Date: Sun, 8 May 2016 14:42:32 -0700
From: Isaac Dunham
To: Christian Kampka
Cc: Alba Pompeo, alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] ping: ping is not a valid applet
Message-ID: <20160508214231.GA10993@newbook>
References: <20160508200757.GA10522@newbook>

On Sun, May 08, 2016 at 08:58:06PM +0000, Christian Kampka wrote:
> You should be able to use ping as a non-root user by setting
> the ping_group_range in sys/net/ipv4 to the appropriate group(s).
> See 'man 7 icmp' for details.

Some settings are also shown in the comment in the patch.

> Maybe we should figure out a sensible default we can supply with an
> alpine-base installation.

My initial suggestion (based on what I do locally) was to allow group
'netdev' alone to use ICMP_ECHO.
ncopa suggested adding a 'ping' group with gid=999, and allow 999+ to use
ping.

The one caveat here is that some daemons use groups nobody/nogroup
(gid=65533/65534), and it seems rather senseless for a daemon to *gain*
the ability to use ICMP_ECHO by dropping privileges if there does turn
out to be a vulnerability there; nobody:nogroup is supposed to indicate
that a daemon has no need for any extra privileges.

Similarly, 4294967294 is used as the anonymous unauthenticated user in
some NFS implementations, so permitting that might be undesirable.
For reference, on Debian, gids from 60,000 to 64,999 are reserved for
packages; if we were to parallel Debian's policy, a sensible default
would be 999-59999.

> Alba Pompeo wrote on Sun, 8 May 2016 at 22:31:
>
> > Nice workaround for now, thanks.
> > I hope in the future it works on non-root user accounts too.
> >
> > On Sun, May 8, 2016 at 5:07 PM, Isaac Dunham wrote:
> > > On Sun, May 08, 2016 at 01:36:17PM -0300, Alba Pompeo wrote:
> > >> I'm on edge and receive this message when trying to ping an IP.
> > >> ping: ping is not a valid applet
> > >> Is there a fix?
> > >> Thanks.
> > >> Ciao.
> > >
> > > This is an issue I mentioned previously, where bbsuid no longer recognizes
> > > ping as a valid command, but the symlink has not been updated to point to
> > > busybox.
> > >
> > > Workaround:
> > > rm -f /bin/ping && /bin/busybox --install -s
> > >
> > > Fix:
> > > See attached patch.
> > >
> > > The sysctl settings shown are disabled/netdev (gid=28) only/everyone.
> > >
> > > HTH,
> > > Isaac Dunham

---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
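
An added example, not part of the message or its attached patch: a POSIX sh check that takes a net.ipv4.ping_group_range value and lists which of the gids the message singles out (65533, 65534, 4294967294) that range would admit. The sample ranges are constructed, and reading "999+" as 999 to 4294967294 is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread or the attached patch): report which of
# the gids the message warns about a ping_group_range value would admit.

# nobody/nogroup (65533/65534) and the NFS anonymous id (4294967294),
# as named in the message.
SENSITIVE_GIDS="65533 65534 4294967294"

# range_covers LOW HIGH GID: succeeds if GID lies in the inclusive range.
# An inverted range such as the kernel default "1 0" covers nothing.
range_covers() {
    [ "$1" -le "$2" ] && [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# audit_ping_range "LOW HIGH": prints the sensitive gids admitted by the
# range, space separated (an empty line means none); returns 2 if malformed.
audit_ping_range() {
    # read splits on blanks and tabs (procfs puts a tab between the values)
    read -r low high extra <<EOF
$1
EOF
    [ -n "$low" ] && [ -n "$high" ] && [ -z "$extra" ] || return 2
    case "$low$high" in *[!0-9]*) return 2 ;; esac
    hits=""
    for gid in $SENSITIVE_GIDS; do
        if range_covers "$low" "$high" "$gid"; then
            hits="${hits:+$hits }$gid"
        fi
    done
    printf '%s\n' "$hits"
}

# Constructed sample values: disabled, netdev only, the Debian-parallel
# range from the message, "999+" read as 999..4294967294 (assumption),
# and everyone.
for range in "1 0" "28 28" "999 59999" "999 4294967294" "0 4294967294"; do
    hits=$(audit_ping_range "$range")
    printf '%-16s admits: %s\n' "$range" "${hits:-none of the sensitive gids}"
done

# Audit the live setting when procfs exposes it.
proc=/proc/sys/net/ipv4/ping_group_range
if [ -r "$proc" ]; then
    live=$(cat "$proc")
    printf 'live (%s) admits: %s\n' "$live" "$(audit_ping_range "$live")"
fi
```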