Topic: Why does ping need root?, How do I change that?
zaphod_es (Group: Members, Posts: 2, Joined: Nov. 2006)
Posted: Nov. 26 2006, 17:52

Every time I need to run ping I forget to put sudo in front of the command and am given the usual "Permission denied. Are you root?" message. It seems to be an irritating and illogical setting and I know of no reason to restrict the use of ping and am trying to allow any user to access it.

I checked the permissions of /bin/ping (777) and noticed that it is a link to /bin/busybox. That is a new program to me and its permissions are 775. It is not clear what I should do next as I cannot find a config file for busybox.

ZB
^thehatsrule^ (Group: Members, Posts: 3275, Joined: July 2006)
Posted: Nov. 26 2006, 19:33

Busybox handles many of DSL's common tools.

Taken from config.in from source... (note that the default is set to 'no').  This should give you some options to consider - hope this helps.
Quote
config FEATURE_SUID
bool "Support for SUID/SGID handling"
default n
help
 With this option you can install the busybox binary belonging
 to root with the suid bit set, and it'll automatically drop
 privileges for applets that don't need root access.

 If you're really paranoid and don't want to do this, build two
 busybox binaries with different applets in them (and the appropriate
 symlinks pointing to each binary), and only set the suid bit on the
 one that needs it.  The applets currently marked to need the suid bit
 are login, passwd, su, ping, traceroute, crontab, dnsd, ipcrm, ipcs,
 and vlock.
...
config FEATURE_SUID_CONFIG
bool "Runtime SUID/SGID configuration via /etc/busybox.conf"
default n if FEATURE_SUID
depends on FEATURE_SUID
help
 Allow the SUID / SGID state of an applet to be determined at runtime
 by checking /etc/busybox.conf.  (This is sort of a poor man's sudo.)
 The format of this file is as follows:

 <applet> = [Ssx-][Ssx-][x-] (<username>|<uid>).(<groupname>|<gid>)

 An example might help:

 [SUID]
 su = ssx root.0 # applet su can be run by anyone and runs with euid=0/egid=0
 su = ssx        # exactly the same

 mount = sx- root.disk # applet mount can be run by root and members of group disk
                       # and runs with euid=0

 cp = --- # disable applet cp for everyone

 The file has to be owned by user root, group root and has to be
 writeable only by root:
  (chown 0.0 /etc/busybox.conf; chmod 600 /etc/busybox.conf)
 The busybox executable has to be owned by user root, group
 root and has to be setuid root for this to work:
  (chown 0.0 /bin/busybox; chmod 4755 /bin/busybox)

 Robert 'sandman' Griebl has more information here:
 <url: http://www.softforge.de/bb/suid.html >.


An alternative to the busybox toolset would be to load gnu-utils.dsl - but that will take much more space/memory in comparison.

If it's only the sudo thing that's bothering you, you could use an alias, like alias ping="sudo ping" I suppose.
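
Added example (not part of the original post and not BusyBox's own code): a small Python parser for the [SUID] section format quoted above, together with the ownership and mode checks the help text requires. The reading of 'S' as set-id without execute (as in ls -l output), the field names, and the ping entry in the sample are assumptions.

```python
import re
import stat

# Constructed sample in the format quoted above; the ping line is an assumption
# modelled on the quoted "su = ssx" example, not taken from a real system.
SAMPLE = """\
[SUID]
su = ssx root.0       # anyone may run, euid=0/egid=0
mount = sx- root.disk # root and group disk only, euid=0
ping = ssx
cp = ---              # disabled for everyone
"""

RULE = re.compile(r"^(\w+)\s*=\s*([Ssx-])([Ssx-])([x-])(?:\s+([^.\s]+)\.(\S+))?$")

def parse_suid(text):
    """Return {applet: policy} for the [SUID] section of busybox.conf text."""
    rules, in_suid = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line.startswith("["):
            in_suid = line.upper() == "[SUID]"
            continue
        m = RULE.match(line) if in_suid else None
        if not m:
            continue
        applet, u, g, o, user, group = m.groups()
        user, group = user or "root", group or "0"   # "su = ssx" means root.0
        rules[applet] = {
            "owner_may_run": u in "sx",    # 's' = execute + set-id, 'x' = execute
            "group_may_run": g in "sx",
            "other_may_run": o == "x",
            "runs_as_user": user if u in "sS" else None,    # setuid target
            "runs_as_group": group if g in "sS" else None,  # setgid target
        }
    return rules

def conf_file_ok(uid, gid, mode):
    """busybox.conf must be owned by root.root and writable only by root."""
    return uid == 0 and gid == 0 and not mode & (stat.S_IWGRP | stat.S_IWOTH)

def busybox_ok(uid, gid, mode):
    """The busybox binary must be root.root and setuid for the file to apply."""
    return uid == 0 and gid == 0 and bool(mode & stat.S_ISUID)

if __name__ == "__main__":
    for applet, policy in parse_suid(SAMPLE).items():
        print(applet, policy)
    print("conf 0600 ok:", conf_file_ok(0, 0, 0o100600))
    print("busybox 0775 ok:", busybox_ok(0, 0, 0o100775))
```

On a live system the three arguments come from `os.stat()` on /etc/busybox.conf and /bin/busybox (`st_uid`, `st_gid`, `st_mode`).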
zaphod_es (Group: Members, Posts: 2, Joined: Nov. 2006)
Posted: Nov. 28 2006, 19:40

Thanks, that was very informative.

I am not sure that I am ready to compile my own Busybox. I have changed the sudo settings to ask for a password. A link would save entering sudo but would still require the password. The computer is old and slow and gnu-utils would be too demanding.

It is a bit of a paradox: a paranoid setting requiring root to run ping combined with allowing sudo without a password.


I will learn to live with it.

ZB
^thehatsrule^ (Group: Members, Posts: 3275, Joined: July 2006)
Posted: Nov. 28 2006, 19:53

Well, I don't think you'd need to recompile it.
Quote
If you're really paranoid and don't want to do this, build two
busybox binaries with different applets in them (and the appropriate
symlinks pointing to each binary), and only set the suid bit on the
one that needs it.  The applets currently marked to need the suid bit
are login, passwd, su, ping, traceroute, crontab, dnsd, ipcrm, ipcs,
and vlock.
You could setuid on one of them, just for ping.

I think it's the same for gnu-utils, it probably has it setuid for ping.  (though you don't need to load the whole package)
roberts (Group: Members, Posts: 4983, Joined: Oct. 2003)
Posted: Nov. 28 2006, 20:39

gnu-utils.unc doesn't have the high overhead of gnu-utils.dsl
4 replies since Nov. 26 2006, 17:52