iB::Topic::Why does ping need root?

	Damn Small Linux :: Damn Small Linux Board The DSL Forums

» Welcome Guest
[ Log In :: Register ]

Damn Small Linux Board » Damn Small Linux » Apps » Why does ping need root?

		Mini-ITX Boards Sale, Fanless BareBones Mini-ITX, Bootable 1G DSL USBs, 533MHz Fanless PC <-- SALE $200 each!
		Get The Official Damn Small Linux Book. DSL Market , Great VPS hosting provided by Tektonic

[ Track this topic :: Email this topic :: Print this topic ]

Topic: Why does ping need root?, How do I change that?

< Next Oldest | Next Newest >

zaphod_es

Group: Members
Posts: 2
Joined: Nov. 2006

Posted: Nov. 26 2006,17:52

Every time I need to run ping I forget to put sudo in front of the command and am given the usual "Permission denied. Are you root?" message. It seems to be an irritating and illogical setting and I know of no reason to restrict the use of ping and am trying to allow any user to access it.

I checked the permissions of /bin/ping (777) and noticed that it is a link to /bin/busybox. That is a new program to me and its permissions are 775 It is not clear what I should do next as I cannot find a config file for busybox.

ZB

^thehatsrule^ Offline

Group: Members
Posts: 3275
Joined: July 2006

Posted: Nov. 26 2006,19:33

Busybox handles many of DSL's common tools.

Taken from config.in from source... (note that the default is set to 'no'). This should give you some options to consider - hope this helps.

Quote

config FEATURE_SUID
bool "Support for SUID/SGID handling"
default n
help
With this option you can install the busybox binary belonging
to root with the suid bit set, and it'll and it'll automatically drop
priviledges for applets that don't need root access.

If you're really paranoid and don't want to do this, build two
busybox binaries with different applets in them (and the appropriate
symlinks pointing to each binary), and only set the suid bit on the
one that needs it. The applets currently marked to need the suid bit
are login, passwd, su, ping, traceroute, crontab, dnsd, ipcrm, ipcs,
and vlock.
...
config FEATURE_SUID_CONFIG
bool "Runtime SUID/SGID configuration via /etc/busybox.conf"
default n if FEATURE_SUID
depends on FEATURE_SUID
help
Allow the SUID / SGID state of an applet to be determined at runtime
by checking /etc/busybox.conf. (This is sort of a poor man's sudo.)
The format of this file is as follows:

<applet> = [Ssx-][Ssx-][x-] (<username>|<uid>).(<groupname>|<gid>)

An example might help:

[SUID]
su = ssx root.0 # applet su can be run by anyone and runs with euid=0/egid=0
su = ssx # exactly the same

mount = sx- root.disk # applet mount can be run by root and members of group disk
# and runs with euid=0

cp = --- # disable applet cp for everyone

The file has to be owned by user root, group root and has to be
writeable only by root:
(chown 0.0 /etc/busybox.conf; chmod 600 /etc/busybox.conf)
The busybox executable has to be owned by user root, group
root and has to be setuid root for this to work:
(chown 0.0 /bin/busybox; chmod 4755 /bin/busybox)

Robert 'sandman' Griebl has more information here:
<url: http://www.softforge.de/bb/suid.html >.

An alternative to the busybox toolset would be to load gnu-utils.dsl - but that will take much more space/memory in comparison.

If it's only the sudo thing that's bothering you, you could use an alias, like alias ping="sudo ping" I suppose.

zaphod_es

Group: Members
Posts: 2
Joined: Nov. 2006

Posted: Nov. 28 2006,19:40

Thanks, that was very informative.

I am not sure that I am ready to compile my own Busybox. I have changed the sudo settings to ask for a password. A link would save entering sudo but would still require the password. The computer is old and slow and gnu-utils would be too demanding.

It is a bit of a paradox: a paranoid setting requiring root to run ping combined with allowing sudo without a password.

I will learn to live with it.

ZB

^thehatsrule^ Offline

Group: Members
Posts: 3275
Joined: July 2006

Posted: Nov. 28 2006,19:53

Well, I don't think you'd need to recompile it.

Quote

If you're really paranoid and don't want to do this, build two
busybox binaries with different applets in them (and the appropriate
symlinks pointing to each binary), and only set the suid bit on the
one that needs it. The applets currently marked to need the suid bit
are login, passwd, su, ping, traceroute, crontab, dnsd, ipcrm, ipcs,
and vlock.

You could setuid on one of them, just for ping.

I think it's the same for gnu-utils, it probably has it setuid for ping. (thought you don't need to load the whole package)