[Bug 2089938] Re: iputils 3:20240905-1 doesn't work for unprivileged users
Simon Chopin
2089938 at bugs.launchpad.net
Tue Dec 10 15:42:36 UTC 2024
Note that while the range 0-65534 works for "normal" groups, there are
some use cases outside of that range besides the usual container
mapping, e.g. Active Directory users, so we can't change our default
value to it.
In the short term I will revert the setcap removal from iputils, but I'd
love to see the ping_group_range solution get solved at some point :/
For the record, the iputils code changes allowing for the drop of setcap aren't new, and have been present in the package since around 2015:
https://github.com/iputils/iputils/commit/87dbb3a5db657d5eae6934707beaf0507980a1c3
https://bugs.launchpad.net/bugs/2089938
Title:
iputils 3:20240905-1 doesn't work for unprivileged users
Status in iputils package in Ubuntu:
New
Bug description:
iputils-ping 3:20240905-1 removed the setcap from the binary, under
the assumption that you don't need special privileges to open ICMP
sockets (as introduced in 2011 in the kernel). However, that is only
true if you have "net.ipv4.ping_group_range = 0 2147483647" (or
similar) in sysctl.
So far, we didn't configure this variable in Ubuntu, resulting in the
default value of "0 1", which only allows root to open those sockets.
However, that could/should change with the latest merge of linux-base,
which brought in linux-sysctl-defaults. That package ships
/usr/lib/sysctl.d/50-defaults, which has the following contents:
```
# System Request functionality of the kernel (SYNC)
#
# Use kernel.sysrq = 1 to allow all keys.
# See https://docs.kernel.org/admin-guide/sysrq.html for a list
# of values and keys.
kernel.sysrq = 0x01b6
# Append the PID to the core filename
kernel.core_uses_pid = 1
# Source route verification
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.*.rp_filter = 2
-net.ipv4.conf.all.rp_filter
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.*.accept_source_route = 0
-net.ipv4.conf.all.accept_source_route
# Promote secondary addresses when the primary address is removed
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.*.promote_secondaries = 1
-net.ipv4.conf.all.promote_secondaries
# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
# The upper limit is set to 2^31-1. Values greater than that get rejected by
# the kernel because of this definition in linux/include/net/ping.h:
# #define GID_T_MAX (((gid_t)~0U) >> 1)
# That's not so bad because values between 2^31 and 2^32-1 are reserved on
# systemd-based systems anyway: https://systemd.io/UIDS-GIDS#summary
-net.ipv4.ping_group_range = 0 2147483647
# Fair Queue CoDel packet scheduler to fight bufferbloat
-net.core.default_qdisc = fq_codel
# Enable hard and soft link protection
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Enable regular file and FIFO protection
fs.protected_regular = 2
fs.protected_fifos = 1
```
The problematic version of iputils-ping has a Recommends on
linux-sysctl-defaults, but that alone doesn't help since those settings are
only applied at boot time by systemd-sysctl.
That new package is already in systemd's Recommends (has been there
since Oracular, see bug 2089759).
In parallel, procps in Debian has removed /etc/sysctl.conf entirely,
and now also Recommends linux-sysctl-defaults.
To add to the fun, despite the systemd Recommends, linux-sysctl-defaults
isn't part of the current plucky LXD images (built 2 days
after that package was published in the release pocket).
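The bug hinges on how the kernel interprets net.ipv4.ping_group_range and on whether the running process actually falls inside it. The following diagnostic is an added example written for this page; it is not code from iputils, linux-sysctl-defaults or the bug reporter. It parses the sysctl value the way the kernel does (inclusive gid range, low > high meaning "nobody", values above GID_T_MAX rejected), compares it against the calling process's groups, and then tries to open the same ICMP datagram socket that a setcap-less ping(8) uses, so a failure shows up as the EACCES the kernel returns. The /proc/sys path is the real one; the gid values used in the examples below are constructed.

```python
"""Diagnose whether unprivileged ping(8) can work on this host.

Without CAP_NET_RAW, iputils opens an ICMP datagram ("ping") socket. The
kernel only allows that for processes whose gid lies inside
net.ipv4.ping_group_range. This script checks that sysctl and then probes
the socket type directly.
"""
import os
import socket

# Kernel limit from include/net/ping.h: #define GID_T_MAX (((gid_t)~0U) >> 1)
GID_T_MAX = ((1 << 32) - 1) >> 1          # 2147483647
SYSCTL_PATH = "/proc/sys/net/ipv4/ping_group_range"


def parse_ping_group_range(text):
    """Turn the sysctl text ("low high") into an inclusive (low, high) tuple.

    The kernel refuses gids above GID_T_MAX, so a range that tries to cover
    the whole 32-bit gid space (e.g. "0 4294967294") is rejected here too.
    """
    parts = text.split()
    if len(parts) != 2:
        raise ValueError("expected exactly two integers, got %r" % text)
    low, high = (int(p) for p in parts)
    for value in (low, high):
        if value < 0 or value > GID_T_MAX:
            raise ValueError("gid %d outside 0..%d; the kernel rejects it"
                             % (value, GID_T_MAX))
    return low, high


def range_is_empty(rng):
    """low > high is how the kernel expresses "no group may open ping sockets"."""
    low, high = rng
    return low > high


def gids_allowed(gids, rng):
    """Return the sorted subset of gids that fall inside the inclusive range."""
    low, high = rng
    return sorted(set(g for g in gids if low <= g <= high))


def current_gids():
    """All groups of the calling process: primary gid plus supplementary groups."""
    gids = [os.getgid()]
    if hasattr(os, "getgroups"):
        gids.extend(os.getgroups())
    return gids


def probe_ping_socket():
    """Try to open the unprivileged ICMP datagram socket iputils uses.

    True when the kernel allowed it, False on EACCES/EPERM (the
    ping_group_range check failed), None if the platform lacks the socket type.
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP)
    except PermissionError:
        return False
    except OSError:
        return None
    sock.close()
    return True


def diagnose(sysctl_text, gids):
    """One-line verdict from a sysctl value and a gid list (pure, so testable)."""
    rng = parse_ping_group_range(sysctl_text)
    if range_is_empty(rng):
        return "ping_group_range %d %d is empty: only CAP_NET_RAW holders can ping" % rng
    hits = gids_allowed(gids, rng)
    if hits:
        return "allowed via gid(s) %s" % ", ".join(str(g) for g in hits)
    return "no group of this process is inside %d..%d" % rng


if __name__ == "__main__":
    try:
        with open(SYSCTL_PATH) as fh:
            live = fh.read()
    except OSError as exc:
        raise SystemExit("cannot read %s: %s" % (SYSCTL_PATH, exc))
    print("sysctl says:", diagnose(live, current_gids()))
    verdict = {True: "ping socket opened", False: "EACCES: ping socket denied",
               None: "ICMP datagram sockets not supported here"}
    print("socket probe:", verdict[probe_ping_socket()])
```

Running it as an ordinary user on a host where the sysctl drop-in has not been applied yet reports the gid mismatch and a denied socket; after installing linux-sysctl-defaults, `sysctl --system` (or restarting systemd-sysctl.service) reapplies the drop-ins without a reboot and the probe should flip to "opened". The parser's upper bound is also why the drop-in stops at 2147483647 rather than covering the full gid space: anything above GID_T_MAX is refused by the kernel, while gids beyond the 0-65534 range that Simon mentions (container mappings, Active Directory users) still fit below that limit.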