The file in cloud image doesn't have the correct capability

Bug #1931550 reported by ethan.hsieh
This bug affects 1 person
Affects: OEM Priority Project | Importance: Undecided | Assigned to: ethan.hsieh
Affects: cloud-images | Importance: Undecided | Assigned to: Unassigned

Bug Description

The file (/bin/ping) in the cloud image doesn't have the correct capability (cap_net_raw+ep).

Reproduction steps:

$ mkdir root && cd root
$ wget https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-arm64-root.tar.xz
$ sudo tar --xattrs -Jxf focal-server-cloudimg-arm64-root.tar.xz
$ cd -
$ sudo chroot root
root@ubuntu-focal:/# getcap /bin/ping
# Prints nothing.

ping is supposed to have cap_net_raw+ep:
root@ubuntu-focal:/# getcap /bin/ping
/bin/ping = cap_net_raw+ep

The postinst script in iputils-ping should set the capability on /bin/ping.

Changed in oem-priority:
assignee: nobody → ethan.hsieh (ethan.hsieh)
tags: added: oem-priority originate-from-1924744

Joshua Powers (powersj) wrote :

Was this ever working and what is this breaking?

Are you only seeing this on arm64?

Changed in cloud-images:
status: New → Incomplete

Joshua Powers (powersj) wrote :

I see the same issue on amd64 tarball, but if I launch an actual cloud image I see the correct capabilities.

ethan.hsieh (ethan.hsieh) wrote :

@Joshua

The issue is reported by QA.
They ran tests with sudo, so they weren't aware of this issue.
My projects are ARM-based systems. I'm not sure if the issue only happens on arm64.

Is there any difference between the amd64 tarball and the actual cloud image?

A normal user will get the permission issue when executing ping with the "-I" parameter:

$ getcap ./ping

$ ./ping 8.8.8.8 -c 2 -w 3 -Iwlp1s0
./ping: SO_BINDTODEVICE wlp1s0: Operation not permitted

$ ./ping 8.8.8.8 -c 2 -w 3
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=14.7 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=10.00 ms

$ sudo ./ping 8.8.8.8 -c 2 -w 3 -Iwlp1s0
PING 8.8.8.8 (8.8.8.8) from 192.168.1.106 wlp1s0: 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=9.51 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=9.37 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 9.365/9.436/9.507/0.071 ms

Joshua Powers (powersj) wrote :

Thanks

1. When did this last work?

2. Your command above shows `./ping`; is that `/bin/ping` or are you executing something else?

ethan.hsieh (ethan.hsieh) wrote :

@Joshua

1. Sorry. I have no idea. Need to check old images in https://cloud-images.ubuntu.com/.
2. /bin/ping on my laptop has the correct capability.
./ping without cap_net_raw+ep is for showing you the symptom.
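
The thread leaves open whether the tarball itself lacks the capability or whether it is lost when the archive is unpacked. The following added example (not part of the bug report or of Ubuntu's tooling) reads the stored `security.capability` record straight from the archive, without extracting, and decodes it. It assumes the archive was written by GNU tar with `--xattrs`, which records xattrs as `SCHILY.xattr.*` pax headers, and that ping is stored as `usr/bin/ping` or `bin/ping`; `build_sample` creates a constructed archive for demonstration.

```python
import io
import struct
import tarfile

XATTR_KEY = "SCHILY.xattr.security.capability"  # pax record GNU tar writes for this xattr
CAP_NET_RAW = 13                 # bit number, linux/capability.h
VFS_CAP_FLAGS_EFFECTIVE = 0x1    # "e" flag, stored in magic_etc


def decode_vfs_cap(raw: bytes) -> dict:
    """Decode struct vfs_cap_data (little-endian) from a security.capability xattr."""
    magic, perm_lo, inh_lo = struct.unpack_from("<III", raw)
    # Revisions 2 and 3 carry a second 32-bit word for capabilities 32..63.
    perm_hi, inh_hi = struct.unpack_from("<II", raw, 12) if len(raw) >= 20 else (0, 0)
    return {
        "revision": magic >> 24,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": perm_lo | (perm_hi << 32),
        "inheritable": inh_lo | (inh_hi << 32),
    }


def tarball_caps(fileobj, wanted=("bin/ping", "usr/bin/ping")) -> dict:
    """Return {member: decoded capability, or None when the archive stores none}."""
    found = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            name = member.name.removeprefix("./")
            if name not in wanted:
                continue
            value = member.pax_headers.get(XATTR_KEY)
            # tarfile decodes pax values to str; surrogateescape restores the raw bytes.
            raw = None if value is None else value.encode("utf-8", "surrogateescape")
            found[name] = decode_vfs_cap(raw) if raw else None
    return found


def build_sample(with_cap: bool) -> io.BytesIO:
    """Constructed sample archive (not the real image): one empty usr/bin/ping entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        info = tarfile.TarInfo("./usr/bin/ping")
        if with_cap:  # revision 2, effective flag, permitted = cap_net_raw
            raw = struct.pack("<IIIII", 0x02000001, 1 << CAP_NET_RAW, 0, 0, 0)
            info.pax_headers = {XATTR_KEY: raw.decode("latin-1")}
        tar.addfile(info)
    buf.seek(0)
    return buf


def has_net_raw_ep(cap) -> bool:
    return bool(cap and cap["effective"] and cap["permitted"] >> CAP_NET_RAW & 1)
```

To check a downloaded image, pass the opened file in binary mode, for example `tarball_caps(open("focal-server-cloudimg-arm64-root.tar.xz", "rb"))`. A `None` result means the archive stores no capability for that member, so the gap is in the image contents and not in how it was extracted.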
