iputils 3:20240905-1 doesn't work for unprivileged users
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
iputils (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
iputils-ping 3:20240905-1 removed the setcap from the binary, under the assumption that you don't need special privileges to open ICMP sockets (as introduced in 2011 in the kernel). However, that only is true if you have "net.ipv4.
So far, we didn't configure this variable in Ubuntu, resulting in the default value of "0 1", which only allows root to open those sockets.
However, that could/should change with the latest merge of linux-base, which brought in linux-sysctl-
```
# System Request functionality of the kernel (SYNC)
#
# Use kernel.sysrq = 1 to allow all keys.
# See https:/
# of values and keys.
kernel.sysrq = 0x01b6
# Append the PID to the core filename
kernel.
# Source route verification
net.ipv4.
net.ipv4.
-net.ipv4.
# Do not accept source routing
net.ipv4.
net.ipv4.
-net.ipv4.
# Promote secondary addresses when the primary address is removed
net.ipv4.
net.ipv4.
-net.ipv4.
# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
# The upper limit is set to 2^31-1. Values greater than that get rejected by
# the kernel because of this definition in linux/include/
# #define GID_T_MAX (((gid_t)~0U) >> 1)
# That's not so bad because values between 2^31 and 2^32-1 are reserved on
# systemd-based systems anyway: https:/
-net.ipv4.
# Fair Queue CoDel packet scheduler to fight bufferbloat
-net.core.
# Enable hard and soft link protection
fs.protected_
fs.protected_
# Enable regular file and FIFO protection
fs.protected_
fs.protected_fifos = 1
```
That new package is already in systemd's Recommends (has been there since Oracular, see bug 2089759).
In parallel, procps in Debian has removed /etc/sysctl.conf entirely, and now also Recommends linux-sysctl-
To add to the fun, despite the systemd Recommends, linux-sysctl-