[TriLUG] icmp as non-root (on Mandrake)

Jon Carnes jonc at nc.rr.com
Tue Sep 28 09:20:22 EDT 2004


On Tue, 2004-09-28 at 08:53, Tanner Lovelace wrote:
> > 
> > If you want ping to work as a user then:
> > chmod u+s /bin/ping
> > 
> > Of course I'm betting that MSEC will change it back unless you edit the
> > file: /usr/share/msec/perm.<msec level>
> 
> Please don't edit these files.  Besides changing msec's idea of defaults,
> you run the risk of having your modifications undone if you upgrade msec.
> Instead, you can add it to your local perm.local file in
> /etc/security/msec/perm.local.
> 
> If you do the command "grep ping /usr/share/msec/perm.?" you get this:
> 
> perm.0:/bin/ping    root.root     4755
> perm.1:/bin/ping    root.root     4755
> perm.2:/bin/ping    root.root     4755
> perm.3:/bin/ping    root.root     4755
> perm.4:/bin/ping    root.ntools   4750
> perm.5:/bin/ping    root.ntools   4750
> 

Oops!  My bad. You are definitely right. Folks should NOT edit the
default MSEC files.

Thanks for catching that Tanner.

As it turns out though, MSEC only issues a warning about it and doesn't
change ping back. So if you can live with a one-time warning from MSEC
then don't worry about this part at all.

> So, take the line from perm.[0123] and add that to /etc/security/msec/perm.local
> if you really want to change it back.  
> 
> Alternatively, and a more secure option, would be to add the users you want
> to be able to use ping, and other network tools, to the ntools group.  At higher
> msec levels you can separate out privileges like that with groups.  There are
> groups for network tools which include the use of programs like ping, finger,
> ssh, telnet, w, who, and traceroute.

I'm running MSEC level 4 on my servers so I did need to add my username
to the ntools group before I could ping.  So that restriction of MSEC
continues to work even once ping is set-uid root. Indeed, ping will not
work *period* for a user unless it is set-uid root.

Note: if you are running MSEC at lower levels you don't need to add the
user to the ntools group, but you still need to set-uid root on /bin/ping.

> I would suggest looking into this option before trying to modify file
> permissions.  The permissions were set that way for a good reason and you
> should think about the ramifications of those reasons before just changing
> them back.
> 

I thought a lot about this and the only explanation I can gedanken is
that they don't want (non-root) trojans to have access to icmp via ping.
Still Mandrake has fping which comes set-uid root and works fine for
users - so maybe the thought is that you simply need to obscure an
application that has set-uid root and can use icmp freely?

Anyway... Thank God it's open source and we can easily change it to
match our needs!

Jon Carnes
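An added example, not part of Jon's or Tanner's messages, that turns the two recommendations in the thread into checkable shell functions: composing the /bin/ping entry for /etc/security/msec/perm.local from the per-level values in Tanner's grep output, adding it only once, checking whether a user is already in the ntools group, and comparing a binary's actual owner and mode against the expected entry. It assumes GNU stat (the -c format), the three-column "<path> <owner.group> <mode>" perm file layout shown in the thread, and a standard /etc/group layout; the group file and perm.local paths are passed in so the functions can be exercised against constructed files without touching the real system.

```shell
#!/bin/sh
# Added example, not from the TriLUG thread. Assumes GNU coreutils stat and the
# "<path> <owner.group> <mode>" perm file format quoted by Tanner.

# Return the /bin/ping perm.local entry matching a given msec level (0-5),
# using the values from Tanner's "grep ping /usr/share/msec/perm.?" output:
# levels 0-3 are world-executable setuid root, 4-5 restrict it to group ntools.
ping_perm_line() {
    level="$1"
    case "$level" in
        0|1|2|3) printf '%s\n' '/bin/ping root.root 4755' ;;
        4|5)     printf '%s\n' '/bin/ping root.ntools 4750' ;;
        *)       echo "unknown msec level: $level" >&2; return 1 ;;
    esac
}

# Append a perm entry to the given perm.local file unless an identical line
# is already present, so repeated runs do not pile up duplicate entries.
add_perm_local() {
    permlocal="$1"; line="$2"
    grep -qxF -- "$line" "$permlocal" 2>/dev/null || printf '%s\n' "$line" >> "$permlocal"
}

# Succeed (exit 0) if the user is listed as a member of the named group in an
# /etc/group-style file; this is what "add the user to ntools" has to achieve
# before ping works at msec level 4 or 5.
user_in_group() {
    user="$1"; group="$2"; groupfile="$3"
    awk -F: -v u="$user" -v g="$group" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$groupfile"
}

# Compare a file's current owner.group and octal mode (setuid bit included)
# with an expected perm entry; prints "ok" or "mismatch: <actual>".
perm_matches() {
    path="$1"; expect_og="$2"; expect_mode="$3"
    actual=$(stat -c '%U.%G %04a' "$path") || return 1
    [ "$actual" = "$expect_og $expect_mode" ] && echo ok || echo "mismatch: $actual"
}
```

Typical use on a level-4 box would be `add_perm_local /etc/security/msec/perm.local "$(ping_perm_line 4)"` as root, then `user_in_group "$USER" ntools /etc/group` and `perm_matches /bin/ping root.ntools 4750` to confirm both halves are in place; a `mismatch:` result after an msec run is the one-time warning Jon mentions, made visible.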