On Tue, Jun 07, 2016 at 02:56:11PM -0800, Britton Kerin wrote:
> On Thu, Jun 2, 2016 at 2:33 PM, Santiago Vila <sanv...@unex.es> wrote:
> > On Thu, Jun 02, 2016 at 01:56:08PM -0800, Britton Kerin wrote:
> >> On my old debian system I could ping as a normal user.  The ping
> >> binary had the suid bit set.  Now I get:
> >>
> >>     $ ping www.google.com
> >>     ping: icmp open socket: Operation not permitted
> >>     2 $
> >>
> >> presumably because the bit isn't set.
> >
> > Yes, it uses capabilities. The simple fix is to do this:
> >
> > dpkg-reconfigure iputils-ping
> 
> Well, that works, thanks.  But I really don't get the overall behavior.
> It says this:
> 
>      root@debian:/home/bkerin# dpkg-reconfigure iputils-ping
>      Setcap worked! Ping(6) is not suid!
>      root@debian:/home/bkerin#
> 
> And then ping works for non-root users.
> 
> How, just by executing dpkg-reconfigure, did I tell it this is what
> I wanted?  If that's the default, why wasn't it that way to begin with?

It is supposed to work on initial installation as well -- the decision
whether to setcap or setuid is made anew whenever iputils-ping is
configured.  Did you do something out of the ordinary, like tarring and
restoring or otherwise moving your system around?  If so, that's
unfortunately an expected thing -- if not, it'd be nice to know what
else could have failed.

> More generally, is it somehow possible to still run debian without
> capabilities?  I hate them.

Yes, apt-get purge libcap2-bin.

This won't undo existing capabilities in the filesystem, you can search for
them with getcap -r, then dpkg --reconfigure them to use setuid instead.

> The simple root-or-not security model is much simpler and doesn't promise
> more than it can really deliver.

Giving only limited capabilities greatly reduces possible attacks.  If
someone manages to subvert ping, in the setuid model he gains full root.  In
the capability model, all he gets is cap_net_raw.  The damage from being
able to create raw sockets is rather limited.  Another such capability is
for example cap_net_bind_service, which lets your http/whatever server
listen on port 80 without being root.  And so on...

On the other hand, setcap does have its downsides, like surprising some
sysadmins or tools.

> I'm sad to see capabilities now as the default.

I'd say the upside outweighs the downsides.  But, you do get to choose.


Meow!
-- 
An imaginary friend squared is a real enemy.
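The audit the reply suggests (getcap -r for file capabilities, plus a check for binaries still relying on setuid), written out as an added shell example that is not part of this thread. It assumes GNU find and awk; the getcap output lines in the test are constructed, and the older "path = caps" and newer "path caps" output formats are both accepted.

```shell
#!/bin/sh
# Added example: inventory privileged binaries, separating setuid files (a
# compromised one yields full root) from file-capability files (only the
# listed capabilities, e.g. cap_net_raw for ping). Not code from the thread.

# Regular files under $1 carrying the setuid bit (mode 04000).
find_setuid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null | LC_ALL=C sort
}

# Normalise `getcap -r` output to "path<TAB>caps". Older libcap prints
# "/bin/ping = cap_net_raw+ep", newer libcap prints "/bin/ping cap_net_raw=ep".
parse_getcap() {
  awk '{
    if (match($0, / = /)) { path = substr($0, 1, RSTART - 1); caps = substr($0, RSTART + 3) }
    else if (match($0, / [^ ]+$/)) { path = substr($0, 1, RSTART - 1); caps = substr($0, RSTART + 1) }
    else next
    print path "\t" caps
  }'
}

# Classify one file: $1 = path, $2 = normalised getcap output for the tree.
# A file that carries capabilities is reported as such even if it is also setuid.
classify() {
  caps=$(printf '%s\n' "$2" | awk -F '\t' -v p="$1" '$1 == p { print $2; exit }')
  if [ -n "$caps" ]; then
    echo "capabilities ($caps)"
  elif [ -u "$1" ]; then
    echo "setuid"
  else
    echo "unprivileged"
  fi
}

# Report every privileged file under $1, one "path<TAB>model" line each.
audit() {
  caps=$(getcap -r "$1" 2>/dev/null | parse_getcap)
  { find_setuid "$1"; printf '%s\n' "$caps" | cut -f 1; } | LC_ALL=C sort -u |
    while IFS= read -r f; do
      [ -n "$f" ] && printf '%s\t%s\n' "$f" "$(classify "$f" "$caps")"
    done
}

# Usage: sh audit.sh /usr/bin  (run as root to see every setuid file)
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

After `apt-get purge libcap2-bin` the "capabilities" lines are the packages to `dpkg-reconfigure` so they fall back to setuid; getcap itself is gone at that point, so run the audit first.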
