[Bug 1703649] Re: Traceroute needs net_admin capability for unknown reason
Vincas Dargis
1703649 at bugs.launchpad.net
Wed Jul 12 17:27:22 UTC 2017
Added systemd because:
# apt-cache show libnss-resolve | fgrep Source
Source: systemd
--
https://bugs.launchpad.net/bugs/1703649
Title:
Traceroute needs net_admin capability for unknown reason
Status in systemd package in Ubuntu:
New
Status in traceroute package in Ubuntu:
New
Bug description:
With the help of AppArmor on 17.04 and 17.10 I've discovered that
traceroute needs net_admin capabilities.
My plan is to update the AppArmor profile [0] to fix various DENIED
messages in syslog/audit for traceroute, though I am not sure about
allowing, or denying, the net_admin capability.
Looks like traceroute tries to set SO_RCVBUFFORCE and SO_SNDBUFFORCE:
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
What is interesting is that the traceroute developer does not recall
changing these values [1]. On Debian Sid and openSUSE Tumbleweed this
issue does not reproduce either.
Could it be some Ubuntu-specific patch in the works? It seems that
traceroute works OK without net_admin...
Thanks!
[0] https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260
[1] https://sourceforge.net/p/traceroute/mailman/message/35927818/