Apps :: Why does ping need root?



Every time I need to run ping I forget to put sudo in front of the command and am given the usual "Permission denied. Are you root?" message. It seems to be an irritating and illogical setting and I know of no reason to restrict the use of ping and am trying to allow any user to access it.

I checked the permissions of /bin/ping (777) and noticed that it is a link to /bin/busybox. That is a new program to me and its permissions are 775. It is not clear what I should do next as I cannot find a config file for busybox.

ZB

Busybox handles many of DSL's common tools.

Taken from config.in from source... (note that the default is set to 'no').  This should give you some options to consider - hope this helps.
Quote
config FEATURE_SUID
bool "Support for SUID/SGID handling"
default n
help
 With this option you can install the busybox binary belonging
 to root with the suid bit set, and it'll and it'll automatically drop
 priviledges for applets that don't need root access.

 If you're really paranoid and don't want to do this, build two
 busybox binaries with different applets in them (and the appropriate
 symlinks pointing to each binary), and only set the suid bit on the
 one that needs it.  The applets currently marked to need the suid bit
 are login, passwd, su, ping, traceroute, crontab, dnsd, ipcrm, ipcs,
 and vlock.
...
config FEATURE_SUID_CONFIG
bool "Runtime SUID/SGID configuration via /etc/busybox.conf"
default n if FEATURE_SUID
depends on FEATURE_SUID
help
 Allow the SUID / SGID state of an applet to be determined at runtime
 by checking /etc/busybox.conf.  (This is sort of a poor man's sudo.)
 The format of this file is as follows:

 <applet> = [Ssx-][Ssx-][x-] (<username>|<uid>).(<groupname>|<gid>)

 An example might help:

 [SUID]
 su = ssx root.0 # applet su can be run by anyone and runs with euid=0/egid=0
 su = ssx        # exactly the same

 mount = sx- root.disk # applet mount can be run by root and members of group disk
                       # and runs with euid=0

 cp = --- # disable applet cp for everyone

 The file has to be owned by user root, group root and has to be
 writeable only by root:
  (chown 0.0 /etc/busybox.conf; chmod 600 /etc/busybox.conf)
 The busybox executable has to be owned by user root, group
 root and has to be setuid root for this to work:
  (chown 0.0 /bin/busybox; chmod 4755 /bin/busybox)

 Robert 'sandman' Griebl has more information here:
 <url: http://www.softforge.de/bb/suid.html >.


An alternative to the busybox toolset would be to load gnu-utils.dsl - but that will take much more space/memory in comparison.

If it's only the sudo thing that's bothering you, you could use an alias, like alias ping="sudo ping" I suppose.
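
Added example, not part of the original thread and not Busybox code: a Python audit helper that parses the /etc/busybox.conf format quoted above, lists the applets any local user can run with euid 0, and checks the ownership and mode requirements (0.0 with 600 for the config, 0.0 with 4755 for the binary). The function names and the sample file are constructed for illustration; reading a capital `S` as "set-id without execute" is an assumption borrowed from ls notation.

```python
import os
import re
import stat

# Constructed sample in the /etc/busybox.conf format quoted above.
SAMPLE = """\
[SUID]
su = ssx root.0   # anyone may run it, euid=0/egid=0
ping = ssx        # owner.group omitted: same as root.0
mount = sx- root.disk
cp = ---
"""

# <applet> = [Ssx-][Ssx-][x-] (<username>|<uid>).(<groupname>|<gid>)
ENTRY = re.compile(r"^([\w-]+)\s*=\s*([Ssx-])([Ssx-])([x-])(?:\s+(\w+)\.(\w+))?$")

def parse_suid_section(text):
    """Return {applet: rule} for entries under [SUID]; raise on malformed lines."""
    rules, in_suid = {}, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_suid = line.upper() == "[SUID]"
            continue
        if not line or not in_suid:
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"line {n}: bad entry {raw!r}")
        applet, u, g, o, user, group = m.groups()
        rules[applet] = {
            "owner": user or "root", "group": group or "0",
            "setuid": u in "sS", "setgid": g in "sS",   # 'S' reading: assumption
            "owner_exec": u in "sx", "group_exec": g in "sx", "other_exec": o == "x",
        }
    return rules

def root_for_everyone(rules):
    """Applets that every local user can run with euid 0: review these first."""
    return sorted(a for a, r in rules.items()
                  if r["setuid"] and r["other_exec"] and r["owner"] in ("root", "0"))

def check_file(path, want_mode):
    """True if path is owned by 0.0 and its mode is exactly want_mode (e.g. 0o600)."""
    st = os.stat(path)
    return st.st_uid == 0 and st.st_gid == 0 and stat.S_IMODE(st.st_mode) == want_mode

if __name__ == "__main__":
    print(root_for_everyone(parse_suid_section(SAMPLE)))
```

On a real system, run `check_file("/etc/busybox.conf", 0o600)` and `check_file("/bin/busybox", 0o4755)` alongside the parse of the live file.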

Thanks, that was very informative.

I am not sure that I am ready to compile my own Busybox. I have changed the sudo settings to ask for a password. A link would save entering sudo but would still require the password. The computer is old and slow and gnu-utils would be too demanding.

It is a bit of a paradox: a paranoid setting requiring root to run ping combined with allowing sudo without a password.


I will learn to live with it.

ZB

Well, I don't think you'd need to recompile it.
Quote
If you're really paranoid and don't want to do this, build two
busybox binaries with different applets in them (and the appropriate
symlinks pointing to each binary), and only set the suid bit on the
one that needs it.  The applets currently marked to need the suid bit
are login, passwd, su, ping, traceroute, crontab, dnsd, ipcrm, ipcs,
and vlock.
You could setuid on one of them, just for ping.

I think it's the same for gnu-utils, it probably has it setuid for ping. (Though you don't need to load the whole package.)

gnu-utils.unc doesn't have the high overhead of gnu-utils.dsl