what
    to
    do about the file-level capabilities on the ping binary. Ideally we
    drop them entirely (including the setuid fallback), but when?

    I could leave things completely decoupled, and simply wait until
    systemd
    makes the change and then upload iputils and assume that anybody
    upgrading iputils is also upgrading systemd. That seems to be what
    Fedora did, according to the fedoraproject.org wiki cited above.
    Alternatives would seem to involve some level of versioned
    dependency,
    which doesn't feel right.

    noah


    Currently iputils-ping's postinst does (at configure):


    if command -v setcap > /dev/null; then
    if setcap cap_net_raw+ep /bin/ping; then
    chmod u-s /bin/ping
    else
    echo "Setcap failed on /bin/ping, falling back to setuid" >&2
    chmod u+s /bin/ping
    fi
    else
    echo "Setcap is not installed, falling back to setuid" >&2
    chmod u+s /bin/ping
    fi


    I would change that to:


    if sysctl -n net.ipv4.ping_group_range | grep -q -v '^1 0$'; then # N.B. this is a tab
    # No need for elevated rights for ping when ping_group_range feature is in use
    setcap '' /bin/ping 2> /dev/null || true
    chmod u-s /bin/ping
    elif command -v setcap > /dev/null; then
    # If we have setcap is installed, try setting cap_net_raw+ep,
    # which allows us to install our binaries without the setuid
    # bit.

    if setcap cap_net_raw+ep /bin/ping; then
    chmod u-s /bin/ping
    else
    echo "Setcap failed on /bin/ping, falling back to setuid" >&2
    chmod u+s /bin/ping
    fi
    else
    echo "No ping_group_range and setcap is not installed, falling back to setuid" >&2
    chmod u+s /bin/ping
    fi



    if ping_group_range is set ("1<tab>0" is the value when disabled, so
    anything else means that the feature is configured for some groups),
    then it disables capabilities and setuid.
    Else it goes the existing route.

    It is checking it *in the running kernel*, so if both iputils-ping and
    procps (or whatever package is dropping the sysctl) are upgraded at the
    same time, it would not detect until the *next* iputils upgrade after the system is upgraded.

    One might additionally check if there is a sysctl file there to enable the feature
    (the problem would still bepresent if it is upgraded at the same time with iputils-ping being upgraded *before* procps), but I think it's undesirable to leave
    a non-working program after the update (for some reason, procps postinst doesn't seem
    to automatically apply the newly dropped settings).

    This code would also do the right thing™ if the existing kernel lacked support for the
    feature, although this seems moot, as it has been there for more than a decade [1]. It
    might happen on kFreeBSD, if it's a non-standard kernel where such feature was kept out
    (which doesn't make much sense), or procps is not installed (despite being an 'important'
    package).

    Regards


    1- https://lwn.net/Articles/422330/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bastian Blank@21:1/5 to All on Sun Jan 15 11:40:01 2023
    On Sun, Jan 15, 2023 at 02:35:06AM +0100, Ángel wrote:
    I would change that to:

    Please don't. If we change the distribution default for net.ipv4.ping_group_range, then ping should refrain from ever trying to
    check for it and never make the executable privileged.

    Bastian

    --
    There is a multi-legged creature crawling on your shoulder.
    -- Spock, "A Taste of Armageddon", stardate 3193.9

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Helmut Grohne@21:1/5 to Noah Meyerhans on Wed Apr 12 18:10:01 2023
    Hi,

    On Mon, Jan 02, 2023 at 12:01:54PM -0800, Noah Meyerhans wrote:
    See bug #1008281 for context. [1]

    The proposal is to install /usr/lib/sysctl.d/iputils-ping.conf with the following content:
    net.ipv4.ping_group_range="0 2147483647"

    With that in place, unprivileged users are able to excute ping for both
    IPv4 and IPv6 targets without cap_net_raw (currently set as either a file-based attribute on the ping binary or acquired via setuid). But
    since that applies system-wide, not just to the ping binary, there may
    be objections.

    As much as I like unprivileged operation, I think this change may expand privileges beyond what we expect. At present, ping limits an
    unprivileged user to a minimum spacing of 2ms and prevents a flood ping.
    Of course a user can just run multiple ping processes in parallel to
    overcome this limitation.

    I'm posting this, because I think this argument as been missed in the discussion. I consider this argument to be vaguely weak and not
    significantly affecting the course of action.

    Helmut

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Marco d'Itri@21:1/5 to Helmut Grohne on Wed Apr 12 21:40:01 2023
    On Apr 12, Helmut Grohne <helmut@subdivi.de> wrote:

    As much as I like unprivileged operation, I think this change may expand privileges beyond what we expect. At present, ping limits an
    unprivileged user to a minimum spacing of 2ms and prevents a flood ping.
    Of course a user can just run multiple ping processes in parallel to
    overcome this limitation.
    Real life DoS attacks from unpriviledged account are made with udp.pl
    and they are already quite damaging, so I do not believe that adding an
    ICMP option would make the situation worse.

    --
    ciao,
    Marco

    -----BEGIN PGP SIGNATURE-----

    iHUEABYIAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCZDcHngAKCRDLPsM64d7X gXrOAPwL1950+uMjVRl30AxiehJ8bfy/0Mjnjs/K5LIQuM7IvAD9GE7iXiHTI0tQ z8EBWy+RsRE4CaLrWLsFE27zlHX3hQY=
    =8fhp
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)