Bug 698662 - net-analyzer/fping : Add filecaps support
Summary: net-analyzer/fping : Add filecaps support
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Netmon project
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2019-10-27 15:55 UTC by Nils Freydank
Modified: 2020-02-03 18:15 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
modify ebuild for fping-4.2 to unconditionally use cap_net_raw instead of conditionally s-uid root (fping-4.2.diff,704 bytes, patch)
2020-02-03 05:50 UTC, Ken Pizzini

Description Nils Freydank 2019-10-27 15:55:30 UTC
Hi,

File-based capabilities can be considered a small security improvement over full root access through suid.

Upstream[1] supports this as well, other distributions like archlinux[2]
use it, too.

[1] https://github.com/schweikert/fping/blob/develop/README.md#installation
[2] https://git.archlinux.org/svntogit/packages.git/tree/trunk/fping.install?h=packages/fping#n2


I’ll file a "pull request" on github.com in a few seconds.

Kind regards,
Nils
Comment 1 Ken Pizzini 2020-02-03 05:50:48 UTC
Created attachment 611166 [details, diff]
modify ebuild for fping-4.2 to unconditionally use cap_net_raw instead of conditionally s-uid root

Since ping from iputils unconditionally installs as cap_net_raw+ep, I don't see why fping doesn't also (i.e., without any special USE flag).  With this change, the value of USE=suid becomes questionable (I think honoring fping's restrictions on -i, -p, -f for non-root users is fine).
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2020-02-03 18:04:32 UTC
Comment on attachment 611166 [details, diff]
modify ebuild for fping-4.2 to unconditionally use cap_net_raw instead of conditionally s-uid root

>--- fping-4.2.ebuild	2020-01-27 11:31:59.227220744 -0800
>+++ fping-4.2-r1.ebuild	2020-02-02 21:43:48.018154149 -0800
>@@ -10,7 +11,8 @@
> LICENSE="fping"
> SLOT="0"
> KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux ~x86-macos"
>-IUSE="ipv6 suid"
>+IUSE="ipv6"
>+FILECAPS=( cap_net_raw+ep sbin/fping )
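Review bot: The path in `FILECAPS=( cap_net_raw+ep sbin/fping )` does not match the install location shown elsewhere in this patch: the removed `fperms u+s /usr/sbin/fping` line in the next hunk puts the binary at /usr/sbin/fping, so the entry should read usr/sbin/fping, otherwise it does not refer to the file the ebuild installs. The hunk header (-10,7 +11,8) also shows one line added above this hunk that is not quoted here; if that line is not the inherit of the eclass that consumes FILECAPS, the variable is set but never acted on. Dropping suid from IUSE in the same step removes the only user-selectable alternative and should be called out in the commit message.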

usr/sbin/fping I think?

>@@ -22,8 +24,4 @@
> 
> src_install() {
> 	default
>-
>-	if use suid ; then
>-		fperms u+s /usr/sbin/fping
>-	fi
> }
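Review bot: With the `if use suid` block removed, src_install() has no visible fallback for the case where cap_net_raw cannot be set on the installed file (for example on a filesystem without extended attribute support), which would leave fping unable to open its raw socket for non-root users. State in the ebuild which fallback applies in that case, or keep a set-uid path for it. What remains of src_install() only calls `default`, so the function can likely be dropped altogether.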

What if fcaps fails?
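A post-install check for the question raised in the comment above, added here as an example that is not part of the bug report or of the Gentoo ebuild: it decodes the `security.capability` extended attribute and the file mode to report whether a binary ended up with cap_net_raw+ep, set-uid root, both, or neither. The function names and the sample bytes are constructed for illustration; the attribute layout assumed is the kernel's `vfs_cap_data` (revisions 1 to 3).

```python
import os
import stat
import struct

CAP_NET_RAW = 13                       # bit number from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision magic -> number of 32-bit words per capability set
WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}


def decode_file_caps(raw):
    """Decode a security.capability value into (permitted, inheritable, effective)."""
    if len(raw) < 4:
        raise ValueError("security.capability value too short")
    (magic,) = struct.unpack_from("<I", raw, 0)
    words = WORDS.get(magic & VFS_CAP_REVISION_MASK)
    if words is None or len(raw) < 4 + 8 * words:
        raise ValueError("unrecognised security.capability value")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return permitted, inheritable, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def classify(mode, owner_uid, cap_xattr):
    """Return 'both', 'setuid-root', 'cap_net_raw' or 'none' for one binary."""
    suid_root = bool(mode & stat.S_ISUID) and owner_uid == 0
    has_net_raw = False
    if cap_xattr:
        permitted, _, effective = decode_file_caps(cap_xattr)
        has_net_raw = effective and bool(permitted >> CAP_NET_RAW & 1)
    if suid_root and has_net_raw:
        return "both"
    if suid_root:
        return "setuid-root"
    return "cap_net_raw" if has_net_raw else "none"


def inspect(path):
    """Classify a file on disk (Linux only)."""
    st = os.stat(path)
    try:
        raw = os.getxattr(path, "security.capability")
    except OSError:                    # attribute absent or xattrs unsupported
        raw = None
    return classify(st.st_mode, st.st_uid, raw)


# Constructed sample: the attribute bytes for cap_net_raw+ep, revision 2 layout.
SAMPLE_NET_RAW_EP = struct.pack("<IIIII", 0x02000000 | 1, 1 << CAP_NET_RAW, 0, 0, 0)
```

A result of "none" after installation means neither mechanism was applied and unprivileged users cannot run the tool; "both" means the set-uid bit is still granting full root alongside the capability.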
Comment 3 Larry the Git Cow gentoo-dev 2020-02-03 18:15:38 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=623d1e0b9b697f886abfd52e0a48796107198c96

commit 623d1e0b9b697f886abfd52e0a48796107198c96
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-02-03 18:10:53 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-02-03 18:15:34 +0000

    net-analyzer/fping: Add USE=filecaps, fping6 > fping symlink
    
    Bug #698662:
    - Use filecaps.eclass to set cap_net_raw
    
    Bug #708020:
    - Create a symlink from /usr/sbin/fping6 -> fping
    - Add upstream patch to fix `fping6 -6 ...`
    
    Package-Manager: Portage-2.3.87, Repoman-2.3.20
    Closes: https://bugs.gentoo.org/698662
    Closes: https://bugs.gentoo.org/708020
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/fping/files/fping-4.2-fping6-6.patch | 21 +++++++++++++
 net-analyzer/fping/fping-4.2-r1.ebuild            | 36 +++++++++++++++++++++++
 2 files changed, 57 insertions(+)