Date: Fri, 22 Apr 2016 17:04:10 +0200
From: Natanael Copa
To: Isaac Dunham
Cc: alpine-aports@lists.alpinelinux.org
Subject: Re: [alpine-aports] Enable non-root ping by default?

On Thu, 21 Apr 2016 21:46:18 -0700
Isaac Dunham wrote:

> Hello,
> I've noticed that, in theory, our busybox now supports non-root ping.
>
> The upgrade does have a couple hitches:
> - bbsuid has disabled support for 'ping', but the upgrade leaves the old
>   ping->bbsuid symlink in place.
>
> - We do not have equivalent functionality after fixing that, because
>   bbsuid allowed all users to use ping, while the Linux kernel disables
>   DGRAM ping via this sysctl setting:
>   net.ipv4.ping_group_range=1 0
>
> It took a bit of digging to figure out what that means, so explanation:
> net.ipv4.ping_group_range is a range, specifying minimum and maximum
> group ids allowed to use DGRAM ping.
> The first field is the minimum; if it exceeds the maximum, the feature is
> completely disabled.
>
> Ideally, I'd like to see a default of
> net.ipv4.ping_group_range=28 28
> set in /etc/sysctl.d/00-alpine.conf,
> along with an explanation of what that does.
> This would make users in group 'netdev' able to ping.

I think this was an excellent idea. The only thing that I am in doubt
about is whether 'netdev' is the right group for this.

Maybe we could even create a group called 'ping'?

Or create a 'ping' group with gid 999 and then use range 999 and upwards?
That way all users could ping by default and system users (daemons) that
may need it can be added to the 'ping' group.

-nc
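The range semantics discussed in this thread (minimum and maximum gid, disabled when the minimum exceeds the maximum), as an added shell example that is not part of either message. The function names are hypothetical; checking the effective gid together with the supplementary groups is how the Linux kernel applies the range when a DGRAM ping socket is created.

```shell
#!/bin/sh
# Added example: interpret a net.ipv4.ping_group_range value, "<min> <max>".

# ping_range_state "<min> <max>" -> prints disabled, enabled or invalid
ping_range_state() {
    set -- $1                        # split on spaces or tabs
    if [ "$#" -ne 2 ]; then echo invalid; return 0; fi
    case "$1$2" in *[!0-9]*) echo invalid; return 0 ;; esac
    # A minimum above the maximum (the kernel default "1 0") disables
    # DGRAM ping for every group.
    if [ "$1" -gt "$2" ]; then echo disabled; else echo enabled; fi
}

# ping_range_allows "<min> <max>" gid [gid...]
# Succeeds if any listed gid lies inside the range. Pass the effective gid
# and the supplementary gids of the user, for example the output of `id -G`.
ping_range_allows() {
    range=$1; shift
    gids=$*
    [ "$(ping_range_state "$range")" = enabled ] || return 1
    set -- $range
    min=$1
    max=$2
    for gid in $gids; do
        if [ "$gid" -ge "$min" ] && [ "$gid" -le "$max" ]; then
            return 0
        fi
    done
    return 1
}

# Report on the running system when the sysctl is present (Linux only).
f=/proc/sys/net/ipv4/ping_group_range
if [ -r "$f" ]; then
    current=$(cat "$f")
    echo "ping_group_range: $current ($(ping_range_state "$current"))"
    if ping_range_allows "$current" $(id -G); then
        echo "the range covers one of the current user's groups"
    else
        echo "the range covers none of the current user's groups"
    fi
fi
```

With the proposed "28 28", only members of gid 28 pass; with a range starting at 999, a daemon running under a lower gid passes only once 999 is among its supplementary groups.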