/usr/bin/ping is missing capabilities in Core Update 157

Hi all,
I have a FHEM installation running on my firewall, which checks devices by ping.
Since I updated to Core 157, the ping command gets the error message “ping: socket: Operation not permitted”.

The user “root” is allowed to run a ping!

How can I adjust the permissions of the specific user that runs my FHEM instance?

Best regards
R.

Hi,

I solved it with “chmod u+s /bin/ping”.

I hope this is not a big security leak.

Best regards
R.

If you have an additional user then the best option is to use sudo with that user for running commands that require root permissions.
That way you don’t have to change the permissions.

Hi,

oh well, this looks like another bug that slipped through testing in Core Update 157. :expressionless:

In this commit, we removed the SUID bit from /usr/bin/ping, which /bin/ping symlinks to, as the binary does not need to be executed as root; it just needs the appropriate capabilities.

However, it looks like these capabilities did not make it onto an upgraded system:

[root@maverick ~]# getcap /usr/bin/ping
[root@maverick ~]# su -s /bin/bash nobody
bash-5.1$ ping 127.0.0.1
ping: socket: Operation not permitted
bash-5.1$ 
exit

You can set them manually, hence causing ping to run without having a full SUID bit set again:

[root@maverick ~]# setcap cap_net_raw+ep /usr/bin/ping
[root@maverick ~]# su -s /bin/bash nobody
bash-5.1$ ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.120 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.102 ms
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1005ms
rtt min/avg/max/mdev = 0.102/0.111/0.120/0.009 ms
bash-5.1$ 
exit
[root@maverick ~]# getcap /usr/bin/ping 
/usr/bin/ping cap_net_raw=ep

I will raise a bug for this. EDIT: Done, please refer to bug #12652. Sorry for the inconvenience.

Thanks, and best regards,
Peter Müller
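
An added example, not part of the thread or of IPFire's code: a shell check that tells apart the states discussed above for a binary such as /usr/bin/ping (SUID bit set, only cap_net_raw, or neither). The function names are hypothetical; it assumes getcap from libcap is installed and accepts both the "path caps" and the older "path = caps" output formats.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from IPFire.

# classify_privs SUID GETCAP_LINE
#   SUID         "yes" if the setuid bit is set, otherwise "no"
#   GETCAP_LINE  the line getcap printed for the file ("" if it printed nothing)
classify_privs() {
    suid=$1
    caps=${2#* }      # drop the leading path
    caps=${caps#= }   # older libcap prints "path = caps"
    case "$suid:$caps" in
        yes:*)                echo setuid ;;            # whole process runs as the file owner
        no:cap_net_raw[=+]ep) echo cap_net_raw_only ;;  # raw sockets only, as set in the thread
        no:)                  echo unprivileged ;;      # no SUID bit and no capabilities
        no:*)                 echo other_caps ;;        # more than ping needs, review it
    esac
}

# audit_binary PATH: collect the setuid bit and file capabilities, then classify.
audit_binary() {
    path=$1
    [ -e "$path" ] || { echo missing; return 1; }
    if [ -u "$path" ]; then suid=yes; else suid=no; fi
    caps=""
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$path" 2>/dev/null) || caps=""
    fi
    classify_privs "$suid" "$caps"
}

# Usage: sh audit.sh /usr/bin/ping [more binaries...]
if [ $# -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(audit_binary "$f")"
    done
fi
```

Run as root against /usr/bin/ping, the result should be cap_net_raw_only once the setcap command from the post above has been applied, and setuid if the chmod u+s workaround is still in place.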


Hi,

Thanks, Peter, for the real reason.

I changed the configuration in the way you described and marked it as the solution.

Best regards
R.

Hi,

Just for the record: this issue has been fixed in Core Update 158. :slight_smile:

Thanks, and best regards,
Peter Müller