On Jan 02, Noah Meyerhans <no...@debian.org> wrote:

> With that in place, unprivileged users are able to execute ping for both
> IPv4 and IPv6 targets without cap_net_raw (currently set as either a
> file-based attribute on the ping binary or acquired via setuid). But
> since that applies system-wide, not just to the ping binary, there may
> be objections.

I do not think that the submitter made clear why this would be preferable, so I had to research it myself. See:

https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange
https://github.com/systemd/systemd/pull/13141

Since this is one of the systemd sysctl defaults (of which I think that we should adopt more, especially the network-related ones!) I agree with changing this.
I would just do it in the systemd package to allow all packages to benefit from it without having to care if ping is installed.

-- 
ciao,
Marco
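An added example, not part of the message above: a small audit script that reports whether the system-wide setting discussed in the thread admits the current user, and whether the ping binary still carries setuid or file capabilities. It assumes the setting is the Linux sysctl `net.ipv4.ping_group_range` (the one named in the linked Fedora change); the function names are hypothetical.

```shell
#!/bin/sh
# ping_group_allows RANGE GID...
# RANGE is the content of /proc/sys/net/ipv4/ping_group_range ("low high").
# Returns 0 if any GID lies inside the inclusive range, 1 if none does,
# 2 if RANGE is malformed. The kernel default "1 0" is an empty range,
# so nobody may open unprivileged ICMP sockets until it is changed.
ping_group_allows() {
    pga_range=$1; shift
    read -r pga_low pga_high <<EOF
$pga_range
EOF
    # Reject anything that is not exactly two decimal numbers.
    case "$pga_low$pga_high" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$pga_low" ] && [ -n "$pga_high" ] || return 2
    for pga_gid in "$@"; do
        if [ "$pga_gid" -ge "$pga_low" ] && [ "$pga_gid" -le "$pga_high" ]; then
            return 0
        fi
    done
    return 1
}

# Print the sysctl state for the calling user and any privilege left on ping.
report_ping_privileges() {
    rp_file=/proc/sys/net/ipv4/ping_group_range
    if [ -r "$rp_file" ]; then
        rp_range=$(cat "$rp_file") || return 0
        # id -G lists the effective and supplementary groups of the caller.
        if ping_group_allows "$rp_range" $(id -G); then
            echo "ping_group_range=[$rp_range]: ICMP datagram sockets allowed for this user"
        else
            echo "ping_group_range=[$rp_range]: not allowed, ping needs cap_net_raw or setuid"
        fi
    fi
    rp_ping=$(command -v ping) || return 0
    if [ -u "$rp_ping" ]; then
        echo "$rp_ping is setuid"
    fi
    if command -v getcap >/dev/null 2>&1; then
        getcap "$rp_ping" || true   # prints file capabilities, if any
    fi
    return 0
}

report_ping_privileges
```

Because the range is matched against group ids system-wide, a wide range grants ICMP datagram sockets to every process in those groups, not only to ping.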