Bug#780721: iputils: Please raise libcap2-bin from Recommends to Depends
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 02/22/2016 09:22 PM, Noah Meyerhans wrote: > On Mon, Feb 22, 2016 at 09:15:37PM +0100, John Paul Adrian Glaubitz > wrote: >> I didn't say you should remove setuid altogether. I just said you >> should use capabilties on Linux by default by setting: >> >> Depends: libcap2-bin [linux-any] > > Recommends are installed by default, so the default on Linux is to > use capabilities. Especially with systemd pulling it in as a hard > requirement. As I mentioned before, the problem occurs in setups like FAI where Recommends are not enabled by default. I'm aware it works on standard, stand-alone systems. I haven't had the time to re-test this today at work, but I will be following up on this! > iputils-ping only builds for linux kernels. Well, then this part isn't an issue anyway :). > I already explained that it would be a policy violation for > iputils-ping to have a Depends: libcap2-bin. This will change when > libcap2-bin is Priority: important, at which point I'll add the > dependency. Just because systemd is willing to violate policy > doesn't mean I am! ;) Alright, then let's just wait until this has happened! Again, thanks for filing the bug report! Adrian - -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaub...@debian.org `. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de `-GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913 -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJWy286AAoJEHQmOzf1tfkTe+MQAIcf5aaQwxtREO4elmSWUxX8 gfbs0KNCDGCde4imv8zxBcjJBhWvheG0aM65WM/RMj7zBazx5ubUcRXPUR1xjVvu mb7fSr/68P9MbQKAYDn6FUszfycPb47U6PPZmLC9tVp71kbpGe5IQ+cCrtBgG0dx yu5ydzpDq/Y8DK8qkfDpuIrepF3uWdnlKJ5SkWBffBZOJYahes9/kh0sByxaz4Di z3cZ2rXAyexb5FcDGcNl1C9HGkS6vUFDD6a3KpARExl0T9Ve6MuvYM1yTQTWG379 F+eANowp6y5Tfi2rqTfR/K+z2x9aKfnJlkB7XEiRSxwssc989ZXK3ZjPq09wWdGk UdpHZ6OIZi0eZyMV4xkK+3Mv9hfXLkYAUL7zboPIY15NDZWmegNIXAe7CCCn88Ay J4HZiOZYIRsW16pXVF/F8081/2g+Ru2Od1+G7Rp4jE+Zt8+/qmZPpGys3kqbZdYE lnw/ulfaxYnMMIgXdCkjc51ShBCGfm0XGI1etMd7j0Ii4FtMoeNSdAReikqn1UJr OA75zioM2OHyQEYaR83I8TbngVgcwWYMyuzj+qS+yG3o7QLAqmQAnZBaBJbC8uHS qxo6jZFvBJuzNYKFGNwnVPMXXVZwsfVB65ASH2HHIyoA09hARGz6HSgbtME/3o4Q JrXaircc4YHctOzaksgT =B6Ga -END PGP SIGNATURE-
Bug#780721: iputils: Please raise libcap2-bin from Recommends to Depends
On Mon, Feb 22, 2016 at 09:15:37PM +0100, John Paul Adrian Glaubitz wrote: > I didn't say you should remove setuid altogether. I just said you should > use capabilties on Linux by default by setting: > > Depends: libcap2-bin [linux-any] Recommends are installed by default, so the default on Linux is to use capabilities. Especially with systemd pulling it in as a hard requirement. > I'm aware we can't use capabilities on the non-Linux kernels yet, but > since dpkg allows us to set dependencies per arch or per kernel, I don't > see any particular problem adding libcap2-bin as to Depends for Linux > kernels. iputils-ping only builds for linux kernels. I already explained that it would be a policy violation for iputils-ping to have a Depends: libcap2-bin. This will change when libcap2-bin is Priority: important, at which point I'll add the dependency. Just because systemd is willing to violate policy doesn't mean I am! ;) noah signature.asc Description: Digital signature
Bug#780721: iputils: Please raise libcap2-bin from Recommends to Depends
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 02/22/2016 04:59 PM, Noah Meyerhans wrote: > Thanks. In the meantime, I've submitted 815566 against libcap2-bin > requesting that it be raised to Priority: important to match > iputils and systemd, which is the right solution hered. Probably a good idea to do that, thanks! >> I would still highly discourage from using setuid anymore anyway >> for the well-known security issues it has [1]. I mean, setuid is >> one of the main reason capabilities were introduced to the Linux >> kernel in the first place. > > As long as it's possible for Debian systems to work on kernels that > don't support capabilities, I want to keep the suid fallback in > place, especially if it's only actually used under custom > configurations. I didn't say you should remove setuid altogether. I just said you should use capabilties on Linux by default by setting: Depends: libcap2-bin [linux-any] I'm aware we can't use capabilities on the non-Linux kernels yet, but since dpkg allows us to set dependencies per arch or per kernel, I don't see any particular problem adding libcap2-bin as to Depends for Linux kernels. Adrian - -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaub...@debian.org `. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de `-GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913 -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJWy2xlAAoJEHQmOzf1tfkT3R4P/isqmu1APaSecpJqH7uTW7X+ fCEmSd4FBglVJy+jYQ2vJinkR04ZYlvUELOkmqUIQk/juPbLBZN695LHhjuWFTCX LL8NraJguvFqzPfx0OkESLe14sAf5CXcg++LLzOQnJ/SpScRbaEa/62ZRdufonj9 17+OlsMAvrSEQtoj6Al3hQEQiH6aseHgD8tyCpq79xIpAgC8UUeA6ETOYMZLFu/b YyuQ9w9YvupeUv1vI8ic4b4UgCCAq+oW7gpF8XyHMnJGMM/dIWtPYa75jNHn9JcE 2QKzQ7TEllrLSmMW8I7dk0VCAiq2fl0B8sPt05IUk2TOzowJk7Cd/UljYmPG4Xx0 NlonR7qP3lzAIsMxDuxSxpRZk4SUC1q1UHDLcRLHkDj4iXoYcsF3F0Ud200b6SsF VNQVftjgMJESoEDklYtIPn7zgdkSjp5rGDFnLxzyc8Ya/qX6EBEBh7pvyP5qMjir W/EaGvPfg8qYqbNxV0f8YhRZkGg+jpL8onfMNwXEsn2LJkFmFpoztKVpHKMpcw6K UNte8uxQpp4HS9qu95/qSbK2u3ZstT7YNEjSr3EOigrJpWsMakm45KwjczzTYYjR 4L7A9G8qdtdHztgXgJ9+NLSPUHS94SUqgxkA/1mKaCL4uqt7wUUztUK2fNHcsjoX Y/IQRIF0ePiN8lSSLmZj =+YrK -END PGP SIGNATURE-
Bug#780721: iputils: Please raise libcap2-bin from Recommends to Depends
On Mon, Feb 22, 2016 at 04:01:24PM +0100, John Paul Adrian Glaubitz wrote: > I'll have to re-test that. Again, this occurred during a FAI > installation, that is an automated installation. Thanks. In the meantime, I've submitted 815566 against libcap2-bin requesting that it be raised to Priority: important to match iputils and systemd, which is the right solution hered. > I would still highly discourage from using setuid anymore anyway > for the well-known security issues it has [1]. I mean, setuid is > one of the main reason capabilities were introduced to the Linux > kernel in the first place. As long as it's possible for Debian systems to work on kernels that don't support capabilities, I want to keep the suid fallback in place, especially if it's only actually used under custom configurations. noah signature.asc Description: Digital signature
Bug#780721: iputils: Please raise libcap2-bin from Recommends to Depends
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 02/22/2016 03:53 PM, Noah Meyerhans wrote: > On Mon, Feb 22, 2016 at 08:22:50AM +0100, John Paul Adrian Glaubitz > wrote: >> Can we just fix this bug first so that people don't install >> iputils in setups like FAI or debootstrap and keep wondering why >> iputils-ping doesn't work for non-root users? > > Please explain how ping is not usable by non-root users? If > libcap2-bin isn't installed, then ping is installed setuid root as > it always has been. I'll have to re-test that. Again, this occurred during a FAI installation, that is an automated installation. We had to add libcap2-bin manually in FAI PACKAGES install JESSIE STRETCH BUSTER libcap2-bin iputils-arping iputils-ping as otherwise users would get an error message when trying to run the ping command on Jessie or newer. I will re-test this, maybe this was a previous bug in iputils-ping. I would still highly discourage from using setuid anymore anyway for the well-known security issues it has [1]. I mean, setuid is one of the main reason capabilities were introduced to the Linux kernel in the first place. Cheers, Adrian > [1] https://en.wikipedia.org/wiki/Setuid#Security - -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaub...@debian.org `. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de `-GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913 -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQIcBAEBCAAGBQJWyyLAAAoJEHQmOzf1tfkTaekQAJ+uNfZWrJlkgnnNZ+NH74OY V3jwEAWglPorNEFPaezw0ASlTqYB3p5ibx6OkUKszXI6COeCwpSL/fpgAw7n2zTx nJsHkVf+bCdbKa5hl975xTwctfC86pfF+EL1/tXrBFxtXx5PrfBK3B/CtzCZ1u6E cujAu2rC6g2fNrbjCwZFMJvc+3IbxVptMINd1w9humq6FmUu/nXyUUpHtMly73j3 zVcxnl7C1vW9lSTsdLXfPd+3wFrQwobWeDJeTn3z9OC7ljrDRE2y/2/L1f5OBrr7 rJuDpA47Lgv6gD5wXOKwAzQgoAFz0Cs11P9NsdGa82yiYmiOIZvpeOTt1AZSnBmm Ulmnx9ABlEOS4sLjJ74pulpT8HqAaAKwUnz3CNnfy8/qIKgbVvHT1Xr1XydKz+Fs TrK+qhsLX536nSzyO8X3NC/+Fzlnu4u+QI36TlAoqbfikXjAj1dUoemAg1c9tCMM sJH55A6Odlv61XzJQHlNPPBBnkU17B+3rq/sIJkSpYetV5JJwO84+f7VqkOIMMlG d8I5HGp3q00F7x386ceS7dcGGC1NzKsMEhhD3DbBBbx5pO5R05gwqrQiqfHPlCS2 XYEGVafgOs9mA0EyxtFFTNRVEaY+yH/bE92c1hHxkqpFFviU3WWe0/AeowTA3iN+ jc5OOa3NbyXqFZkYtwR7 =s3Ni -END PGP SIGNATURE-
Bug#780721: iputils: Please raise libcap2-bin from Recommends to Depends
On Mon, Feb 22, 2016 at 08:22:50AM +0100, John Paul Adrian Glaubitz wrote: > Can we just fix this bug first so that people don't install iputils > in setups like FAI or debootstrap and keep wondering why iputils-ping > doesn't work for non-root users? Please explain how ping is not usable by non-root users? If libcap2-bin isn't installed, then ping is installed setuid root as it always has been. The relevant code from postinst: if command -v setcap > /dev/null; then if setcap cap_net_raw+ep /bin/ping; then chmod u-s /bin/ping else echo "Setcap failed on /bin/ping, falling back to setuid" >&2 chmod u+s /bin/ping fi else echo "Setcap is not installed, falling back to setuid" >&2 chmod u+s /bin/ping fi signature.asc Description: Digital signature
Bug#780721: iputils: Please raise libcap2-bin from Recommends to Depends
On 02/22/2016 03:49 AM, Noah Meyerhans wrote: > I don't see a bug against systemd for this, but there probably should be > one. Either that or we should amend policy to remove this requirement, > but I suspect that the ramifications of that would far-reaching. Can we just fix this bug first so that people don't install iputils in setups like FAI or debootstrap and keep wondering why iputils-ping doesn't work for non-root users? This bug causes actual problems with the command, so I think we should really address this issue. I don't see any negative ramifications from adding libcap2-bin to Depends, are there any? Adrian -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaub...@debian.org `. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de `-GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#780721: iputils: Please raise libcap2-bin from Recommends to Depends
(Apologies for the 11 month turn-around!) On Thu, Mar 19, 2015 at 09:59:39AM +0100, John Paul Adrian Glaubitz wrote: > > iputils-ping, as priority "important", cannot declare a dependency > > on libcap2-bin, which is priority "optional". Thus, the Recommends > > relationship. It is perfectly valid to run system with > > iputils-ping installed and setcap2-bin not installed, with no loss > > of functionality. > > Are you sure? systemd in Debian has actually has the priority important > and has libcap2-bin as a dependency: Yes. According to policy (https://www.debian.org/doc/debian-policy/ch-archive.html#s-priorities), "Packages must not depend on packages with lower priority values (excluding build-time dependencies). In order to ensure this, the priorities of one or more packages may need to be adjusted." I don't see a bug against systemd for this, but there probably should be one. Either that or we should amend policy to remove this requirement, but I suspect that the ramifications of that would far-reaching. noah signature.asc Description: Digital signature
Bug#780721: iputils: Please raise libcap2-bin from Recommends to Depends
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 03/19/2015 04:24 AM, Noah Meyerhans wrote: iputils-ping, as priority important, cannot declare a dependency on libcap2-bin, which is priority optional. Thus, the Recommends relationship. It is perfectly valid to run system with iputils-ping installed and setcap2-bin not installed, with no loss of functionality. Are you sure? systemd in Debian has actually has the priority important and has libcap2-bin as a dependency: root@z6:~# apt-cache depends systemd |grep libcap2-bin Depends: libcap2-bin root@z6:~# apt-cache show systemd |grep Priority Priority: important root@z6:~# apt-cache show libcap2-bin |grep Priority Priority: optional root@z6:~# This also seems to be the reason why it doesn't affect the default installation which pulls in systemd and therefore libcap2-bin. However, in my use case, I am creating a PXE installation environment for use with FAI which is booted with sysvinit and systemd is available on the installed system only. The iputils-ping postinst script takes care to handle the case where setcap is either not available or not functional (due e.g. to running on a filesystem that doesn't support capabilities. In such a case, it falls back to setting the setuid bit on the binary, which allows non-root users to run the program. The code in question: if command -v setcap /dev/null; then if setcap cap_net_raw+ep /bin/ping cap_net_raw+ep /bin/ping6; then echo Setcap worked! Ping(6) is not suid! else echo Setcap failed on /bin/ping, falling back to setuid 2 If this isn't working for you, you'll need to send some more details about your system. The output from the postinst script may be helpful (even though it shouldn't actually be there; see Bug #757433) I'm debugging this right now trying to create a minimal example which triggers the problem. Adrian - -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaub...@debian.org `. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de `-GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913 -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJVCo/7AAoJEHQmOzf1tfkT5RkQAMl5GL2idCThoNb1kpSDq8Ly 1U/uPYmz39lE9XiuL3thKPxm5jjg9TUZtpcplMDkLWUzZOow1FutSHXPYq7PK147 /tvSG+qYw9fyT+qMCM9eyiHPFMm9xgyfCIlVZHW6npsxWzJdRx8w24Vk0yqk1AJM 8+ks7SH2P7JFlGVnj3+SrZ/yANamAZEiQPDFwJPjom8y3k351iuiw4yGpv1eQCc2 Tgp+p1zTPuAe+I6j2zzn8FxU91L+ylfsg/1iJOu/OZ9WYnoIf4oUPjvd7QEJ28Uh +saJAUE+b+Fsx8bd434JFlDJCiTciZPbAng9bSSXCypOY35oXlCPR9ZeMMUtpl6N JzOQrK9a351HrJhROqcNFQs9U7eMN3Mqwea/X2FdeMfPt2GVPCVQVnFUndeL1Sun zHANMnK7iykCXL0nBuvjYVc5+zYkbdfl42GjTHXvzOEl6vLr2zrRzMnEScoKB6cp neKIBYEU1gQkWqLniaAOjYU8ybjks7E+6yDLqrMP6Oszmev1UgxDWR0ihpKvyMhK Nffj9Nvz//+beRpkWSvi0dQEje6aTW78bVxw+7vgP34cfvxwhL2ZT3O2ZoSa/ELA ufQsS/behIl8swB3T71t/M9qSRFUyKuFYECuO5pfJLgxVXt7UiZTd/+cV3eNSnnq GBN7aC2on6J/drJzDQl6 =TO86 -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#780721: iputils: Please raise libcap2-bin from Recommends to Depends
Source: iputils Version: 3:20121221-5 Severity: normal Hello! The new version of iputils in Jessie uses capabilities instead of set-uid to gain the necessary priviliges to send ICMP requests. While this is a great improvement with regards to security, it currently may lead to rendering the ping and arping commands unusable for non-root users. This happens because the necessary package, libcap2-bin, which is required to properly configure the iputils package to use capabilities is currently set as Recommends in debian/control rather than a Depends. However, in many cases such as when using debootstrap (which is also used by FAI, for example), 'apt-get install' is run using the --no-install-recommends option which means the 'ping' command is installed such that it can be used by root only. In order to fix this, one has to manually install the libcap2-bin package and re-run 'dpkg-reconfigure iputils-ping' command, for example. Just adding the libcap2-bin package to the list of packages for debootstrap does not fix the problem. Thus, in order to avoid problems in environments where 'apt-get install' is run with the '--no-install-recommends' option, I would like you to ask to add libcap2-bin to Depends rather than Recommends in debian/control. Thanks, Adrian -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#780721: iputils: Please raise libcap2-bin from Recommends to Depends
On Wed, Mar 18, 2015 at 12:12:48PM +0100, John Paul Adrian Glaubitz wrote: The new version of iputils in Jessie uses capabilities instead of set-uid to gain the necessary priviliges to send ICMP requests. While this is a great improvement with regards to security, it currently may lead to rendering the ping and arping commands unusable for non-root users. iputils-ping, as priority important, cannot declare a dependency on libcap2-bin, which is priority optional. Thus, the Recommends relationship. It is perfectly valid to run system with iputils-ping installed and setcap2-bin not installed, with no loss of functionality. The iputils-ping postinst script takes care to handle the case where setcap is either not available or not functional (due e.g. to running on a filesystem that doesn't support capabilities. In such a case, it falls back to setting the setuid bit on the binary, which allows non-root users to run the program. The code in question: if command -v setcap /dev/null; then if setcap cap_net_raw+ep /bin/ping cap_net_raw+ep /bin/ping6; then echo Setcap worked! Ping(6) is not suid! else echo Setcap failed on /bin/ping, falling back to setuid 2 If this isn't working for you, you'll need to send some more details about your system. The output from the postinst script may be helpful (even though it shouldn't actually be there; see Bug #757433) noah signature.asc Description: Digital signature