I was browsing through the code for ping from the iputils package for Linux.
I noticed that ping uses raw sockets (SOCK_RAW), which any userspace application requires root privilege to use.
How do the developers of Linux distros manage to provide the ping command for non-root users?
ping needs to generate and receive ICMP packets, and usually that's done using "raw sockets" – a feature limited to root (cap_net_raw) because it could also be abused to sniff and disrupt other traffic on the system.
sudo (superuser do) allows you to configure non-root users to run root level commands without being root.
On modern distros, ping uses an extended file attribute to grant CAP_NET_RAW to unprivileged users.
Example here on my Debian testing:
jbm@sumo:~$ ls -l /bin/ping
-rwxr-xr-x 1 root root 57048 Mar 1 15:49 /bin/ping
jbm@sumo:~$ filecap /bin/ping
file capabilities
/bin/ping net_raw
...which is better than SUID, security wise: only one capability here, instead of the full root set (37 capabilities as of my 4.5 kernel).
EDIT: a couple of things.
First: instead of filecap, you might want to use getcap. The latter comes with the "regular" libcap and its CLI tools, that you are pretty sure to have on your system whatever the distro. As opposed to the former, which comes with libcap-ng.
Second: regarding Ubuntu.
Indeed, now that I'm at the office, with a couple of Ubuntu LTS VM (14.04 and 16.04) guests on my Debian testing host, I can see that Canonical does use the SUID bit rather than an extended file attribute. They appear to rely on AppArmor MAC, and I'd say we have a good example here of why this might not be the best idea as a first measure: the administrative paperwork load to get it right is high.
As a result, though Canonical do have some AppArmor setup for say tcpdump, they do not for ping (which is instead SUID = full root power for free), nor for example for dumpcap (the process running the packet capture for wireshark), which will imply sudo, which again is full root power (yet at least with a password). Hopefully upstream developers do things right: capability dropping is available at the source code level both for the iputils like ping or for dumpcap, so it's up to the integrator (distro package maintainers).