On Fri, Apr 22, 2016 at 05:04:10PM +0200, Natanael Copa wrote:
> On Thu, 21 Apr 2016 21:46:18 -0700
> Isaac Dunham <ibid.ag_at_gmail.com> wrote:
> > Hello,
> > I've noticed that, in theory, our busybox now supports non-root ping.
> > The upgrade does have a couple hitches:
> > - bbsuid has disabled support for 'ping', but the upgrade leaves the old
> > ping->bbsuid symlink in place.
This would be solvable via a block like this in
if [ -L /bin/ping ] && [ "$(readlink /bin/ping)" = "/bin/bbsuid" ]; then
    rm /bin/ping    # drop the stale bbsuid link (body not shown in the original message)
fi
busybox --install -s should add a new, correct, link.
> > - We do not have equivalent functionality after fixing that, because
> > bbsuid allowed all users to use ping, while the Linux kernel disables
> > DGRAM ping via this sysctl setting:
> > net.ipv4.ping_group_range=1 0
> > It took a bit of digging to figure out what that means, so explanation:
> > net.ipv4.ping_group_range is a range, specifying minimum and maximum
> > group ids allowed to use DGRAM ping.
> > The first field is the minimum; if it exceeds the maximum, the feature is
> > completely disabled.
> > Ideally, I'd like to see a default of
> > net.ipv4.ping_group_range=28 28
> > set in /etc/sysctl.d/00-alpine.conf,
> > along with an explanation of what that does.
> > This would make users in group 'netdev' able to ping.
> I think this was an excellent idea.
> The only thing that I am in doubt with is 'netdev' is the right group
> for this.
> Maybe we could even create a group called 'ping'? Or create 'ping'
> group with gid 999 and then use range 999 and upwards? That way all
> users could ping by default and system users (daemons) that may need it
> can be added to the 'ping' group.
I'd figured that:
- netdev is used for network administration (on non-Alpine systems,
  wpa_supplicant, wicd, network mangler, etc. all allow group netdev
  to configure things)
- users who need 'ping' pretty much overlap with those troubleshooting
  networking (I'm not sure about this, though!)
- allowing all users access to DGRAM ping could (theoretically) expose a
  bug, which is why it's disabled by default
- allowing n upwards will result in some higher-gid daemons getting ping
  permissions (for example, 'nogroup'/'nobody', any daemon that has a bug
  in the install scripts such that it adds a non-system group).
I'm now suspecting that a 'ping' group may be desirable, but I have
reservations about 999 up.
Received on Fri Apr 22 2016 - 19:23:55 GMT
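The ping_group_range semantics discussed in the thread (a "min max" pair, fully disabled when min exceeds max), as an added example that is not part of the mailing-list messages: a small POSIX sh helper that decides whether a gid falls inside a given range, so the effect of candidate defaults such as "1 0", "28 28" or "999 up" can be checked before they are written to /etc/sysctl.d. The /proc path is the standard kernel location; the gids used are constructed test values.

```shell
#!/bin/sh
# Added example, not code from the thread. Mirrors the kernel rule for
# net.ipv4.ping_group_range: value is "min max"; min > max disables DGRAM ping.

# Usage: ping_group_allowed "MIN MAX" GID -> exit 0 if GID may ping, 1 otherwise
ping_group_allowed() {
    range=$1; gid=$2
    set -- $range                      # split "min max" on whitespace
    min=$1; max=$2
    [ "$min" -gt "$max" ] && return 1  # e.g. "1 0": feature completely disabled
    [ "$gid" -ge "$min" ] && [ "$gid" -le "$max" ]
}

# Check a list of gids (e.g. the output of `id -G`) against the range.
# Prints the first gid that may ping and returns 0; returns 1 if none may.
any_group_allowed() {
    range=$1; shift
    for g in "$@"; do
        if ping_group_allowed "$range" "$g"; then
            echo "$g"
            return 0
        fi
    done
    return 1
}

# Read the live setting from /proc when available; otherwise fall back to the
# kernel default "1 0" (disabled) so the helpers still work on non-Linux hosts.
current_ping_range() {
    if [ -r /proc/sys/net/ipv4/ping_group_range ]; then
        cat /proc/sys/net/ipv4/ping_group_range
    else
        echo "1 0"
    fi
}

# Emit the sysctl.d line for a proposed default (constructed example values).
sysctl_line() {
    printf 'net.ipv4.ping_group_range=%s %s\n' "$1" "$2"
}
```

On a live system, `ping_group_allowed "$(current_ping_range)" "$(id -g)"` tells you whether the current primary group can use DGRAM ping; `any_group_allowed "$(current_ping_range)" $(id -G)` checks every supplementary group as well.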