Mail archive
alpine-aports

Re: [alpine-aports] Enable non-root ping by default?

From: Isaac Dunham <ibid.ag_at_gmail.com>
Date: Fri, 22 Apr 2016 19:23:55 -0700

On Fri, Apr 22, 2016 at 05:04:10PM +0200, Natanael Copa wrote:
> On Thu, 21 Apr 2016 21:46:18 -0700
> Isaac Dunham <ibid.ag_at_gmail.com> wrote:
>
> > Hello,
> > I've noticed that, in theory, our busybox now supports non-root ping.
> >
> > The upgrade does have a couple hitches:
> > - bbsuid has disabled support for 'ping', but the upgrade leaves the old
> > ping->bbsuid symlink in place.

This would be solvable via a block like this in
main/busybox/busybox.post_upgrade:

# Remove only the stale symlink that still points at the old setuid helper;
# quote the readlink output so an empty or odd result cannot break the test.
if [ -L /bin/ping ] && [ "$(readlink /bin/ping)" = "/bin/bbsuid" ]; then
        rm /bin/ping
fi

busybox --install -s should add a new, correct, link.

> > - We do not have equivalent functionality after fixing that, because
> > bbsuid allowed all users to use ping, while the Linux kernel disables
> > DGRAM ping via this sysctl setting:
> > net.ipv4.ping_group_range=1 0
> >
> > It took a bit of digging to figure out what that means, so explanation:
> > net.ipv4.ping_group_range is a range, specifying minimum and maximum
> > group ids allowed to use DGRAM ping.
> > The first field is the minimum; if it exceeds the maximum, the feature is
> > completely disabled.
> >
> > Ideally, I'd like to see a default of
> > net.ipv4.ping_group_range=28 28
> > set in /etc/sysctl.d/00-alpine.conf,
> > along with an explanation of what that does.
> > This would make users in group 'netdev' able to ping.
>
> I think this was an excellent idea.
>
> The only thing that I am in doubt with is 'netdev' is the right group
> for this.
>
> Maybe we could even create a group called 'ping'? Or create 'ping'
> group with gid 999 and then use range 999 and upwards? That way all
> users could ping by default and system users (daemons) that may need it
> can be added to the 'ping' group.

I'd figured that
-netdev is used for network administration (on non-Alpine systems,
wpa_supplicant, wicd, network mangler, etc. all allow group netdev
to configure things)
-users who need 'ping' pretty much overlaps with those troubleshooting
networking (I'm not sure about this, though!)
-allowing all users access to DGRAM ping could (theoretically) expose a
bug, which is why it's disabled by default
-allowing n upwards will result in some higher-gid daemons getting ping
permissions (for example, 'nogroup'/'nobody', any daemon that has a bug
in the install scripts such that it adds a non-system group).

I'm now suspecting that a 'ping' group may be desirable, but I have
reservations about 999 up.

Thanks,
Isaac Dunham
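An added example, not part of this thread or of Alpine's own scripts, that models the net.ipv4.ping_group_range semantics described in the quoted mail: the kernel parses the sysctl as "MIN MAX", an inverted range such as the default "1 0" disables unprivileged (DGRAM) ping entirely, and otherwise a process may ping if its effective gid or any supplementary gid lies in [MIN, MAX]. The sample range strings and gid lists are constructed; gid 28 for netdev comes from the thread, while gid 65533 standing in for a high-numbered system group like 'nogroup' and the upper bound 65535 for "999 and upwards" are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: evaluate net.ipv4.ping_group_range the way the kernel does.
#
# Settings discussed in the thread, as they would appear in a sysctl.d file:
#   net.ipv4.ping_group_range = 1 0      # kernel default: DGRAM ping disabled
#   net.ipv4.ping_group_range = 28 28    # proposal: only group 'netdev' (gid 28)
#   net.ipv4.ping_group_range = 999 65535  # assumed reading of "999 and upwards"

# ping_group_allowed RANGE GID
#   RANGE is the sysctl value as a string ("MIN MAX", tab or space separated,
#   which is also what /proc/sys/net/ipv4/ping_group_range prints).
#   Returns 0 if GID may open a DGRAM ping socket, 1 if not, 2 on bad input.
ping_group_allowed() {
    range=$1
    gid=$2
    # Split "MIN MAX" on whitespace; positional parameters are local to the function.
    set -- $range
    min=$1
    max=$2
    # Accept only two non-empty decimal fields plus a decimal gid.
    case "$min:$max:$gid" in
        *[!0-9:]*|*::*|:*|*:) echo "malformed input: range='$range' gid='$gid'" >&2; return 2 ;;
    esac
    # MIN > MAX (e.g. the default "1 0") means the feature is switched off.
    [ "$min" -le "$max" ] || return 1
    [ "$gid" -ge "$min" ] && [ "$gid" -le "$max" ]
}

# user_gids_allowed RANGE GIDS
#   GIDS is a whitespace-separated list, e.g. the output of `id -G user`.
#   The kernel checks the effective gid and every supplementary group, so
#   membership in any one in-range group is enough.
user_gids_allowed() {
    range=$1
    for g in $2; do
        if ping_group_allowed "$range" "$g"; then
            return 0
        fi
    done
    return 1
}

# current_ping_group_range
#   Reads the live value on a Linux host; falls back to the kernel default so
#   the script still runs elsewhere.
current_ping_group_range() {
    if [ -r /proc/sys/net/ipv4/ping_group_range ]; then
        cat /proc/sys/net/ipv4/ping_group_range
    else
        echo "1 0"
    fi
}

# Demo over constructed settings (not read from any real host).
for setting in "1 0" "28 28" "999 65535"; do
    for gid in 28 1000 65533; do
        if ping_group_allowed "$setting" "$gid"; then
            echo "range '$setting': gid $gid may ping"
        else
            echo "range '$setting': gid $gid may NOT ping"
        fi
    done
done
echo "this host: $(current_ping_group_range)"
```

The "999 65535" row is the one Isaac's objection is about: gid 65533 (a constructed stand-in for a high-numbered system group) lands inside the range along with ordinary users, whereas "28 28" admits exactly one group and "1 0" admits nobody. On a live system, `sysctl -n net.ipv4.ping_group_range` or the `current_ping_group_range` helper above gives the range to feed into `user_gids_allowed` together with `id -G someuser`.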


---
Unsubscribe:  alpine-aports+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-aports+help_at_lists.alpinelinux.org
---
Received on Fri Apr 22 2016 - 19:23:55 GMT