user@host:~$ ping google.com
ping: icmp open socket: Operation not permitted
It turns out that while ping used to be suid root to be able to do its raw socket magic, this has not been the case for quite some time. File capabilities are what is used nowadays: instead of handing the whole binary root, only the one capability it actually needs (CAP_NET_RAW, for opening raw ICMP sockets) is attached to the file. This allows for much more fine-grained control over what the binary is allowed to do. And most likely you have this set up on your desktop:
user@host:~$ sudo getcap /bin/ping
[sudo] password for user:
/bin/ping = cap_net_raw+ep
This is cool. But if you compile the kernel yourself there are some options that you need to enable for file system capabilities to work. These turn out to be:
- extended attributes (e.g. CONFIG_EXT2_FS_XATTR, CONFIG_EXT3_FS_XATTR; ext4 as of 4.1.0-rc5 has no such option because extended attribute support is always compiled in)
- security labels (e.g. CONFIG_EXT2_FS_SECURITY, CONFIG_EXT3_FS_SECURITY, CONFIG_EXT4_FS_SECURITY)
The "extended attributes" part was easy. But it was not obvious to me that I need to enable "Ext4 Security Labels". The reason is that setcap stores the capability set in the security.capability extended attribute, and the *_FS_SECURITY options are what register the security.* attribute namespace on that filesystem; without them the attribute can neither be written by setcap nor read by the kernel at exec time, so the capabilities simply never take effect.
In case you were running a system w/o support for filesystem capabilities and want to fix ping after you rebuilt the kernel with capabilities, this is what you want:
sudo setcap cap_net_raw+ep /bin/ping
Afterwards getcap /bin/ping should report cap_net_raw+ep again. If setcap instead fails with "Operation not supported", the filesystem (or the kernel it runs on) still lacks support for the security.* attribute namespace, which is exactly the kernel option described above. Most likely obvious, but figuring out what I need to enable in the kernel took me some time. Maybe it helps someone.
P.S. The debian package that contains the setcap and getcap binaries is libcap2-bin.
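To see what setcap actually puts on disk (and why the security.* namespace matters), here is an added example that decodes the security.capability extended attribute by hand. It is not code from the original post or from libcap; it follows the struct vfs_cap_data / vfs_ns_cap_data layout from <linux/capability.h>, uses a constructed sample blob for cap_net_raw+ep, and its getcap-style formatting is a simplified rendering rather than libcap's cap_to_text. The function names (decode_vfs_cap, format_caps, read_file_caps) are my own.

```python
"""Decode the security.capability xattr that setcap writes.

Added example, not code from the original post. Layout per
<linux/capability.h>: a little-endian u32 "magic" (top byte = revision,
bit 0 = effective flag), then (permitted, inheritable) u32 pairs, and for
revision 3 a trailing u32 rootid (the user namespace root that owns it).
"""
import errno
import os
import struct

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
# revision -> (number of permitted/inheritable u32 pairs, exact blob size);
# the kernel rejects blobs whose size does not match the revision exactly.
VFS_CAP_LAYOUT = {1: (1, 12), 2: (2, 20), 3: (2, 24)}

# Capability numbers from <linux/capability.h>; list index == cap value.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]


def _bits_to_names(mask):
    """Turn a 64-bit capability mask into a set of cap_* names."""
    return {("cap_" + CAP_NAMES[i]) if i < len(CAP_NAMES) else "cap_%d" % i
            for i in range(64) if mask & (1 << i)}


def decode_vfs_cap(data):
    """Parse raw security.capability bytes; raises ValueError if malformed."""
    if len(data) < 4:
        raise ValueError("xattr too short for magic word")
    magic = struct.unpack_from("<I", data, 0)[0]
    revision = (magic & VFS_CAP_REVISION_MASK) >> 24
    if revision not in VFS_CAP_LAYOUT:
        raise ValueError("unknown vfs_cap_data revision %d" % revision)
    pairs, size = VFS_CAP_LAYOUT[revision]
    if len(data) != size:
        raise ValueError("revision %d needs %d bytes, got %d" % (revision, size, len(data)))
    permitted = inheritable = 0
    for n in range(pairs):  # low u32 first, then high u32 (caps 32..63)
        p, i = struct.unpack_from("<II", data, 4 + 8 * n)
        permitted |= p << (32 * n)
        inheritable |= i << (32 * n)
    rootid = struct.unpack_from("<I", data, 4 + 8 * pairs)[0] if revision == 3 else 0
    return {
        "revision": revision,
        # A single bit: if set, the whole permitted set becomes effective on exec.
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _bits_to_names(permitted),
        "inheritable": _bits_to_names(inheritable),
        "rootid": rootid,
    }


def format_caps(caps):
    """Simplified getcap-style text such as 'cap_net_raw+ep' (groups caps by flags)."""
    flags_by_cap = {}
    for name in caps["permitted"] | caps["inheritable"]:
        flags = ""
        if caps["effective"] and name in caps["permitted"]:
            flags += "e"
        if name in caps["inheritable"]:
            flags += "i"
        if name in caps["permitted"]:
            flags += "p"
        flags_by_cap[name] = flags
    groups = {}
    for name, flags in flags_by_cap.items():
        groups.setdefault(flags, []).append(name)
    return " ".join(",".join(sorted(names)) + "+" + flags
                    for flags, names in sorted(groups.items()))


def read_file_caps(path):
    """Read and decode security.capability from a real file (Linux only).

    Returns None when the file has no capability xattr. ENOTSUP means the
    filesystem (or kernel) does not support the security.* namespace, which
    is exactly the missing *_FS_SECURITY option discussed in the post.
    """
    try:
        raw = os.getxattr(path, "security.capability")
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return decode_vfs_cap(raw)


# Constructed sample: what `setcap cap_net_raw+ep` writes (revision 2,
# effective bit set, CAP_NET_RAW == 13 in the low u32, nothing inheritable).
PING_CAPS = struct.pack("<IIIII", 0x02000000 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 13, 0, 0, 0)

if __name__ == "__main__":
    print("constructed blob:", format_caps(decode_vfs_cap(PING_CAPS)))
    for path in ("/bin/ping", "/usr/bin/ping"):
        if os.path.exists(path):
            live = read_file_caps(path)
            print(path, "=", format_caps(live) if live else "(no security.capability xattr)")
```

Run it as root, or on a binary you can read the attribute from, and compare the output with `getcap`; a None result from read_file_caps on a file you just ran setcap on points at the filesystem rather than at the binary.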