ping as non-root fails due to missing capabilities #143
Comments
I quickly tried to figure out what the problem is. On my Debian/bookworm system,
❯ sudo getcap /usr/bin/ping
/usr/bin/ping cap_net_raw=ep
ping on Grml has no capabilities set, but according
root@grml ~ # getcap /usr/bin/ping
root@grml ~ #
root@grml ~ # cat /var/lib/dpkg/info/iputils-ping.postinst
#!/bin/sh
set -e
PROGRAM=$(dpkg-divert --truename /bin/ping)
if [ "$1" = configure ]; then
    # If we have setcap installed, try setting cap_net_raw+ep,
    # which allows us to install our binaries without the setuid
    # bit.
    if command -v setcap > /dev/null; then
        if setcap cap_net_raw+ep $PROGRAM; then
            chmod u-s $PROGRAM
        else
            echo "Setcap failed on $PROGRAM, falling back to setuid" >&2
            chmod u+s $PROGRAM
        fi
    else
        echo "Setcap is not installed, falling back to setuid" >&2
        chmod u+s $PROGRAM
    fi
fi
[...]
FTR, setting the capabilities manually fixes the problem (obviously):
root@grml ~ # setcap cap_net_raw+ep /usr/bin/ping
root@grml ~ # su - grml
grml@grml ~ % ping grml.org
PING grml.org (202.61.209.101) 56(84) bytes of data.
64 bytes from web.grml.org (202.61.209.101): icmp_seq=1 ttl=63 time=16.5 ms
^C
--- grml.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 16.537/16.537/16.537/0.000 ms
I didn't try it yesterday, but FTR:
root@grml ~ # apt update
[...]
root@grml ~ # apt reinstall iputils-ping
[...]
root@grml ~ # su - grml
grml@grml ~ % ping grml.org
PING grml.org (202.61.209.101) 56(84) bytes of data.
64 bytes from web.grml.org (202.61.209.101): icmp_seq=1 ttl=63 time=17.3 ms
^C
--- grml.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 17.252/17.252/17.252/0.000 ms
grml@grml ~ % sudo getcap /usr/bin/ping
/usr/bin/ping cap_net_raw=ep
So, it seems ping and the package itself is fine, but the
Thanks for looking into this. I tried to reproduce it, though it works fine and as expected both in my local builds as well as in our daily ISOs. Feels to me like it's failing somewhere in our actual release builds where we use
I tracked down the underlying issue, interesting one! 🤓 Good news: it's unrelated to the involved software versions (grml-live, squashfs-tools, fai-client, xorriso,…). STR:
To make it more obvious, it's failing due to the way our basefile gets generated:
So the problem is that in the created basefile the capabilities aren't stored. Why wasn't this reproducible for us?
Solutions:
To speed up the builds, I'll go for option and re-build our basefiles, and also update our documentation accordingly.
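A build-time check for the failure described in this thread, as an added example (not Grml's or Debian's code): it classifies ping the way the postinst quoted above leaves it, with either the cap_net_raw file capability or the setuid fallback, and fails when neither survived image creation. The function names, the root-directory argument and the use of GNU `stat -c` are assumptions; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: verify that ping kept the privileges the iputils-ping
# postinst gives it (cap_net_raw+ep, or setuid root as the fallback).

# classify_privs GETCAP_LINE OCTAL_MODE OWNER_UID
# Prints one of: capability | setuid | unprivileged
classify_privs() {
    caps=$1; mode=$2; uid=$3
    # Newer libcap prints "file cap_net_raw=ep", older "file = cap_net_raw+ep".
    case "$caps" in
        *cap_net_raw*[=+]e*p*) echo capability; return 0 ;;
    esac
    # The setuid bit only helps when the file is owned by root.
    if [ "$uid" = 0 ]; then
        case "$mode" in
            [4567]???) echo setuid; return 0 ;;
        esac
    fi
    echo unprivileged
}

# audit_ping [ROOT]
# ROOT is an unpacked basefile or chroot (hypothetical argument); empty
# means the running system. Returns 0 if ping can open a raw socket as a
# non-root user, 1 if it cannot, 2 if the binary is missing.
audit_ping() {
    bin="${1:-}/usr/bin/ping"
    [ -e "$bin" ] || { echo "missing: $bin" >&2; return 2; }
    # getcap prints nothing when no capability xattr is stored on the file.
    caps=$(getcap "$bin" 2>/dev/null) || caps=""
    mode=$(stat -c %a "$bin"); uid=$(stat -c %u "$bin")
    state=$(classify_privs "$caps" "$mode" "$uid")
    echo "$bin: $state"
    [ "$state" != unprivileged ]
}

# Constructed samples: working system, capability lost, setuid fallback.
classify_privs "/usr/bin/ping cap_net_raw=ep" 755 0
classify_privs "" 755 0
classify_privs "" 4755 0
```

Running `audit_ping /path/to/unpacked/root` after unpacking a basefile and again on the finished image shows at which step the capability was dropped.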
Current daily ISO of grml:
Might be worth fixing this for new stable release?