Hi, file based capabilities can be considered a small security improvement over full root access through suid. Upstream[1] supports this as well, and other distributions like archlinux[2] use it, too.

[1] https://github.com/schweikert/fping/blob/develop/README.md#installation
[2] https://git.archlinux.org/svntogit/packages.git/tree/trunk/fping.install?h=packages/fping#n2

I'll file a "pull request" on github.com in a few seconds.

Kind regards, Nils
Created attachment 611166 [details, diff]
modify ebuild for fping-4.2 to unconditionally use cap_net_raw instead of conditionally s-uid root

Since ping from iputils unconditionally installs as cap_net_raw+ep, I don't see why fping doesn't also (i.e., without any special USE flag). With this change, the value of USE=suid becomes questionable (I think honoring fping's restrictions on -i, -p, -f for non-root users is fine).
Comment on attachment 611166 [details, diff] modify ebuild for fping-4.2 to unconditionally use cap_net_raw instead of conditionally s-uid root >--- fping-4.2.ebuild 2020-01-27 11:31:59.227220744 -0800 >+++ fping-4.2-r1.ebuild 2020-02-02 21:43:48.018154149 -0800 >@@ -10,7 +11,8 @@ > LICENSE="fping" > SLOT="0" > KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux ~x86-macos" >-IUSE="ipv6 suid" >+IUSE="ipv6" >+FILECAPS=( cap_net_raw+ep sbin/fping ) usr/sbin/fping I think? >@@ -22,8 +24,4 @@ > > src_install() { > default >- >- if use suid ; then >- fperms u+s /usr/sbin/fping >- fi > } What if fcaps fails?
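Review bot: the FILECAPS entry in the first hunk names `sbin/fping`, but the block removed in the second hunk shows the binary lives at `/usr/sbin/fping` (`fperms u+s /usr/sbin/fping`), so the capability would be applied to a path that is not installed; it should read `usr/sbin/fping`. The second hunk also deletes the `use suid` fallback outright, which leaves the "What if fcaps fails?" question open: if setting the capability is not possible on the target filesystem, nothing in the quoted diff grants fping raw-socket privilege, so either keep a setuid fallback or make the eclass's behaviour on failure explicit in the ebuild. Finally, the `@@ -10,7 +11,8 @@` offset implies a line added above this context (presumably the eclass inherit that FILECAPS needs), but it is not visible in the quoted hunks and should be part of the review.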
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=623d1e0b9b697f886abfd52e0a48796107198c96

commit 623d1e0b9b697f886abfd52e0a48796107198c96
Author: Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-02-03 18:10:53 +0000
Commit: Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-02-03 18:15:34 +0000

net-analyzer/fping: Add USE=filecaps, fping6 > fping symlink

Bug #698662:
- Use filecaps.eclass to set cap_net_raw

Bug #708020:
- Create a symlink from /usr/sbin/fping6 -> fping
- Add upstream patch to fix `fping6 -6 ...`

Package-Manager: Portage-2.3.87, Repoman-2.3.20
Closes: https://bugs.gentoo.org/698662
Closes: https://bugs.gentoo.org/708020
Signed-off-by: Jeroen Roovers <jer@gentoo.org>

net-analyzer/fping/files/fping-4.2-fping6-6.patch | 21 +++++++++++++
net-analyzer/fping/fping-4.2-r1.ebuild | 36 +++++++++++++++++++++++
2 files changed, 57 insertions(+)
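A post-install check for the point argued above (fping privileged via cap_net_raw+ep rather than the setuid bit) and for the "What if fcaps fails?" question, added here as an example and not part of the bug, the ebuild or the eclass: it classifies a binary from its octal mode and its `getcap` line, so a host can be audited for binaries that silently kept or fell back to setuid root. It assumes GNU `stat -c %a` and libcap's `getcap` on the host; the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example: classify how a binary obtains raw-socket privilege.

# classify_privilege MODE CAPS_LINE
#   MODE      octal mode as printed by `stat -c %a` (e.g. 4711 or 711)
#   CAPS_LINE line printed by `getcap FILE`, or "" when no caps are set.
#             Both libcap output styles are accepted:
#               "/usr/sbin/fping = cap_net_raw+ep"   (older libcap)
#               "/usr/sbin/fping cap_net_raw=ep"     (newer libcap)
# Prints one of: filecaps | setuid | both | none
classify_privilege() {
    mode=$1
    caps=$2
    setuid=0
    hascap=0
    # The setuid bit is the 4 in the leading digit of a 4-digit octal mode;
    # 5, 6 and 7 are setuid combined with sticky and/or setgid.
    case "$mode" in
        [4567]???) setuid=1 ;;
    esac
    # Only count cap_net_raw when it is in the Effective set ('e' after
    # '+' or '='); a permitted-only cap does not grant privilege at exec.
    case "$caps" in
        *cap_net_raw[+=]*e*) hascap=1 ;;
    esac
    if [ "$setuid" = 1 ] && [ "$hascap" = 1 ]; then
        echo both      # caps set AND setuid root: the fallback stacked on top
    elif [ "$hascap" = 1 ]; then
        echo filecaps  # the intended end state of the ebuild change
    elif [ "$setuid" = 1 ]; then
        echo setuid    # full root via suid: what the change is meant to remove
    else
        echo none      # neither; fping will fail to open raw sockets as a user
    fi
}

# audit_binary PATH - run the real tools on an installed file (hypothetical
# wrapper; requires GNU stat and getcap on the host).
audit_binary() {
    file=$1
    [ -e "$file" ] || { echo missing; return 1; }
    mode=$(stat -c %a "$file")
    caps=$(getcap "$file" 2>/dev/null)
    classify_privilege "$mode" "$caps"
}

# Usage: sh audit.sh /usr/sbin/fping /bin/ping  (no-op without arguments)
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(audit_binary "$f")"
done
```

Anything reported as `both` or `setuid` after the switch to FILECAPS means the capability was not applied and the package fell back to (or kept) setuid root.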