Date: Fri, 22 Apr 2016 19:23:55 -0700
From: Isaac Dunham
To: Natanael Copa
Cc: alpine-aports@lists.alpinelinux.org
Subject: Re: [alpine-aports] Enable non-root ping by default?
Message-ID: <20160423022354.GA15804@newbook>
References: <20160422044617.GA12521@newbook> <20160422170410.4e4f9a8b@ncopa-desktop.alpinelinux.org>
In-Reply-To: <20160422170410.4e4f9a8b@ncopa-desktop.alpinelinux.org>

On Fri, Apr 22, 2016 at 05:04:10PM +0200, Natanael Copa wrote:
> On Thu, 21 Apr 2016 21:46:18 -0700
> Isaac Dunham wrote:
>
> > Hello,
> > I've noticed that, in theory, our busybox now supports non-root ping.
> >
> > The upgrade does have a couple hitches:
> > - bbsuid has disabled support for 'ping', but the upgrade leaves the old
> >   ping->bbsuid symlink in place. This would be solvable via a block like
> >   this in main/busybox/busybox.post_upgrade:
> >
> >   # remove the stale setuid-wrapper symlink left behind by the old package
> >   if [ -L /bin/ping ] && [ "$(readlink /bin/ping)" = "/bin/bbsuid" ]; then
> >       rm /bin/ping
> >   fi
> >
> >   busybox --install -s should add a new, correct, link.
> > - We do not have equivalent functionality after fixing that, because
> >   bbsuid allowed all users to use ping, while the Linux kernel disables
> >   DGRAM ping via this sysctl setting:
> >   net.ipv4.ping_group_range=1 0
> >
> > It took a bit of digging to figure out what that means, so explanation:
> > net.ipv4.ping_group_range is a range, specifying minimum and maximum
> > group ids allowed to use DGRAM ping.
> > The first field is the minimum; if it exceeds the maximum, the feature is
> > completely disabled.
> >
> > Ideally, I'd like to see a default of
> > net.ipv4.ping_group_range=28 28
> > set in /etc/sysctl.d/00-alpine.conf,
> > along with an explanation of what that does.
> > This would make users in group 'netdev' able to ping.
>
> I think this was an excellent idea.
>
> The only thing that I am in doubt about is whether 'netdev' is the right
> group for this.
>
> Maybe we could even create a group called 'ping'? Or create a 'ping'
> group with gid 999 and then use range 999 and upwards? That way all
> users could ping by default and system users (daemons) that may need it
> can be added to the 'ping' group.

I'd figured that
- netdev is used for network administration (on non-Alpine systems,
  wpa_supplicant, wicd, network mangler, etc. all allow group netdev to
  configure things)
- users who need 'ping' pretty much overlap with those troubleshooting
  networking (I'm not sure about this, though!)
- allowing all users access to DGRAM ping could (theoretically) expose a
  bug, which is why it's disabled by default
- allowing n upwards will result in some higher-gid daemons getting ping
  permissions (for example, 'nogroup'/'nobody', any daemon that has a bug
  in the install scripts such that it adds a non-system group).

I'm now suspecting that a 'ping' group may be desirable, but I have
reservations about 999 up.

Thanks,
Isaac Dunham
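Added here as an illustration, not code from the thread or from Alpine's aports: a small POSIX sh script that applies the ping_group_range rule Isaac describes (value is "min max"; a gid may open an unprivileged ICMP socket only if min <= gid <= max; min > max disables the feature) and evaluates the three settings discussed in the thread against a few constructed gids. The group names and gids 28/999/65534 are assumptions for the demo, and `user_can_ping` assumes a Linux host with `/proc/sys/net/ipv4/ping_group_range` and `id -G`.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread or from Alpine.
# Implements the rule the thread describes for net.ipv4.ping_group_range:
# the value is "min max"; a gid may use DGRAM (unprivileged) ping iff
# min <= gid <= max, and min > max (the kernel default "1 0") disables
# the feature for everyone. Gids/group names used below are constructed.

# ping_allowed RANGE GID -> prints yes | no | disabled
ping_allowed() {
    gid=$2
    set -- $1                      # split "min max" on whitespace/tab
    min=$1; max=$2
    if [ "$min" -gt "$max" ]; then
        echo disabled
    elif [ "$gid" -ge "$min" ] && [ "$gid" -le "$max" ]; then
        echo yes
    else
        echo no
    fi
}

# any_gid_allowed RANGE GID... -> yes if any gid (primary plus
# supplementary, as `id -G` prints them) falls in the range
any_gid_allowed() {
    range=$1; shift
    for g in "$@"; do
        r=$(ping_allowed "$range" "$g")
        [ "$r" = no ] || { echo "$r"; return; }
    done
    echo no
}

# user_can_ping USER -> evaluates the running kernel's setting for USER
user_can_ping() {
    range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null || echo "1 0")
    any_gid_allowed "$range" $(id -G "$1")
}

# Compare the settings from the thread against constructed gids:
# 28 = netdev, 999 = a hypothetical 'ping' group, 65534 = nogroup.
# Note how "999 65534" (the "999 and upwards" idea) also grants nogroup.
for range in "1 0" "28 28" "999 65534"; do
    for gid in 28 999 65534; do
        echo "range '$range' gid $gid: $(ping_allowed "$range" "$gid")"
    done
done
```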