security – How Does Ping Work on Fedora Without setuid and Capabilities

capabilitiesSecuritysetuid

As far as I know, ping needs to create a raw socket (which needs either root access or cap_net_raw capabilities).

From my understanding the trend these last years has been to remove setuid binaries and replaced them with capabilities.

However when I look at the ping binary on my Fedora 32, it doesn't look to have any:

$ ls -la $(which ping)
-rwxr-xr-x. 1 root root 82960 May 18 10:26 /usr/bin/ping
$ sudo getcap -v $(which ping)
/usr/bin/ping
$

Does ping need to open raw socket on fedora? Or is there another way to give it the permission to open a raw socket?

Best Answer

I think https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange answers your question:

Enable the Linux kernel's net.ipv4.ping_group_range parameter to cover all groups. This will let all users on the operating system create ICMP Echo sockets without using setuid binaries, or having the CAP_NET_ADMIN and CAP_NET_RAW file capabilities.

Cross-reference detail

Targeted release: Fedora 31
Last updated: 2019-08-13
Tracker bug: #1740809
Release notes tracker: #376

The sysctl documentation writes,

ping_group_range - 2 INTEGERS

Restrict ICMP_PROTO datagram sockets to users in the group range. The default is "1 0", meaning, that nobody (not even root) may create ping sockets. Setting it to "100 100" would grant permissions to the single group. "0 4294967295" would enable it for the world, "100 4294967295" would enable it for the users, but not daemons.

An older code example demonstrates the use of this feature, and in particular shows that a socket is created with the IPPROTO_ICMP flag to identify that it will be used for raw ICMP

int sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)

Related Solutions

Running setuid binary temporarily without setuid

If X is dynamically linked, you could call the dynamic linker like:

/lib/ld.so /path/to/X

(adapt ld.so to your system (like /lib/ld-linux.so.2).

Example:

$ /lib64/ld-linux-x86-64.so.2 /bin/ping localhost
ping: icmp open socket: Operation not permitted

Linux – How to replace setuid with file-system capabilities

File system capabilities in Linux were added to allow more fine-grained control than setuid alone will allow. With setuid it's a full escalation of effective privileges to the user (typically root). The capabilities(7) manpage provides the following description:

For the purpose of performing permission checks, traditional Unix implementations distinguish two categories of pro‐ cesses: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged pro‐ cesses (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivi‐ leged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

If an application needs the ability to call chroot(), which is typically only allowed for root, CAP_SYS_CHROOT can be set on the binary rather than setuid. This can be done using the setcap command:

setcap CAP_SYS_CHROOT /bin/mybin

As of RPM version 4.7.0, capabilities can be set on packaged files using %caps.

Fedora 15 had a release goal of removing all setuid binaries tracked in this bug report. According to the bug report, this goal was accomplished.

The wikipedia article on Capability-based security is good read for anyone interested.

Best Answer

Related Solutions

Running setuid binary temporarily without setuid

Linux – How to replace setuid with file-system capabilities

Related Question