[alpine-aports] Enable non-root ping by default?

Isaac Dunham <ibid.ag@gmail.com>
Message ID: <20160422044617.GA12521@newbook>
Sender timestamp: 1461300378
DKIM signature: missing
Hello,
I've noticed that, in theory, our busybox now supports non-root ping.

The upgrade does have a couple hitches:
- bbsuid has disabled support for 'ping', but the upgrade leaves the old
ping->bbsuid symlink in place.

- We do not have equivalent functionality after fixing that, because
bbsuid allowed all users to use ping, while the Linux kernel disables
DGRAM ping via this sysctl setting:
 net.ipv4.ping_group_range=1 0

It took a bit of digging to figure out what that means, so explanation:
net.ipv4.ping_group_range is a range, specifying minimum and maximum
group ids allowed to use DGRAM ping.
The first field is the minimum; if it exceeds the maximum, the feature is
completely disabled.

Ideally, I'd like to see a default of
net.ipv4.ping_group_range=28 28
set in /etc/sysctl.d/00-alpine.conf,
along with an explanation of what that does.
This would make users in group 'netdev' able to ping.

Thanks,
Isaac Dunham


---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
Natanael Copa <ncopa@alpinelinux.org>
Message ID: <20160422170410.4e4f9a8b@ncopa-desktop.alpinelinux.org>
In-Reply-To: <20160422044617.GA12521@newbook>
Sender timestamp: 1461337450
DKIM signature: missing
On Thu, 21 Apr 2016 21:46:18 -0700
Isaac Dunham <ibid.ag@gmail.com> wrote:

> Hello,
> I've noticed that, in theory, our busybox now supports non-root ping.
> 
> The upgrade does have a couple hitches:
> - bbsuid has disabled support for 'ping', but the upgrade leaves the old
> ping->bbsuid symlink in place.
> 
> - We do not have equivalent functionality after fixing that, because
> bbsuid allowed all users to use ping, while the Linux kernel disables
> DGRAM ping via this sysctl setting:
>  net.ipv4.ping_group_range=1 0
> 
> It took a bit of digging to figure out what that means, so explanation:
> net.ipv4.ping_group_range is a range, specifying minimum and maximum
> group ids allowed to use DGRAM ping.
> The first field is the minimum; if it exceeds the maximum, the feature is
> completely disabled.
> 
> Ideally, I'd like to see a default of
> net.ipv4.ping_group_range=28 28
> set in /etc/sysctl.d/00-alpine.conf,
> along with an explanation of what that does.
> This would make users in group 'netdev' able to ping.

I think this was an excellent idea.

The only thing I am in doubt about is whether 'netdev' is the right group
for this.

Maybe we could even create a group called 'ping'? Or create a 'ping'
group with gid 999 and then use range 999 and upwards? That way all
users could ping by default and system users (daemons) that may need it
can be added to the 'ping' group.

-nc


Isaac Dunham <ibid.ag@gmail.com>
Message ID: <20160423022354.GA15804@newbook>
In-Reply-To: <20160422170410.4e4f9a8b@ncopa-desktop.alpinelinux.org>
Sender timestamp: 1461378235
DKIM signature: missing
On Fri, Apr 22, 2016 at 05:04:10PM +0200, Natanael Copa wrote:
> On Thu, 21 Apr 2016 21:46:18 -0700
> Isaac Dunham <ibid.ag@gmail.com> wrote:
> 
> > Hello,
> > I've noticed that, in theory, our busybox now supports non-root ping.
> > 
> > The upgrade does have a couple hitches:
> > - bbsuid has disabled support for 'ping', but the upgrade leaves the old
> > ping->bbsuid symlink in place.

This would be solvable via a block like this in
main/busybox/busybox.post_upgrade:

if [ -L /bin/ping ] && [ "$(readlink /bin/ping)" = "/bin/bbsuid" ] ; then
	rm /bin/ping
fi

busybox --install -s should add a new, correct, link.

> > - We do not have equivalent functionality after fixing that, because
> > bbsuid allowed all users to use ping, while the Linux kernel disables
> > DGRAM ping via this sysctl setting:
> >  net.ipv4.ping_group_range=1 0
> > 
> > It took a bit of digging to figure out what that means, so explanation:
> > net.ipv4.ping_group_range is a range, specifying minimum and maximum
> > group ids allowed to use DGRAM ping.
> > The first field is the minimum; if it exceeds the maximum, the feature is
> > completely disabled.
> > 
> > Ideally, I'd like to see a default of
> > net.ipv4.ping_group_range=28 28
> > set in /etc/sysctl.d/00-alpine.conf,
> > along with an explanation of what that does.
> > This would make users in group 'netdev' able to ping.
> 
> I think this was an excellent idea.
> 
> The only thing that I am in doubt with is 'netdev' is the right group
> for this.
> 
> Maybe we could even add create a group called 'ping'? Or create 'ping'
> group with gid 999 and then use range 999 and upwards? That way all
> users could ping by default and system users (daemons) that may need it
> can be added to the 'ping' group.

I'd figured that
-netdev is used for network administration (on non-Alpine systems,
wpa_supplicant, wicd, network mangler, etc. all allow group netdev
to configure things)
-users who need 'ping' pretty much overlaps with those troubleshooting
networking (I'm not sure about this, though!)
-allowing all users access to DGRAM ping could (theoretically) expose a
bug, which is why it's disabled by default
-allowing n upwards will result in some higher-gid daemons getting ping
permissions (for example, 'nogroup'/'nobody', any daemon that has a bug
in the install scripts such that it adds a non-system group).

I'm now suspecting that a 'ping' group may be desirable, but I have
reservations about 999 up.

Thanks,
Isaac Dunham


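Added example, not from the thread and not aports code: a small POSIX sh script that models the kernel's net.ipv4.ping_group_range check explained in the first message (a "min max" pair, disabled when min exceeds max, as with the default "1 0") and applies the candidate policies from the later messages ("28 28" for netdev, and "999 and upwards") to a constructed /etc/group excerpt, so you can see which groups each policy would grant DGRAM ping to. any_gid_allowed mirrors what the kernel checks when an unprivileged ICMP socket is opened: the effective gid and the supplementary groups, any one of which in range is enough. The gids in the sample (28 for netdev, 65533 for nogroup, 65534 for nobody) follow Alpine's conventions but are assumptions here, as are the hypothetical 'ping' (999) and 'buggydaemon' (1000) groups; "upwards" is modeled as 999 through 65534.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate net.ipv4.ping_group_range
# policies offline against a group database.

# ping_allowed RANGE GID -> exit 0 if GID lies within the "min max" RANGE.
# The kernel disables DGRAM (unprivileged) ICMP sockets entirely when
# min > max, which is what the default "1 0" means.
ping_allowed() {
    range=$1; gid=$2
    set -- $range
    min=$1; max=$2
    [ "$min" -le "$max" ] || return 1
    [ "$gid" -ge "$min" ] && [ "$gid" -le "$max" ]
}

# range_enabled RANGE -> exit 0 unless RANGE is the "disabled" form (min > max).
range_enabled() {
    set -- $1
    [ "$1" -le "$2" ]
}

# any_gid_allowed RANGE GID... -> exit 0 if any listed gid is in range.
# This is the kernel's rule: egid first, then each supplementary group.
# For the calling user: any_gid_allowed "28 28" $(id -G)
any_gid_allowed() {
    range=$1; shift
    for g in "$@"; do
        ping_allowed "$range" "$g" && return 0
    done
    return 1
}

# gid_of NAME GROUPFILE -> print the gid of group NAME, exit 1 if absent.
gid_of() {
    want=$1; file=$2
    while IFS=: read -r n _ g _; do
        [ "$n" = "$want" ] && { printf '%s\n' "$g"; return 0; }
    done < "$file"
    return 1
}

# groups_allowed RANGE GROUPFILE -> print "name:gid" for every group in
# GROUPFILE that RANGE grants DGRAM ping to.
groups_allowed() {
    range=$1; file=$2
    while IFS=: read -r name _ gid _; do
        case $name in ''|'#'*) continue;; esac
        if ping_allowed "$range" "$gid"; then
            printf '%s:%s\n' "$name" "$gid"
        fi
    done < "$file"
}

# write_sample_group PATH -> write a constructed /etc/group excerpt.
# Assumptions: Alpine-style gids (28 netdev, 65533 nogroup, 65534 nobody),
# a hypothetical 'ping' group at 999, and 'buggydaemon' at 1000 standing in
# for a daemon whose install script created a non-system group.
write_sample_group() {
    cat > "$1" <<'EOF'
root:x:0:root
wheel:x:10:root
netdev:x:28:
users:x:100:
ping:x:999:
buggydaemon:x:1000:
nogroup:x:65533:
nobody:x:65534:
EOF
}

# Demonstration: compare the three policies discussed in the thread.
# To apply a policy for real: sysctl -w net.ipv4.ping_group_range="28 28"
# (or the same line in /etc/sysctl.d/00-alpine.conf).
f=$(mktemp)
write_sample_group "$f"
for policy in "1 0" "28 28" "999 65534"; do
    printf 'net.ipv4.ping_group_range=%s -> ' "$policy"
    if range_enabled "$policy"; then
        groups_allowed "$policy" "$f" | tr '\n' ' '
        echo
    else
        echo '(DGRAM ping disabled for everyone)'
    fi
done
rm -f "$f"
```

Running it shows "28 28" granting ping to netdev only, while "999 65534" also sweeps in buggydaemon, nogroup and nobody, which is the concern raised about an open-ended upper bound.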