[TriLUG] icmp as non-root (on Mandrake)
jonc at nc.rr.com
Tue Sep 28 09:20:22 EDT 2004
On Tue, 2004-09-28 at 08:53, Tanner Lovelace wrote:
> > If you want ping to work as a user then:
> > chmod u+s /bin/ping
> > Of course I'm betting that MSEC will change it back unless you edit the
> > file: /usr/share/msec/perm.<msec level>
> Please don't edit these files. Besides changing msec's idea of defaults,
> you run the risk of having your modifications undone if you upgrade msec.
> Instead, you can add it to your local perm.local file in
> If you do the command "grep ping /usr/share/msec/perm.?" you get this:
> perm.0:/bin/ping root.root
> perm.1:/bin/ping root.root
> perm.2:/bin/ping root.root
> perm.3:/bin/ping root.root
> perm.4:/bin/ping root.ntools
> perm.5:/bin/ping root.ntools
Oops! My bad. You are definitely right. Folks should NOT edit the
default MSEC files.
Thanks for catching that, Tanner.
As it turns out though, MSEC only issues a warning about it and doesn't
change ping back. So if you can live with a one-time warning from MSEC
then don't worry about this part at all.
> So, take the line from perm. and add that to /etc/security/msec/perm.local
> if you really want to change it back.
> Alternatively, and a more secure option, would be to add the users you want
> to be able to use ping, and other network tools, to the ntools group. At higher
> msec levels you can separate out privileges like that with groups. There are
> groups for network tools which include the use of programs like ping, finger,
> ssh, telnet, w, who, and traceroute.
I'm running MSEC level 4 on my servers so I did need to add my username
to the ntools group before I could ping. So that restriction of MSEC
continues to work even once ping is set-uid root. Indeed, ping will not
work *period* for a user unless it is set-uid root.
Note: if you are running MSEC at lower levels you don't need to add the
user to the ntools group, but you still need to set-uid root on /bin/ping.
> I would suggest looking into this option before trying to modify file
> permissions. The permissions were set that way for a good reason and you
> should think about the ramifications of those reasons before just changing
> them back.
I thought a lot about this and the only explanation I can gedanken is
that they don't want (non-root) trojans to have access to icmp via ping.
Still, Mandrake has fping which comes set-uid root and works fine for
users - so maybe the thought is that you simply need to obscure an
application that has set-uid root and can use icmp freely?
Anyway... Thank God it's open source and we can easily change it to
match our needs!
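The thread contrasts two ways of letting users run ping: a plain `chmod u+s /bin/ping`, which leaves the binary set-uid root and executable by everyone, and the higher msec levels' `root.ntools` ownership, which keeps the set-uid bit but gates execution on group membership. The script below is an added example, not code from the thread or from Mandrake's msec: it classifies a file's mode bits into those two cases and pulls the group out of a perm-style line of the form quoted above (`/bin/ping root.ntools`). Everything it inspects is a constructed scratch file under a temp directory, never the real /bin/ping; the perm.local content is likewise constructed from the line `grep` showed in the post.

```shell
#!/bin/sh
# Added example (not from the original thread): tell a world-executable
# set-uid binary apart from a group-gated one by reading the mode bits.
# All files here are constructed scratch files under a temp dir.

# classify_setuid FILE
#   prints  no-setuid     : set-uid bit clear
#           setuid-group  : set-uid set, 'other' has no execute bit
#                           (the root.ntools arrangement msec uses at levels 4/5)
#           setuid-world  : set-uid set and world-executable
#                           (what a plain "chmod u+s" on a 755 file gives)
classify_setuid() {
    mode=$(stat -c %a "$1") || return 1      # e.g. 4755
    case "$mode" in
        [4567]???) ;;                        # leading digit with bit 4 => set-uid
        *) echo no-setuid; return 0 ;;
    esac
    other=${mode#???}                        # last digit: permissions for everyone else
    case "$other" in
        [1357]) echo setuid-world ;;         # execute bit set for 'other'
        *) echo setuid-group ;;
    esac
}

# perm_group PERMFILE PATH
#   prints the group from a perm-style line "PATH owner.group" as quoted in the post
perm_group() {
    awk -v p="$2" '$1 == p { split($2, og, "."); print og[2]; exit }' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Scratch stand-ins for /bin/ping under each setting (constructed, not real binaries)
printf '#!/bin/sh\n' > "$tmp/ping_plain"; chmod 755  "$tmp/ping_plain"
cp "$tmp/ping_plain" "$tmp/ping_world";   chmod u+s  "$tmp/ping_world"   # the chmod from the thread
cp "$tmp/ping_plain" "$tmp/ping_group";   chmod 4750 "$tmp/ping_group"   # set-uid, but group-gated

# Constructed perm.local-style content using the line grep showed for perm.4/perm.5
cat > "$tmp/perm.local" <<'EOF'
/bin/ping root.ntools
EOF

for f in ping_plain ping_world ping_group; do
    echo "$f: $(classify_setuid "$tmp/$f")"
done
echo "perm.local group for /bin/ping: $(perm_group "$tmp/perm.local" /bin/ping)"
```

Run against a real system, the same `classify_setuid` over `find / -perm -4000` output would list which set-uid binaries are reachable by every local user rather than by a group; that distinction is exactly why the higher msec levels prefer `root.ntools` over a bare `u+s`.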