Upgrade ping to latest version that doesn't require SUID or NET_RAW capability

Bug #1588917 reported by Ricardo
Affects: iputils (Ubuntu)
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

The latest version of iputils has the option of using SOCK_DGRAM packets instead of SOCK_RAW, provided that the net.ipv4.ping_group_range sysctl is set to a different value. This helps a lot with security in (not just) Linux containers by dropping support for the NET_RAW capability.

Also, the ubuntu-minimal packages should not include this package as a hard dependency, in case I want to uninstall iputils-ping to substitute it for another package like oping, which just works if I turn off the setuid bit.

This would help a lot with secure Linux containers with no NET_RAW capabilities.
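The mechanism the report depends on, as an added example that is not from the bug report or from iputils: a small Linux C program that parses net.ipv4.ping_group_range, checks whether the caller's gid is inside it, tries to open an IPPROTO_ICMP datagram socket (the SOCK_DGRAM mode that needs no CAP_NET_RAW), and builds an echo request for it. It assumes Linux; the function and enum names are this example's own.

```c
/* Added example, not code from the bug report or from iputils.
 * Probes whether unprivileged ICMP echo ("ping") sockets are usable on
 * this Linux host; function and enum names are this example's own. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define PING_GROUP_RANGE_PATH "/proc/sys/net/ipv4/ping_group_range"

/* Parse the sysctl text ("low<tab>high\n") and report whether gid is inside
 * the range. The upstream kernel default "1 0" is an empty range: nobody may
 * open an unprivileged ICMP socket, so ping still needs CAP_NET_RAW/setuid. */
int ping_group_allows(const char *range, gid_t gid)
{
    unsigned long low, high;
    if (!range || sscanf(range, "%lu %lu", &low, &high) != 2)
        return 0;                       /* unreadable or malformed: denied */
    if (low > high)
        return 0;                       /* empty range */
    return gid >= low && gid <= high;
}

/* Read the live sysctl value into buf; returns 1 on success, 0 otherwise. */
int read_ping_group_range(char *buf, size_t len)
{
    FILE *f = fopen(PING_GROUP_RANGE_PATH, "r");
    if (!f)
        return 0;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    return ok;
}

enum icmp_probe {
    PROBE_OK = 0,          /* opened without any capability */
    PROBE_DENIED = 1,      /* EACCES: caller's gid is outside ping_group_range */
    PROBE_UNSUPPORTED = 2, /* kernel does not offer ICMP datagram sockets */
    PROBE_OTHER = 3        /* e.g. a seccomp or LSM policy blocked the call */
};

/* Unlike SOCK_RAW, this socket type is gated on ping_group_range, not on
 * CAP_NET_RAW, so the outcome tells you which of the two the host relies on. */
enum icmp_probe probe_icmp_dgram(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd >= 0) {
        close(fd);
        return PROBE_OK;
    }
    switch (errno) {
    case EACCES:          return PROBE_DENIED;
    case EPROTONOSUPPORT:
    case EAFNOSUPPORT:    return PROBE_UNSUPPORTED;
    default:              return PROBE_OTHER;
    }
}

/* Echo request header for a ping socket: the kernel accepts only type
 * ICMP_ECHO / code 0, overwrites the identifier with the socket's local
 * "port", and fills in the checksum itself, so only the sequence is ours. */
void build_echo_request(struct icmphdr *h, uint16_t seq)
{
    memset(h, 0, sizeof *h);
    h->type = ICMP_ECHO;
    h->code = 0;
    h->un.echo.sequence = htons(seq);
}

int main(void)
{
    char range[64] = "";
    gid_t gid = getgid();
    static const char *verdict[] = {
        "usable without CAP_NET_RAW", "EACCES (gid outside ping_group_range)",
        "not supported by this kernel", "blocked for another reason" };

    if (read_ping_group_range(range, sizeof range))
        printf("%s = %s", PING_GROUP_RANGE_PATH, range);
    else
        printf("%s unreadable\n", PING_GROUP_RANGE_PATH);
    printf("gid %u inside range: %s\n", (unsigned)gid,
           ping_group_allows(range, gid) ? "yes" : "no");
    printf("ICMP datagram socket: %s\n", verdict[probe_icmp_dgram()]);

    /* With a usable socket, one echo request to loopback looks like this. */
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd >= 0) {
        struct icmphdr req;
        struct sockaddr_in dst = { .sin_family = AF_INET };
        inet_pton(AF_INET, "127.0.0.1", &dst.sin_addr);
        build_echo_request(&req, 1);
        if (sendto(fd, &req, sizeof req, 0, (struct sockaddr *)&dst, sizeof dst) < 0)
            perror("sendto");
        else
            puts("echo request sent to 127.0.0.1");
        close(fd);
    }
    return 0;
}
```

Run it as an unprivileged user, once on the host and once inside a container without CAP_NET_RAW: the three-way verdict shows whether a SOCK_DGRAM ping would work there, and the range check tells you whether a failure is a policy choice (the sysctl) rather than a missing kernel feature.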

description: updated
Changed in iputils (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
Seth Arnold (seth-arnold) wrote:

I believe that section of the kernel code has had three user->ring0 vulnerabilities so far. It might be worth waiting a bit longer before enabling its use by default.

Thanks

Ricardo (ricardo-smartmatic) wrote:

I think it should be up to the user to decide whether to enable this by setting the net.ipv4.ping_group_range sysctl.
