Re: make ping executable by normal users?

2016-06-08 Thread Santiago Vila 
On Wed, Jun 08, 2016 at 02:44:52PM +0100, Ben Hutchings wrote:
> [...] see bug #770492.

Truly amazing! For "ping", it would be like this:

$ /sbin/getcap /bin/ping
/bin/ping = cap_net_raw+ep
$ chown root:root /bin/ping
chown: changing ownership of '/bin/ping': Operation not permitted
$ /sbin/getcap /bin/ping
[ empty output ]

And you don't even have to be root, so this is a lot easier method to
lose the capability than doing tar + untar or using rsync without -X.

Thanks.

Re: make ping executable by normal users?

2016-06-08 Thread Ben Hutchings 
On Tue, 2016-06-07 at 14:56 -0800, Britton Kerin wrote:
> On Thu, Jun 2, 2016 at 2:33 PM, Santiago Vila  wrote:
> > On Thu, Jun 02, 2016 at 01:56:08PM -0800, Britton Kerin wrote:
> > > On my old debian system I could ping as a normal user.  The ping
> > > binary had the suid bit set.  Now I get:
> > > 
> > > $ ping www.google.com
> > > ping: icmp open socket: Operation not permitted
> > > 2 $
> > > 
> > > presumably because the bit isn't set.
> > > 
> > > What's the right fix?  I could setuid it but then if I understand
> > > correctly it might get changed back by an upgrade.  Does it use
> > > capabilites or something?
> > 
> > Yes, it uses capabilities. The simple fix is to do this:
> > 
> > dpkg-reconfigure iputils-ping
> 
> Well, that works, thanks.  But I really don't get the overall behavior.
> It says this:
> 
>  root@debian:/home/bkerin# dpkg-reconfigure iputils-ping
>  Setcap worked! Ping(6) is not suid!
>  root@debian:/home/bkerin#
> 
> And then ping works for non-root users.
> 
> How, just by executing dpkg-reconfigure, did I tell it this is what
> I wanted?  If that's the default, why wasn't it that way to begin with?

It probably was, but see bug #770492.

> More generally, is it somehow possible to still run debian without
> capabilities?
[...]

Capabilities are a non-optional feature of Linux.  There are Debian
ports to other kernels where this may not be the case.

Ben.

-- 
Ben Hutchings
Any smoothly functioning technology is indistinguishable from a rigged
demo.



signature.asc
Description: This is a digitally signed message part

Re: make ping executable by normal users?

2016-06-08 Thread Adam Borowski 
On Tue, Jun 07, 2016 at 02:56:11PM -0800, Britton Kerin wrote:
> On Thu, Jun 2, 2016 at 2:33 PM, Santiago Vila  wrote:
> > On Thu, Jun 02, 2016 at 01:56:08PM -0800, Britton Kerin wrote:
> >> On my old debian system I could ping as a normal user.  The ping
> >> binary had the suid bit set.  Now I get:
> >>
> >> $ ping www.google.com
> >> ping: icmp open socket: Operation not permitted
> >> 2 $
> >>
> >> presumably because the bit isn't set.
> >
> > Yes, it uses capabilities. The simple fix is to do this:
> >
> > dpkg-reconfigure iputils-ping
> 
> Well, that works, thanks.  But I really don't get the overall behavior.
> It says this:
> 
>  root@debian:/home/bkerin# dpkg-reconfigure iputils-ping
>  Setcap worked! Ping(6) is not suid!
>  root@debian:/home/bkerin#
> 
> And then ping works for non-root users.
> 
> How, just by executing dpkg-reconfigure, did I tell it this is what
> I wanted?  If that's the default, why wasn't it that way to begin with?

It is supposed to work on initial installation as well -- the decision
whether to setcap or setuid is made anew whenever iputils-ping is
configured.  Did you do something out of ordinary, like tarring and
restoring or otherwise moving your system around?  If so, that's
unfortunately an expected thing -- if not, it'd be nice to know what
else could have failed.

> More generally, is it somehow possible to still run debian without
> capabilities?  I hate them.

Yes, apt-get purge libcap2-bin.

This won't undo existing capabilities in the filesystem, you can search for
them with getcap -r, then dpkg --reconfigure them to use setuid instead.

> The simple root-or-not security model is much simpler and doesn't promise
> more than it can really deliver.

Giving only limited capabilities greatly reduces possible attacks.  If
someone manages to subvert ping, in the setuid model he gains full root.  In
the capability model, all he gets is cap_net_raw.  The damage from being
able to create raw sockets is rather limited.  Another such capability is
for example cap_net_bind_service which lets your http/whatever server to
listen on port 80 without being root.  And so on...

On the other hand, setcap does have its downsides, like surprising some
sysadmins or tools.

> I'm sad to see capabilities now as the default.

I'd say the upside outweights the downsides.  But, you do get to choose.


Meow!
-- 
An imaginary friend squared is a real enemy.

Re: make ping executable by normal users?

2016-06-07 Thread Santiago Vila 
On Tue, Jun 07, 2016 at 02:56:11PM -0800, Britton Kerin wrote:

> How, just by executing dpkg-reconfigure, did I tell it this is what
> I wanted?  If that's the default, why wasn't it that way to begin with?

AFAIK, the tar file format, on which the .deb package format is based,
does not allow for capabilities to be stored inside a tar file, so the
capability has to be set in the postinst and may not be "just there"
after unpacking the package.

Of course, this does not explain why you lost the capability, it would
only explain why the postinst fixes it.

Re: make ping executable by normal users?

2016-06-07 Thread David Wright 
On Tue 07 Jun 2016 at 14:56:11 (-0800), Britton Kerin wrote:
> On Thu, Jun 2, 2016 at 2:33 PM, Santiago Vila  wrote:
> > On Thu, Jun 02, 2016 at 01:56:08PM -0800, Britton Kerin wrote:
> >> On my old debian system I could ping as a normal user.  The ping
> >> binary had the suid bit set.  Now I get:
> >>
> >> $ ping www.google.com
> >> ping: icmp open socket: Operation not permitted
> >> 2 $
> >>
> >> presumably because the bit isn't set.
> >>
> >> What's the right fix?  I could setuid it but then if I understand
> >> correctly it might get changed back by an upgrade.  Does it use
> >> capabilites or something?
> >
> > Yes, it uses capabilities. The simple fix is to do this:
> >
> > dpkg-reconfigure iputils-ping
> 
> Well, that works, thanks.  But I really don't get the overall behavior.
> It says this:
> 
>  root@debian:/home/bkerin# dpkg-reconfigure iputils-ping
>  Setcap worked! Ping(6) is not suid!
>  root@debian:/home/bkerin#
> 
> And then ping works for non-root users.
> 
> How, just by executing dpkg-reconfigure, did I tell it this is what
> I wanted?  If that's the default, why wasn't it that way to begin with?

dpkg-reconfigure runs /var/lib/dpkg/info/foo.postinst for package foo,
so take a look and you'll see the possibilities.

I've no idea how your ping missed the process, unless it's been copied
incorrectly at some point (though one might expect more problems than
just ping in that case).

> More generally, is it somehow possible to still run debian without
> capabilities?  I hate them.  The simple root-or-not security model
> is much simpler and doesn't promise more than it can really
> deliver.  I'm sad to see capabilities now as the default.

No idea. I'm convinced, rightly or wrongly, by the added fine-grain
security provided by capabilities.

Cheers,
David.

Re: make ping executable by normal users?

2016-06-07 Thread Britton Kerin 
On Thu, Jun 2, 2016 at 2:33 PM, Santiago Vila  wrote:
> On Thu, Jun 02, 2016 at 01:56:08PM -0800, Britton Kerin wrote:
>> On my old debian system I could ping as a normal user.  The ping
>> binary had the suid bit set.  Now I get:
>>
>> $ ping www.google.com
>> ping: icmp open socket: Operation not permitted
>> 2 $
>>
>> presumably because the bit isn't set.
>>
>> What's the right fix?  I could setuid it but then if I understand
>> correctly it might get changed back by an upgrade.  Does it use
>> capabilites or something?
>
> Yes, it uses capabilities. The simple fix is to do this:
>
> dpkg-reconfigure iputils-ping

Well, that works, thanks.  But I really don't get the overall behavior.
It says this:

 root@debian:/home/bkerin# dpkg-reconfigure iputils-ping
 Setcap worked! Ping(6) is not suid!
 root@debian:/home/bkerin#

And then ping works for non-root users.

How, just by executing dpkg-reconfigure, did I tell it this is what
I wanted?  If that's the default, why wasn't it that way to begin with?

More generally, is it somehow possible to still run debian without
capabilities?  I hate them.  The simple root-or-not security model
is much simpler and doesn't promise more than it can really
deliver.  I'm sad to see capabilities now as the default.

Britton

Re: make ping executable by normal users?

2016-06-07 Thread Nicolas George 
Le decadi 20 prairial, an CCXXIV, Reco a écrit :
> Yes, and "aptitude search '~nping'" shows 41 result for me (42 actually
> if you count busybox).
> I'm somewhat lazy to test each and every implementation of ping to check
> which one fails in 'icmp open socket' instead of 'sendmsg'.
> 
> So, my point is - it's entirely possible to get EPERM in ping by
> misconfiguring iptables.

No, it is not. There is no need to painstakingly try every single
implementation of ping: some people here know how to actually implement
ping, they know what the various system calls do and how they interact with
firewall rules and network error feedback. And based on that knowledge, they
can tell you: EPERM can be caused by firewall rules on the sendmsg() system
call, but not on the socket() system call, and the original error message
states it happens on the socket() system call.

Note that nobody blames you for not knowing that, it is not a mandatory
knowledge for using Debian, and I am sure there are other things you know
about Debian that few other people know. But try to get the feel of the wind
and understand that, lacking the corresponding knowledge, you should take
their word for it.

Regards,

-- 
  Nicolas George


signature.asc
Description: Digital signature

Re: make ping executable by normal users?

2016-06-07 Thread Reco 
On Mon, Jun 06, 2016 at 11:29:52AM -0500, David Wright wrote:
> On Mon 06 Jun 2016 at 19:26:04 (+0300), Reco wrote:
> > On Mon, Jun 06, 2016 at 11:14:11AM -0500, David Wright wrote:
> > > On Mon 06 Jun 2016 at 18:47:30 (+0300), Reco wrote:
> > > > On Mon, Jun 06, 2016 at 03:57:47PM +0200, Santiago Vila wrote:
> > > > > On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > > > > > Check your firewall rules.
> > > > > 
> > > > > It can't be firewall rules. Try this to block outgoing ping:
> > > > > 
> > > > > iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> > > > > 
> > > > > then try to ping anywhere. You will get a different error message,
> > > > > namely "Destination Port Unreachable".
> > > > 
> > > > But if you transform the rule in question a little, like this:
> > > > 
> > > > iptables -I OUTPUT -p icmp --icmp-type echo-request \
> > > > -j REJECT --reject-with icmp-admin-prohibited
> > > > 
> > > > ping will respond with 'Operation not permitted'. An exact wording of 
> > > > the
> > > > message seems to depend on actual ping implementation.
> > > > 
> > > > So, checking firewall rules is a valid advice. It's just this particular
> > > > problem happens due to lack of file capabilities.
> > > 
> > > # iptables -I OUTPUT -p icmp --icmp-type echo-request -j REJECT 
> > > --reject-with icmp-admin-prohibited
> > > 
> > > $ ping alum.local
> > > PING alum.local (192.168.1.19) 56(84) bytes of data.
> > > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > > ping: sendmsg: Operation not permitted
> > > ping: recvmsg: No route to host
> > > ping: recvmsg: No route to host
> > > ping: recvmsg: No route to host
> > > ping: recvmsg: No route to host
> > > ping: recvmsg: No route to host
> > > [ad infinitum]
> > 
> > As I wrote earlier - it depends on the implementation of a ping. For me
> > it looks like this:
> > 
> > $ dpkg -S $(which ping)
> > iputils-ping: /bin/ping
> > $ ping -c2 localhost
> > PING localhost (127.0.0.1) 56(84) bytes of data.
> > ping: sendmsg: Operation not permitted
> > ping: sendmsg: Operation not permitted
> > 
> > ^C
> > --- localhost ping statistics ---
> > 2 packets transmitted, 0 received, 100% packet loss, time 1007ms
> 
> But the OP's error message was
> "ping: icmp open socket: Operation not permitted"
> and not
> "ping: sendmsg: Operation not permitted"

Yes, and "aptitude search '~nping'" shows 41 result for me (42 actually
if you count busybox).
I'm somewhat lazy to test each and every implementation of ping to check
which one fails in 'icmp open socket' instead of 'sendmsg'.

So, my point is - it's entirely possible to get EPERM in ping by
misconfiguring iptables. I agree that it's also possible to get EPERM in
ping by denying it CAP_NET_RAW capability.

Reco

Re: make ping executable by normal users?

2016-06-06 Thread Norbert Kiszka 
Dnia 2016-06-06, pon o godzinie 14:04 -0500, David Wright pisze:
> On Mon 06 Jun 2016 at 19:50:55 (+0200), Norbert Kiszka wrote:
> > 1. Did You tried another kernel? If not, maybe try from backports for first.
> > 
> > 2. iptable_filter 12488  0 
> > > ip_tables  16975  1 iptable_filter
> > 
> > Little suspicious for me. What needs this modules when you have default "no 
> > rules"?
> > 
> > BTW. You are using wifi currently? Ping to localhost doesnt works too?
> 
> I think you need to read back through the thread and see *who* has *what* 
> problem.
> I'm perfectly happy with the behaviour of ping on all my machines.
> Seem like Santiago Vila was correct in 
> https://lists.debian.org/debian-user/2016/06/msg00235.html!
> 
> Cheers,
> David.
> 

mea culpa [:cry:]

Re: make ping executable by normal users?

2016-06-06 Thread David Wright 
On Mon 06 Jun 2016 at 19:50:55 (+0200), Norbert Kiszka wrote:
> 1. Did You tried another kernel? If not, maybe try from backports for first.
> 
> 2. iptable_filter 12488  0 
> > ip_tables  16975  1 iptable_filter
> 
> Little suspicious for me. What needs this modules when you have default "no 
> rules"?
> 
> BTW. You are using wifi currently? Ping to localhost doesnt works too?

I think you need to read back through the thread and see *who* has *what* 
problem.
I'm perfectly happy with the behaviour of ping on all my machines.
Seem like Santiago Vila was correct in 
https://lists.debian.org/debian-user/2016/06/msg00235.html!

Cheers,
David.

Re: make ping executable by normal users?

2016-06-06 Thread Norbert Kiszka 
Dnia 2016-06-06, pon o godzinie 12:00 -0500, David Wright pisze:
> On Mon 06 Jun 2016 at 18:38:55 (+0200), Norbert Kiszka wrote:
> > Dnia 2016-06-06, pon o godzinie 11:26 -0500, David Wright pisze:
> > > On Mon 06 Jun 2016 at 18:11:27 (+0200), Norbert Kiszka wrote:
> > > > Dnia 2016-06-06, pon o godzinie 11:00 -0500, David Wright pisze:
> > > > > On Mon 06 Jun 2016 at 15:27:16 (+), Mark Fletcher wrote:
> > > > > > On Mon, 6 Jun 2016 at 23:15, Santiago Vila  wrote:
> > > > > > 
> > > > > > > On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > > > > > > > Check your firewall rules.
> > > > > > >
> > > > > > > It can't be firewall rules. Try this to block outgoing ping:
> > > > > > >
> > > > > > > iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> > > > > > >
> > > > > > > then try to ping anywhere. You will get a different error message,
> > > > > > > namely "Destination Port Unreachable".
> > > > > > >
> > > > > > > [ Why people do not read all messages in the thread before 
> > > > > > > answering
> > > > > > >   is a mystery to me ].
> > > > > 
> > > > > > No, that's not true, you definitely can get this very error due to
> > > > > > something to do with the firewall, maybe it's not able to resolve 
> > > > > > the ping
> > > > > > target rather than not able to reach the resulting host, I'm damned 
> > > > > > if I
> > > > > > can remember the specifics but I've definitely seen this happen on 
> > > > > > an lfs
> > > > > > box before and it was nothing to do with perms (as I said before, 
> > > > > > to your
> > > > > > point about people not reading the whole thread...)
> > > > > 
> > > > > I don't understand this argument.
> > > > > 
> > > > > Why would ping bother to open a socket to a host it couldn't resolve?
> > > > > 
> > > > > I know precious little about firewall rules, but AIUI the rules
> > > > > determine whether to respond with things like Drop, Reject, Deny.
> > > > > Now the OP didn't manage to open a socket; that's in the error 
> > > > > message:
> > > > > "ping: icmp open socket: Operation not permitted"
> > > > > So how would ping find out how the firewall was going to react to its
> > > > > ping message without opening a socket to send something?
> > > > 
> > > > Did You change linux kernel, kernel modules or something lastly?
> > > 
> > > I now know even less about what you're talking about. I don't have a
> > > problem. I have easily duplicated the OP's error message in the
> > > following way:
> > > 
> > > $ cp -ip /bin/ping /tmp
> > > $ /tmp/ping alum.local
> > > ping: icmp open socket: Operation not permitted
> > > $ /sbin/getcap /tmp/ping 
> > > $ /sbin/getcap /bin/ping 
> > > /bin/ping = cap_net_raw+ep
> > > $ 
> > > 
> > > That's jessie. On wheezy:
> > > 
> > > $ ls -l /bin/ping /tmp/ping
> > > -rwsr-xr-x 1 root  root  31104 Apr 12  2011 /bin/ping
> > > -rwxr-xr-x 1 david david 31104 Apr 12  2011 /tmp/ping
> > 
> > Show output of those commands:
> > 
> > # iptables -L
> > # lsmod
> > $ uname -a
> > $ cat /etc/issue
> 
> Gladly, though I think you're taking an unhealthy interest in *my* machine.
> 
> # /sbin/iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source   destination 
> 
> Chain FORWARD (policy ACCEPT)
> target prot opt source   destination 
> 
> Chain OUTPUT (policy ACCEPT)
> target prot opt source   destination 
> # 
> 
> Bear in mind that I rebooted after making the change posted in this thread,
> so that change is lost.
> 
> $ lsmod
> Module  Size  Used by
> iptable_filter 12488  0 
> ip_tables  16975  1 iptable_filter
> x_tables   17978  2 ip_tables,iptable_filter
> ctr12807  2 
> ccm17361  2 
> snd_hrtimer12540  1 
> snd_seq_midi   12744  0 
> snd_seq_midi_event 13124  1 snd_seq_midi
> snd_rawmidi22372  1 snd_seq_midi
> snd_seq51562  3 snd_seq_midi_event,snd_seq_midi
> snd_seq_device 12980  3 snd_seq,snd_rawmidi,snd_seq_midi
> bnep   17184  2 
> cpufreq_powersave  12422  0 
> cpufreq_userspace  12477  0 
> cpufreq_conservative13872  0 
> cpufreq_stats  12694  0 
> nfsd  236959  2 
> auth_rpcgss45765  1 nfsd
> oid_registry   12387  1 auth_rpcgss
> nfs_acl12463  1 nfsd
> nfs   168022  0 
> lockd  73443  2 nfs,nfsd
> fscache44782  1 nfs
> sunrpc211341  6 nfs,nfsd,auth_rpcgss,lockd,nfs_acl
> joydev 16847  0 
> ecb12649  1 
> btusb  25417  0 
> bluetooth 340064  21 bnep,btusb
> 6lowpan_iphc   16548  1 bluetooth
> iTCO_wdt   12727  0 
> iTCO_vendor_support12585  1 iTCO_wdt
> snd_hda_codec_idt  48266  1 
> snd_hda_codec_generic58021  2

Re: make ping executable by normal users?

2016-06-06 Thread David Wright 
On Mon 06 Jun 2016 at 18:38:55 (+0200), Norbert Kiszka wrote:
> Dnia 2016-06-06, pon o godzinie 11:26 -0500, David Wright pisze:
> > On Mon 06 Jun 2016 at 18:11:27 (+0200), Norbert Kiszka wrote:
> > > Dnia 2016-06-06, pon o godzinie 11:00 -0500, David Wright pisze:
> > > > On Mon 06 Jun 2016 at 15:27:16 (+), Mark Fletcher wrote:
> > > > > On Mon, 6 Jun 2016 at 23:15, Santiago Vila  wrote:
> > > > > 
> > > > > > On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > > > > > > Check your firewall rules.
> > > > > >
> > > > > > It can't be firewall rules. Try this to block outgoing ping:
> > > > > >
> > > > > > iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> > > > > >
> > > > > > then try to ping anywhere. You will get a different error message,
> > > > > > namely "Destination Port Unreachable".
> > > > > >
> > > > > > [ Why people do not read all messages in the thread before answering
> > > > > >   is a mystery to me ].
> > > > 
> > > > > No, that's not true, you definitely can get this very error due to
> > > > > something to do with the firewall, maybe it's not able to resolve the 
> > > > > ping
> > > > > target rather than not able to reach the resulting host, I'm damned 
> > > > > if I
> > > > > can remember the specifics but I've definitely seen this happen on an 
> > > > > lfs
> > > > > box before and it was nothing to do with perms (as I said before, to 
> > > > > your
> > > > > point about people not reading the whole thread...)
> > > > 
> > > > I don't understand this argument.
> > > > 
> > > > Why would ping bother to open a socket to a host it couldn't resolve?
> > > > 
> > > > I know precious little about firewall rules, but AIUI the rules
> > > > determine whether to respond with things like Drop, Reject, Deny.
> > > > Now the OP didn't manage to open a socket; that's in the error message:
> > > > "ping: icmp open socket: Operation not permitted"
> > > > So how would ping find out how the firewall was going to react to its
> > > > ping message without opening a socket to send something?
> > > 
> > > Did You change linux kernel, kernel modules or something lastly?
> > 
> > I now know even less about what you're talking about. I don't have a
> > problem. I have easily duplicated the OP's error message in the
> > following way:
> > 
> > $ cp -ip /bin/ping /tmp
> > $ /tmp/ping alum.local
> > ping: icmp open socket: Operation not permitted
> > $ /sbin/getcap /tmp/ping 
> > $ /sbin/getcap /bin/ping 
> > /bin/ping = cap_net_raw+ep
> > $ 
> > 
> > That's jessie. On wheezy:
> > 
> > $ ls -l /bin/ping /tmp/ping
> > -rwsr-xr-x 1 root  root  31104 Apr 12  2011 /bin/ping
> > -rwxr-xr-x 1 david david 31104 Apr 12  2011 /tmp/ping
> 
> Show output of those commands:
> 
> # iptables -L
> # lsmod
> $ uname -a
> $ cat /etc/issue

Gladly, though I think you're taking an unhealthy interest in *my* machine.

# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination 

Chain FORWARD (policy ACCEPT)
target prot opt source   destination 

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination 
# 

Bear in mind that I rebooted after making the change posted in this thread,
so that change is lost.

$ lsmod
Module  Size  Used by
iptable_filter 12488  0 
ip_tables  16975  1 iptable_filter
x_tables   17978  2 ip_tables,iptable_filter
ctr12807  2 
ccm17361  2 
snd_hrtimer12540  1 
snd_seq_midi   12744  0 
snd_seq_midi_event 13124  1 snd_seq_midi
snd_rawmidi22372  1 snd_seq_midi
snd_seq51562  3 snd_seq_midi_event,snd_seq_midi
snd_seq_device 12980  3 snd_seq,snd_rawmidi,snd_seq_midi
bnep   17184  2 
cpufreq_powersave  12422  0 
cpufreq_userspace  12477  0 
cpufreq_conservative13872  0 
cpufreq_stats  12694  0 
nfsd  236959  2 
auth_rpcgss45765  1 nfsd
oid_registry   12387  1 auth_rpcgss
nfs_acl12463  1 nfsd
nfs   168022  0 
lockd  73443  2 nfs,nfsd
fscache44782  1 nfs
sunrpc211341  6 nfs,nfsd,auth_rpcgss,lockd,nfs_acl
joydev 16847  0 
ecb12649  1 
btusb  25417  0 
bluetooth 340064  21 bnep,btusb
6lowpan_iphc   16548  1 bluetooth
iTCO_wdt   12727  0 
iTCO_vendor_support12585  1 iTCO_wdt
snd_hda_codec_idt  48266  1 
snd_hda_codec_generic58021  2 snd_hda_codec_idt
arc4   12480  2 
dell_wmi   12437  0 
sparse_keymap  12730  1 dell_wmi
tg3   154678  0 
iwl394553405  0 
iwlegacy   53921  1 iwl3945
mac80211  425575  2 iwl3945,iwlegacy
snd_hda_intel  26023  0 
ptp17462  1

Re: make ping executable by normal users?

2016-06-06 Thread Norbert Kiszka 
Dnia 2016-06-06, pon o godzinie 11:26 -0500, David Wright pisze:
> On Mon 06 Jun 2016 at 18:11:27 (+0200), Norbert Kiszka wrote:
> > Dnia 2016-06-06, pon o godzinie 11:00 -0500, David Wright pisze:
> > > On Mon 06 Jun 2016 at 15:27:16 (+), Mark Fletcher wrote:
> > > > On Mon, 6 Jun 2016 at 23:15, Santiago Vila  wrote:
> > > > 
> > > > > On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > > > > > Check your firewall rules.
> > > > >
> > > > > It can't be firewall rules. Try this to block outgoing ping:
> > > > >
> > > > > iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> > > > >
> > > > > then try to ping anywhere. You will get a different error message,
> > > > > namely "Destination Port Unreachable".
> > > > >
> > > > > [ Why people do not read all messages in the thread before answering
> > > > >   is a mystery to me ].
> > > 
> > > > No, that's not true, you definitely can get this very error due to
> > > > something to do with the firewall, maybe it's not able to resolve the 
> > > > ping
> > > > target rather than not able to reach the resulting host, I'm damned if I
> > > > can remember the specifics but I've definitely seen this happen on an 
> > > > lfs
> > > > box before and it was nothing to do with perms (as I said before, to 
> > > > your
> > > > point about people not reading the whole thread...)
> > > 
> > > I don't understand this argument.
> > > 
> > > Why would ping bother to open a socket to a host it couldn't resolve?
> > > 
> > > I know precious little about firewall rules, but AIUI the rules
> > > determine whether to respond with things like Drop, Reject, Deny.
> > > Now the OP didn't manage to open a socket; that's in the error message:
> > > "ping: icmp open socket: Operation not permitted"
> > > So how would ping find out how the firewall was going to react to its
> > > ping message without opening a socket to send something?
> > 
> > Did You change linux kernel, kernel modules or something lastly?
> 
> I now know even less about what you're talking about. I don't have a
> problem. I have easily duplicated the OP's error message in the
> following way:
> 
> $ cp -ip /bin/ping /tmp
> $ /tmp/ping alum.local
> ping: icmp open socket: Operation not permitted
> $ /sbin/getcap /tmp/ping 
> $ /sbin/getcap /bin/ping 
> /bin/ping = cap_net_raw+ep
> $ 
> 
> That's jessie. On wheezy:
> 
> $ ls -l /bin/ping /tmp/ping
> -rwsr-xr-x 1 root  root  31104 Apr 12  2011 /bin/ping
> -rwxr-xr-x 1 david david 31104 Apr 12  2011 /tmp/ping
> 
> Cheers,
> David.
> 


Show output of those commands:

# iptables -L
# lsmod
$ uname -a
$ cat /etc/issue

Re: make ping executable by normal users?

2016-06-06 Thread David Wright 
On Mon 06 Jun 2016 at 19:26:04 (+0300), Reco wrote:
> On Mon, Jun 06, 2016 at 11:14:11AM -0500, David Wright wrote:
> > On Mon 06 Jun 2016 at 18:47:30 (+0300), Reco wrote:
> > > On Mon, Jun 06, 2016 at 03:57:47PM +0200, Santiago Vila wrote:
> > > > On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > > > > Check your firewall rules.
> > > > 
> > > > It can't be firewall rules. Try this to block outgoing ping:
> > > > 
> > > > iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> > > > 
> > > > then try to ping anywhere. You will get a different error message,
> > > > namely "Destination Port Unreachable".
> > > 
> > > But if you transform the rule in question a little, like this:
> > > 
> > > iptables -I OUTPUT -p icmp --icmp-type echo-request \
> > >   -j REJECT --reject-with icmp-admin-prohibited
> > > 
> > > ping will respond with 'Operation not permitted'. An exact wording of the
> > > message seems to depend on actual ping implementation.
> > > 
> > > So, checking firewall rules is a valid advice. It's just this particular
> > > problem happens due to lack of file capabilities.
> > 
> > # iptables -I OUTPUT -p icmp --icmp-type echo-request -j REJECT 
> > --reject-with icmp-admin-prohibited
> > 
> > $ ping alum.local
> > PING alum.local (192.168.1.19) 56(84) bytes of data.
> > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > >From 192.168.1.15 icmp_seq=1 Packet filtered
> > ping: sendmsg: Operation not permitted
> > ping: recvmsg: No route to host
> > ping: recvmsg: No route to host
> > ping: recvmsg: No route to host
> > ping: recvmsg: No route to host
> > ping: recvmsg: No route to host
> > [ad infinitum]
> 
> As I wrote earlier - it depends on the implementation of a ping. For me
> it looks like this:
> 
> $ dpkg -S $(which ping)
> iputils-ping: /bin/ping
> $ ping -c2 localhost
> PING localhost (127.0.0.1) 56(84) bytes of data.
> ping: sendmsg: Operation not permitted
> ping: sendmsg: Operation not permitted
> 
> ^C
> --- localhost ping statistics ---
> 2 packets transmitted, 0 received, 100% packet loss, time 1007ms

But the OP's error message was
"ping: icmp open socket: Operation not permitted"
and not
"ping: sendmsg: Operation not permitted"

Cheers,
David.

Re: make ping executable by normal users?

2016-06-06 Thread David Wright 
On Mon 06 Jun 2016 at 18:11:27 (+0200), Norbert Kiszka wrote:
> Dnia 2016-06-06, pon o godzinie 11:00 -0500, David Wright pisze:
> > On Mon 06 Jun 2016 at 15:27:16 (+), Mark Fletcher wrote:
> > > On Mon, 6 Jun 2016 at 23:15, Santiago Vila  wrote:
> > > 
> > > > On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > > > > Check your firewall rules.
> > > >
> > > > It can't be firewall rules. Try this to block outgoing ping:
> > > >
> > > > iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> > > >
> > > > then try to ping anywhere. You will get a different error message,
> > > > namely "Destination Port Unreachable".
> > > >
> > > > [ Why people do not read all messages in the thread before answering
> > > >   is a mystery to me ].
> > 
> > > No, that's not true, you definitely can get this very error due to
> > > something to do with the firewall, maybe it's not able to resolve the ping
> > > target rather than not able to reach the resulting host, I'm damned if I
> > > can remember the specifics but I've definitely seen this happen on an lfs
> > > box before and it was nothing to do with perms (as I said before, to your
> > > point about people not reading the whole thread...)
> > 
> > I don't understand this argument.
> > 
> > Why would ping bother to open a socket to a host it couldn't resolve?
> > 
> > I know precious little about firewall rules, but AIUI the rules
> > determine whether to respond with things like Drop, Reject, Deny.
> > Now the OP didn't manage to open a socket; that's in the error message:
> > "ping: icmp open socket: Operation not permitted"
> > So how would ping find out how the firewall was going to react to its
> > ping message without opening a socket to send something?
> 
> Did You change linux kernel, kernel modules or something lastly?

I now know even less about what you're talking about. I don't have a
problem. I have easily duplicated the OP's error message in the
following way:

$ cp -ip /bin/ping /tmp
$ /tmp/ping alum.local
ping: icmp open socket: Operation not permitted
$ /sbin/getcap /tmp/ping 
$ /sbin/getcap /bin/ping 
/bin/ping = cap_net_raw+ep
$ 

That's jessie. On wheezy:

$ ls -l /bin/ping /tmp/ping
-rwsr-xr-x 1 root  root  31104 Apr 12  2011 /bin/ping
-rwxr-xr-x 1 david david 31104 Apr 12  2011 /tmp/ping

Cheers,
David.

Re: make ping executable by normal users?

2016-06-06 Thread Reco 
On Mon, Jun 06, 2016 at 11:14:11AM -0500, David Wright wrote:
> On Mon 06 Jun 2016 at 18:47:30 (+0300), Reco wrote:
> > On Mon, Jun 06, 2016 at 03:57:47PM +0200, Santiago Vila wrote:
> > > On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > > > Check your firewall rules.
> > > 
> > > It can't be firewall rules. Try this to block outgoing ping:
> > > 
> > > iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> > > 
> > > then try to ping anywhere. You will get a different error message,
> > > namely "Destination Port Unreachable".
> > 
> > But if you transform the rule in question a little, like this:
> > 
> > iptables -I OUTPUT -p icmp --icmp-type echo-request \
> > -j REJECT --reject-with icmp-admin-prohibited
> > 
> > ping will respond with 'Operation not permitted'. An exact wording of the
> > message seems to depend on actual ping implementation.
> > 
> > So, checking firewall rules is a valid advice. It's just this particular
> > problem happens due to lack of file capabilities.
> 
> # iptables -I OUTPUT -p icmp --icmp-type echo-request -j REJECT --reject-with 
> icmp-admin-prohibited
> 
> $ ping alum.local
> PING alum.local (192.168.1.19) 56(84) bytes of data.
> >From 192.168.1.15 icmp_seq=1 Packet filtered
> >From 192.168.1.15 icmp_seq=1 Packet filtered
> >From 192.168.1.15 icmp_seq=1 Packet filtered
> >From 192.168.1.15 icmp_seq=1 Packet filtered
> >From 192.168.1.15 icmp_seq=1 Packet filtered
> >From 192.168.1.15 icmp_seq=1 Packet filtered
> >From 192.168.1.15 icmp_seq=1 Packet filtered
> >From 192.168.1.15 icmp_seq=1 Packet filtered
> >From 192.168.1.15 icmp_seq=1 Packet filtered
> >From 192.168.1.15 icmp_seq=1 Packet filtered
> >From 192.168.1.15 icmp_seq=1 Packet filtered
> ping: sendmsg: Operation not permitted
> ping: recvmsg: No route to host
> ping: recvmsg: No route to host
> ping: recvmsg: No route to host
> ping: recvmsg: No route to host
> ping: recvmsg: No route to host
> [ad infinitum]

As I wrote earlier - it depends on the implementation of a ping. For me
it looks like this:

$ dpkg -S $(which ping)
iputils-ping: /bin/ping
$ ping -c2 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

^C
--- localhost ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1007ms

Reco

Re: make ping executable by normal users?

2016-06-06 Thread David Wright 
On Mon 06 Jun 2016 at 18:47:30 (+0300), Reco wrote:
> On Mon, Jun 06, 2016 at 03:57:47PM +0200, Santiago Vila wrote:
> > On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > > Check your firewall rules.
> > 
> > It can't be firewall rules. Try this to block outgoing ping:
> > 
> > iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> > 
> > then try to ping anywhere. You will get a different error message,
> > namely "Destination Port Unreachable".
> 
> But if you transform the rule in question a little, like this:
> 
> iptables -I OUTPUT -p icmp --icmp-type echo-request \
>   -j REJECT --reject-with icmp-admin-prohibited
> 
> ping will respond with 'Operation not permitted'. An exact wording of the
> message seems to depend on actual ping implementation.
> 
> So, checking firewall rules is a valid advice. It's just this particular
> problem happens due to lack of file capabilities.

# iptables -I OUTPUT -p icmp --icmp-type echo-request -j REJECT --reject-with 
icmp-admin-prohibited

$ ping alum.local
PING alum.local (192.168.1.19) 56(84) bytes of data.
>From 192.168.1.15 icmp_seq=1 Packet filtered
>From 192.168.1.15 icmp_seq=1 Packet filtered
>From 192.168.1.15 icmp_seq=1 Packet filtered
>From 192.168.1.15 icmp_seq=1 Packet filtered
>From 192.168.1.15 icmp_seq=1 Packet filtered
>From 192.168.1.15 icmp_seq=1 Packet filtered
>From 192.168.1.15 icmp_seq=1 Packet filtered
>From 192.168.1.15 icmp_seq=1 Packet filtered
>From 192.168.1.15 icmp_seq=1 Packet filtered
>From 192.168.1.15 icmp_seq=1 Packet filtered
>From 192.168.1.15 icmp_seq=1 Packet filtered
ping: sendmsg: Operation not permitted
ping: recvmsg: No route to host
ping: recvmsg: No route to host
ping: recvmsg: No route to host
ping: recvmsg: No route to host
ping: recvmsg: No route to host
[ad infinitum]

[reboot]

Cheers,
David.

Re: make ping executable by normal users?

2016-06-06 Thread Norbert Kiszka 
Dnia 2016-06-06, pon o godzinie 11:00 -0500, David Wright pisze:
> On Mon 06 Jun 2016 at 15:27:16 (+), Mark Fletcher wrote:
> > On Mon, 6 Jun 2016 at 23:15, Santiago Vila  wrote:
> > 
> > > On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > > > Check your firewall rules.
> > >
> > > It can't be firewall rules. Try this to block outgoing ping:
> > >
> > > iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> > >
> > > then try to ping anywhere. You will get a different error message,
> > > namely "Destination Port Unreachable".
> > >
> > > [ Why people do not read all messages in the thread before answering
> > >   is a mystery to me ].
> 
> > No, that's not true, you definitely can get this very error due to
> > something to do with the firewall, maybe it's not able to resolve the ping
> > target rather than not able to reach the resulting host, I'm damned if I
> > can remember the specifics but I've definitely seen this happen on an lfs
> > box before and it was nothing to do with perms (as I said before, to your
> > point about people not reading the whole thread...)
> 
> I don't understand this argument.
> 
> Why would ping bother to open a socket to a host it couldn't resolve?
> 
> I know precious little about firewall rules, but AIUI the rules
> determine whether to respond with things like Drop, Reject, Deny.
> Now the OP didn't manage to open a socket; that's in the error message:
> "ping: icmp open socket: Operation not permitted"
> So how would ping find out how the firewall was going to react to its
> ping message without opening a socket to send something?
> 
> Cheers,
> David.
> 


Did You change linux kernel, kernel modules or something lastly?

Show output of lsmod.

Re: make ping executable by normal users?

2016-06-06 Thread David Wright 
On Mon 06 Jun 2016 at 15:27:16 (+), Mark Fletcher wrote:
> On Mon, 6 Jun 2016 at 23:15, Santiago Vila  wrote:
> 
> > On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > > Check your firewall rules.
> >
> > It can't be firewall rules. Try this to block outgoing ping:
> >
> > iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> >
> > then try to ping anywhere. You will get a different error message,
> > namely "Destination Port Unreachable".
> >
> > [ Why people do not read all messages in the thread before answering
> >   is a mystery to me ].

> No, that's not true, you definitely can get this very error due to
> something to do with the firewall, maybe it's not able to resolve the ping
> target rather than not able to reach the resulting host, I'm damned if I
> can remember the specifics but I've definitely seen this happen on an lfs
> box before and it was nothing to do with perms (as I said before, to your
> point about people not reading the whole thread...)

I don't understand this argument.

Why would ping bother to open a socket to a host it couldn't resolve?

I know precious little about firewall rules, but AIUI the rules
determine whether to respond with things like Drop, Reject, Deny.
Now the OP didn't manage to open a socket; that's in the error message:
"ping: icmp open socket: Operation not permitted"
So how would ping find out how the firewall was going to react to its
ping message without opening a socket to send something?

Cheers,
David.

Re: make ping executable by normal users?

2016-06-06 Thread Santiago Vila 
On Mon, Jun 06, 2016 at 03:27:16PM +, Mark Fletcher wrote:

> you definitely can get this very error due to something to do with
> the firewall,

Well, you can get this very error if you follow the steps I explained here:

https://lists.debian.org/msgid-search/20160602225359.gb11...@cantor.unex.es

If you provide a recipe to get that very error with firewall rules,
I will believe that it may be firewall rules, but considering that
most people do not block outgoing ping (most people do not block
outgoing traffic at all), considering that we have a way to reproduce
the exact error, and following Occam's razor, lack of capability is
the most likely reason.

Thanks.

Re: make ping executable by normal users?

2016-06-06 Thread Reco 
Hi.

On Mon, Jun 06, 2016 at 03:57:47PM +0200, Santiago Vila wrote:
> On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > Check your firewall rules.
> 
> It can't be firewall rules. Try this to block outgoing ping:
> 
> iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> 
> then try to ping anywhere. You will get a different error message,
> namely "Destination Port Unreachable".

But if you transform the rule in question a little, like this:

iptables -I OUTPUT -p icmp --icmp-type echo-request \
-j REJECT --reject-with icmp-admin-prohibited

ping will respond with 'Operation not permitted'. An exact wording of the
message seems to depend on actual ping implementation.

So, checking firewall rules is a valid advice. It's just this particular
problem happens due to lack of file capabilities.

Reco

Re: make ping executable by normal users?

2016-06-06 Thread Mark Fletcher 
On Mon, 6 Jun 2016 at 23:15, Santiago Vila  wrote:

> On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > Check your firewall rules.
>
> It can't be firewall rules. Try this to block outgoing ping:
>
> iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
>
> then try to ping anywhere. You will get a different error message,
> namely "Destination Port Unreachable".
>
> [ Why people do not read all messages in the thread before answering
>   is a mystery to me ].
>
> Thanks.
>
> No, that's not true, you definitely can get this very error due to
something to do with the firewall, maybe it's not able to resolve the ping
target rather than not able to reach the resulting host, I'm damned if I
can remember the specifics but I've definitely seen this happen on an lfs
box before and it was nothing to do with perms (as I said before, to your
point about people not reading the whole thread...)

Mark

Re: make ping executable by normal users?

2016-06-06 Thread Santiago Vila 
On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> Check your firewall rules.

It can't be firewall rules. Try this to block outgoing ping:

iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT

then try to ping anywhere. You will get a different error message,
namely "Destination Port Unreachable".

[ Why people do not read all messages in the thread before answering
  is a mystery to me ].

Thanks.

Re: make ping executable by normal users?

2016-06-05 Thread Norbert Kiszka 
Dnia 2016-06-06, pon o godzinie 10:06 +1200, Jan Bakuwel pisze:
> Hi Britton,
> 
> On 03/06/16 09:56, Britton Kerin wrote:
> > On my old debian system I could ping as a normal user.  The ping
> > binary had the suid bit set.  Now I get:
> >
> > $ ping www.google.com
> > ping: icmp open socket: Operation not permitted
> > 2 $
> >
> > presumably because the bit isn't set.
> >
> > What's the right fix?  I could setuid it but then if I understand
> > correctly it might get changed back by an upgrade.  Does it use
> > capabilites or something?
> 
> This is not you not being able to execute ping but ping not being able
> to ping.
> 
> Check your firewall rules.
> 
> cheers,
> Jan
> 

Yep. Give us result of: iptables -L

Re: make ping executable by normal users?

2016-06-05 Thread Jan Bakuwel 
Hi Britton,

On 03/06/16 09:56, Britton Kerin wrote:
> On my old debian system I could ping as a normal user.  The ping
> binary had the suid bit set.  Now I get:
>
> $ ping www.google.com
> ping: icmp open socket: Operation not permitted
> 2 $
>
> presumably because the bit isn't set.
>
> What's the right fix?  I could setuid it but then if I understand
> correctly it might get changed back by an upgrade.  Does it use
> capabilites or something?

This is not you not being able to execute ping but ping not being able
to ping.

Check your firewall rules.

cheers,
Jan

Re: make ping executable by normal users?

2016-06-02 Thread Mark Fletcher 
On Fri, 3 Jun 2016 at 06:56, Britton Kerin  wrote:

> On my old debian system I could ping as a normal user.  The ping
> binary had the suid bit set.  Now I get:
>
> $ ping www.google.com
> ping: icmp open socket: Operation not permitted
> 2 $
>
> presumably because the bit isn't set.
>
> What's the right fix?  I could setuid it but then if I understand
> correctly it might get changed back by an upgrade.  Does it use
> capabilites or something?
>
> Thanks,
> Britton
>
> Operation not permitted doesn't, contrary to appearances, automatically
mean a permissions problem. I recently built a Linux From Scratch machine
and at one point was getting that error when running ping as root. I'm now
wracking my brains to remember what the cause was.

Could you have a local firewall eg iptables that has accidentally blocked
ALL outgoing traffic? I think you can get this error if ping cannot connect
OUT of the box.

Does it happen if you run ping as root?

I've also seen this when the kernel didn't have all the right stuff
compiled in, but that's not likely to be it if you are using a Debian
kernel. Running strace on a ping attempt could diagnose that.

So check if it happens when you are root. If it does, check your internal
firewall (not your network's). If that is ok or switched off, try strace.

Mark

Re: make ping executable by normal users?

2016-06-02 Thread Santiago Vila 
On Thu, Jun 02, 2016 at 11:28:40PM +0100, Lisi Reisz wrote:

> So far as I can see, ping IS executable by normal users.  But then I have 
> only 
> got Wheezy and Jessie.  Are you using Stretch or Sid??

This is not really new in stretch. You can experiment this funny
effect in jessie as well. Try this on a jessie system:

cd /bin
mv ping ping.old
cp ping.old ping

Then ping will no longer work for an ordinary user because it lost its
"capability", that you can see with getcap this way:

getcap ping.old
getcap ping

It's a funny effect because you will never see the difference by just
doing "ls -l".

This capability may be lost, for example, if you use rsync to copy the root
filesystem to another partition with rsync and forget to use -X option.

Re: make ping executable by normal users?

2016-06-02 Thread Santiago Vila 
On Thu, Jun 02, 2016 at 01:56:08PM -0800, Britton Kerin wrote:
> On my old debian system I could ping as a normal user.  The ping
> binary had the suid bit set.  Now I get:
> 
> $ ping www.google.com
> ping: icmp open socket: Operation not permitted
> 2 $
> 
> presumably because the bit isn't set.
> 
> What's the right fix?  I could setuid it but then if I understand
> correctly it might get changed back by an upgrade.  Does it use
> capabilites or something?

Yes, it uses capabilities. The simple fix is to do this:

dpkg-reconfigure iputils-ping

Re: make ping executable by normal users?

2016-06-02 Thread Lisi Reisz 
On Thursday 02 June 2016 22:56:08 Britton Kerin wrote:
> On my old debian system I could ping as a normal user.  The ping
> binary had the suid bit set.  Now I get:
>
> $ ping www.google.com
> ping: icmp open socket: Operation not permitted
> 2 $
>
> presumably because the bit isn't set.
>
> What's the right fix?  I could setuid it but then if I understand
> correctly it might get changed back by an upgrade.  Does it use
> capabilites or something?

So far as I can see, ping IS executable by normal users.  But then I have only 
got Wheezy and Jessie.  Are you using Stretch or Sid??

Lisi

make ping executable by normal users?

2016-06-02 Thread Britton Kerin 
On my old debian system I could ping as a normal user.  The ping
binary had the suid bit set.  Now I get:

$ ping www.google.com
ping: icmp open socket: Operation not permitted
2 $

presumably because the bit isn't set.

What's the right fix?  I could setuid it but then if I understand
correctly it might get changed back by an upgrade.  Does it use
capabilites or something?

Thanks,
Britton