Mail archive
alpine-devel

Re: [alpine-devel] ping: ping is not a valid applet

From: Isaac Dunham <ibid.ag_at_gmail.com>
Date: Sun, 8 May 2016 14:42:32 -0700

On Sun, May 08, 2016 at 08:58:06PM +0000, Christian Kampka wrote:
> You should be able to use ping as a non-root user by setting
> the ping_group_range in sys/net/ipv4 to the appropriate group(s).
> See 'man 7 icmp' for details.

Some settings are also shown in the comment in the patch.

> Maybe we should figure out a sensible default we can supply with an
> alpine-base installation.

My initial suggestion (based on what I do locally) was to allow group
'netdev' alone to use ICMP_ECHO.
ncopa suggested adding a 'ping' group with gid=999, and allow 999+ to
use ping.
The one caveat here is that some daemons use groups nobody/nogroup
(gid=65533/65534), and it seems rather senseless for a daemon to *gain*
the ability to use ICMP_ECHO by dropping privileges if there does turn
out to be a vulnerability there; nobody:nogroup is supposed to indicate
that a daemon has no need for any extra privileges.
Similarly, 4294967294 is used as the anonymous unauthenticated user in
some NFS implementations, so permitting that might be undesirable.

For reference, on Debian, gids from 60,000 to 64,999 are reserved for
packages; if we were to parallel Debian's policy, a sensible default
would be 999-59999.



> Alba Pompeo <albapompeo_at_gmail.com> wrote on Sun, 8 May 2016 at 22:31:
>
> > Nice workaround for now, thanks.
> > I hope in the future it works on non-root user accounts too.
> >
> > On Sun, May 8, 2016 at 5:07 PM, Isaac Dunham <ibid.ag_at_gmail.com> wrote:
> > > On Sun, May 08, 2016 at 01:36:17PM -0300, Alba Pompeo wrote:
> > >> I'm on edge and receive this message when trying to ping an IP.
> > >> ping: ping is not a valid applet
> > >> Is there a fix?
> > >> Thanks.
> > >> Ciao.
> > >
> > > This is an issue I mentioned previously, where bbsuid no longer recognizes
> > > ping as a valid command, but the symlink has not been updated to point to
> > > busybox.
> > >
> > > Workaround:
> > > rm -f /bin/ping && /bin/busybox --install -s
> > >
> > > Fix:
> > > See attached patch.
> > >
> > > The sysctl settings shown are disabled/netdev (gid=28) only/everyone.
> > >
> > > HTH,
> > > Isaac Dunham
> >
> >
> > ---
> > Unsubscribe: alpine-devel+unsubscribe_at_lists.alpinelinux.org
> > Help: alpine-devel+help_at_lists.alpinelinux.org
> > ---
> >
> >


Received on Sun May 08 2016 - 14:42:32 GMT
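
The caveat in the message above (a default range should not hand ICMP_ECHO to nobody/nogroup or to the NFS anonymous id) can be checked mechanically against any candidate `ping_group_range` value. This script is an added example, not part of the original message or the attached patch; the function names are hypothetical and the sample ranges are constructed from the values mentioned in the thread, with `999 2147483647` standing in for an open-ended "999+".

```shell
#!/bin/sh
# Audit a ping_group_range value ("LOW HIGH", inclusive, as the sysctl
# stores it) against the gids the message says should not gain ICMP_ECHO.

# From the message: nobody/nogroup (65533/65534) and the id some NFS
# implementations use for the anonymous user (4294967294).
CAVEAT_GIDS="65533 65534 4294967294"

# in_range LOW HIGH GID -> succeeds when LOW <= GID <= HIGH
in_range() {
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# audit_range "LOW HIGH" -> prints one verdict:
#   disabled          LOW > HIGH (e.g. the kernel default "1 0")
#   ok                enabled, no caveat gid is covered
#   includes:<gids>   enabled and covering the listed caveat gids
audit_range() {
    set -- $1                      # split on blanks/tabs into LOW and HIGH
    low=$1
    high=$2
    if [ "$low" -gt "$high" ]; then
        echo disabled
        return 0
    fi
    hits=""
    for gid in $CAVEAT_GIDS; do
        if in_range "$low" "$high" "$gid"; then
            hits="${hits:+$hits,}$gid"
        fi
    done
    if [ -n "$hits" ]; then echo "includes:$hits"; else echo ok; fi
}

# Constructed sample ranges: disabled, netdev only (gid=28), the
# Debian-parallel default, and an open-ended range starting at 999.
for r in "1 0" "28 28" "999 59999" "999 2147483647"; do
    printf '%-16s %s\n' "$r" "$(audit_range "$r")"
done

# Also audit the running system's value when the sysctl is readable.
f=/proc/sys/net/ipv4/ping_group_range
if [ -r "$f" ]; then
    printf 'live: %s\n' "$(audit_range "$(cat "$f")")"
fi
```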