Your message dated Mon, 10 Feb 2025 10:18:41 +0000
with message-id <[email protected]>
and subject line Re: smokeping: default config won't successfully ping
localhost due to fping permissions
has caused the Debian Bug report #1092930,
regarding smokeping: default config won't successfully ping localhost due to
fping permissions
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1092930: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092930
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: smokeping
Version: 2.7.3-4.1
Severity: important
Hi folks,
Out of the box, smokeping is configured to use fping, and to ping
localhost by default.
This won't work without manual intervention because fping requires
privileges: it's not set suid, and the smokeping system service runs
as user:smokeping (since 2.7.3-2). Fping docs says it needs CAP_NET_RAW
(or the running GID to be in /proc/sys/net/ipv4/ping_group_range)
This worked by accident, I guess, in 2.7.3-1 when the service ran as
root. I'm not sure about earlier. I had a working install from an older
version (possibly 2.7.3-1) which has been broken since, and I've
reproduced the OOTB behaviour after a purge in preparing this bug
report.
At the very least, I think users should be given a clue about ways to
solve this themselves, but ideally, the default config would do
something useful OOTB.
If you add AmbientCapabilities=CAP_NET_RAW to the systemd unit, it can
invoke fping properly without being root.
--- End Message ---
--- Begin Message ---
Hi Gabriel,
Thanks for taking the time to dig into my problem!
On Sun Feb 9, 2025 at 7:07 PM GMT, Gabriel Filion wrote:
From what I can see in the VM, fping was already setup with
cap_net_raw directly on it:
snip
and if I understand correctly, it was set in place by fping's postinst
script:
https://sources.debian.org/src/fping/5.1-1/debian/postinst/#L9
Hmm! Thanks for the investigation. Since the fping package _should_ have
the capability set, it's reasonable for the smokeping package to assume
it is, and if there's any bug to fix it would therefore be in the fping
package.
By the version of the package in the report, I'm guessing your system is
running bookworm. Was your system upgraded from bullseye? I'm trying to
understand how you could end up without the capability set, this way we
can know more precisely what we could add to a file in
/usr/share/doc/smokeping/
Indeed I upgraded from bullseye and likely from buster before that. When
I first installed it (as a dependency of smokeping) things were working.
However I have migrated my root FS onto a different drive at least once
since then. It's possible I did not copy over file extended attributes,
which would have stripped the capabilities (they're not copied by "rsync
-a" which is my habitual mirror command). /bin/ping still has them, but
that package has been updated since I migrated the filesystem, which
might have restored the capabilities.
I don't think I can easily determine exactly what happened, but it's
quite likely I've inadvertently stripped fping's capabilities myself.
I'll therefore close this bug.
Best wishes,
--
👱🏻 Jonathan Dowland
✎ [email protected]
🔗 https://jmtd.net
--- End Message ---
