Why does ping need root?
Forum: Apps
Topic: Why does ping need root?
started by: zaphod_es
Posted by zaphod_es on Nov. 26 2006,17:52
Every time I need to run ping I forget to put sudo in front of the command and am given the usual "Permission denied. Are you root?" message. It seems to be an irritating and illogical setting and I know of no reason to restrict the use of ping and am trying to allow any user to access it.
I checked the permissions of /bin/ping (777) and noticed that it is a link to /bin/busybox. That is a new program to me and its permissions are 775. It is not clear what I should do next as I cannot find a config file for busybox.
ZB
Posted by ^thehatsrule^ on Nov. 26 2006,19:33
Busybox handles many of DSL's common tools.
Taken from config.in from source... (note that the default is set to 'no'). This should give you some options to consider - hope this helps.
Quote |
config FEATURE_SUID
    bool "Support for SUID/SGID handling"
    default n
    help
      With this option you can install the busybox binary belonging to root with the suid bit set, and it'll automatically drop privileges for applets that don't need root access.

      If you're really paranoid and don't want to do this, build two busybox binaries with different applets in them (and the appropriate symlinks pointing to each binary), and only set the suid bit on the one that needs it. The applets currently marked to need the suid bit are login, passwd, su, ping, traceroute, crontab, dnsd, ipcrm, ipcs, and vlock.

...

config FEATURE_SUID_CONFIG
    bool "Runtime SUID/SGID configuration via /etc/busybox.conf"
    default n if FEATURE_SUID
    depends on FEATURE_SUID
    help
      Allow the SUID / SGID state of an applet to be determined at runtime by checking /etc/busybox.conf. (This is sort of a poor man's sudo.) The format of this file is as follows:

      <applet> = [Ssx-][Ssx-][x-] (<username>|<uid>).(<groupname>|<gid>)

      An example might help:

      [SUID]
      su = ssx root.0        # applet su can be run by anyone and runs with euid=0/egid=0
      su = ssx               # exactly the same
      mount = sx- root.disk  # applet mount can be run by root and members of group disk
                             # and runs with euid=0
      cp = ---               # disable applet cp for everyone

      The file has to be owned by user root, group root and has to be writeable only by root:
        (chown 0.0 /etc/busybox.conf; chmod 600 /etc/busybox.conf)
      The busybox executable has to be owned by user root, group root and has to be setuid root for this to work:
        (chown 0.0 /bin/busybox; chmod 4755 /bin/busybox)

      Robert 'sandman' Griebl has more information here: http://www.softforge.de/bb/suid.html
|
An alternative to the busybox toolset would be to load gnu-utils.dsl - but that will take much more space/memory in comparison.
If it's only the sudo thing that's bothering you, you could use an alias, like alias ping="sudo ping" I suppose.
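The /etc/busybox.conf format quoted in the post above is compact enough that its semantics are easy to misread, so here is a small model of it. This is an added illustration, not BusyBox's own code: the parser and the permission decision follow the documented line format (`<applet> = [Ssx-][Ssx-][x-] user.group`) and the three commented examples in the help text, and the sample config, the user/group name tables and the `ping` rule are constructed for the demo. Two caveats a practitioner would want: BusyBox only consults this file if it was built with FEATURE_SUID_CONFIG (the quoted config.in defaults it to `n`), and the rules only take effect when /bin/busybox itself is setuid root, which is exactly the setting the thread is debating.

```python
"""Model of the /etc/busybox.conf [SUID] section quoted in the post above.

Added illustration, not BusyBox's own code: the parser and the permission
logic follow the documented line format and the help text's examples; the
sample config, user names and group ids below are constructed.
"""
import re
import stat

# Constructed name tables for the example (the numeric ids are assumptions).
USERS = {"root": 0, "zb": 1000}
GROUPS = {"root": 0, "disk": 6, "users": 100}

# Constructed sample config: the examples from the help text plus a 'ping'
# rule of the kind the original poster would add to avoid typing sudo.
SAMPLE_CONF = """\
[SUID]
su    = ssx root.0       # anyone may run it; runs with euid=0/egid=0
mount = sx- root.disk    # root and members of group disk; runs with euid=0
cp    = ---              # disabled for everyone
ping  = sxx root.root    # anyone may run it; setuid root, no setgid
"""

_RULE = re.compile(
    r"^(?P<applet>[A-Za-z0-9_.-]+)\s*=\s*"
    r"(?P<owner>[Ssx-])(?P<group>[Ssx-])(?P<other>[x-])"
    r"(?:\s+(?P<user>[^.\s]+)\.(?P<grp>\S+))?$"
)


def _lookup(name, table):
    """Resolve a user or group given either as a name or as a numeric id."""
    if name.isdigit():
        return int(name)
    if name not in table:
        raise ValueError("unknown user/group %r" % name)
    return table[name]


def parse_conf(text):
    """Return {applet: (owner, group, other, uid, gid)} from the [SUID] section.

    Comments start with '#'.  A missing 'user.group' defaults to root.0,
    matching the 'su = ssx   # exactly the same' example in the help text.
    """
    rules = {}
    in_suid = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_suid = line.upper() == "[SUID]"
            continue
        if not in_suid:
            continue
        m = _RULE.match(line)
        if m is None:
            raise ValueError("bad rule: %r" % raw)
        uid = _lookup(m.group("user"), USERS) if m.group("user") else 0
        gid = _lookup(m.group("grp"), GROUPS) if m.group("grp") else 0
        rules[m.group("applet")] = (m.group("owner"), m.group("group"),
                                    m.group("other"), uid, gid)
    return rules


def check(rules, applet, ruid, rgids):
    """Decide whether a caller (real uid, tuple of real gids) may run an applet.

    Returns (allowed, euid, egid).  The three mode characters act like the
    owner/group/other execute bits of a setuid file: the caller's triplet is
    chosen by matching the rule's uid, then its gid, then 'other'; 's' or 'x'
    there grants execution, 'S' or '-' denies it.  An 's'/'S' in the owner
    (group) position makes every permitted caller run as the rule's uid (gid).
    Applets absent from the file fall back to BusyBox's built-in table, which
    is not modelled here, so they raise KeyError.
    """
    owner, group, other, uid, gid = rules[applet]
    if ruid == uid:
        bits = owner
    elif gid in rgids:
        bits = group
    else:
        bits = other
    if bits not in ("s", "x"):
        return (False, None, None)
    euid = uid if owner in ("s", "S") else ruid
    egid = gid if group in ("s", "S") else rgids[0]
    return (True, euid, egid)


def conf_file_acceptable(st_uid, st_gid, st_mode):
    """The help text's requirement for busybox.conf: owned by root:root and
    writable only by root (chmod 600 is the suggested setting)."""
    return (st_uid == 0 and st_gid == 0
            and not st_mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    zb = (USERS["zb"], (GROUPS["users"],))
    for applet in ("su", "mount", "cp", "ping"):
        print(applet, check(rules, applet, *zb))
```

Running it shows the point of the thread: with the `ping` rule in place an ordinary user runs ping with euid 0 but an unchanged gid, while `mount` stays closed to anyone outside group disk and `cp` is refused even to root. Treat a world-executable rule with an `s` in the owner position as exactly what it is, a setuid-root entry point; only list applets that were written to drop privileges.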
Posted by zaphod_es on Nov. 28 2006,19:40
Thanks, that was very informative.
I am not sure that I am ready to compile my own Busybox. I have changed the sudo settings to ask for a password. A link would save entering sudo but would still require the password. The computer is old and slow and gnu-utils would be too demanding.
It is a bit of a paradox: a paranoid setting requiring root to run ping combined with allowing sudo without a password.
I will learn to live with it.
ZB
Posted by ^thehatsrule^ on Nov. 28 2006,19:53
Well, I don't think you'd need to recompile it.
Quote | If you're really paranoid and don't want to do this, build two busybox binaries with different applets in them (and the appropriate symlinks pointing to each binary), and only set the suid bit on the one that needs it. The applets currently marked to need the suid bit are login, passwd, su, ping, traceroute, crontab, dnsd, ipcrm, ipcs, and vlock. | You could setuid on one of them, just for ping.
I think it's the same for gnu-utils, it probably has it setuid for ping. (though you don't need to load the whole package)
Posted by roberts on Nov. 28 2006,20:39
gnu-utils.unc doesn't have the high overhead of gnu-utils.dsl