Insufficient privilege configuration for iputils-ping and iputils-clockdiff
孟敬姿
mengjingzi at iie.ac.cn
Thu Jan 4 03:24:05 UTC 2024
Hi!
I hope this email finds you well. We have been using iputils-ping and iputils-clockdiff and have identified some default capability configurations that we believe could be enhanced for better functionality. I wanted to bring these concerns to your attention for discussion and consideration.
iputils-ping:
Currently, ping is configured with CAP_NET_RAW, which generally suffices for most operations. However, we encountered an issue when using the ‘-m’ option to mark outgoing packets. It seems that the ability to tag outgoing packets requires CAP_NET_ADMIN as well. We have submitted a bug report at:
https://bugs.launchpad.net/ubuntu/+source/iputils/+bug/2047507
iputils-clockdiff:
Clockdiff has a similar problem. While clockdiff is configured with CAP_NET_RAW, basic functions are not available for unprivileged users. CAP_SYS_NICE is needed as well. Details can be found at:
https://bugs.launchpad.net/ubuntu/+source/iputils/+bug/2047508
Since ping and clockdiff choose to use capabilities instead of superuser privileges (which is conducive to least privilege), maybe it is better to grant them enough capabilities to do the whole thing.
We are looking forward to any insights or feedback you may have on this matter. Thank you for your time.
Best regards,
Jz
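
An added example, not part of the original message or of iputils: a decoder for the Linux `security.capability` file xattr that reports which of the capabilities named in the message a binary lacks. The names `decode_file_caps`, `missing_caps` and `REQUIRED` and the sample bytes are constructed for illustration; the requirements table restates the message's claims.

```python
import struct

# Capability bit numbers from linux/capability.h
CAP_BITS = {"cap_net_admin": 12, "cap_net_raw": 13, "cap_sys_nice": 23}

# Feature -> capabilities needed, as stated in the message above (assumption: complete)
REQUIRED = {
    "ping -m": {"cap_net_raw", "cap_net_admin"},
    "clockdiff": {"cap_net_raw", "cap_sys_nice"},
}

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# xattr revision -> number of (permitted, inheritable) 32-bit pairs that follow
PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}

def decode_file_caps(xattr: bytes) -> dict:
    """Decode a security.capability xattr into permitted names and the effective flag."""
    if len(xattr) < 4:
        raise ValueError("xattr too short")
    (magic,) = struct.unpack_from("<I", xattr, 0)
    pairs = PAIRS.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None or len(xattr) < 4 + 8 * pairs:
        raise ValueError("unknown revision or truncated xattr")
    permitted = 0
    for i in range(pairs):
        word, _inheritable = struct.unpack_from("<II", xattr, 4 + 8 * i)
        permitted |= word << (32 * i)
    names = {n for n, bit in CAP_BITS.items() if (permitted >> bit) & 1}
    return {"permitted": names, "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}

def missing_caps(feature: str, xattr: bytes) -> set:
    """Capabilities the feature needs that are absent from the file's permitted set."""
    return REQUIRED[feature] - decode_file_caps(xattr)["permitted"]

# Constructed sample: revision 2, effective flag set, permitted = cap_net_raw only
SAMPLE_NET_RAW_EP = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)

if __name__ == "__main__":
    for feature in REQUIRED:
        print(feature, "missing:", sorted(missing_caps(feature, SAMPLE_NET_RAW_EP)))
    # On a live Linux system the bytes come from:
    #   os.getxattr("/path/to/binary", "security.capability")
```

Only the three capabilities in `CAP_BITS` are decoded by name; other permitted bits are ignored.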