retitle 458723 traceroute provides tcptraceroute alternative while not setuid root
reassign 458723 traceroute
affects 458723 gnome-nettool
found 458723 2.0.13-4
thanks

On Tue, Apr 29, 2008 at 11:20:43PM +0200, Sven Arvidsson wrote:
> On Wed, 2008-01-02 at 14:00 +0100, Ralph Aichinger wrote:
> > When I start gnome-nettool as a normal user, and try to use the
> > traceroute tab, the following happens: Trace button turns red,
> > status bar looks as if the program does something, and then nothing.
> > No error message whatsoever.
> >
> > Only when I start gnome-nettool from a terminal I get the following
> > message in the terminal:
> >
> > The specified type of tracerouting is allowed for superuser only
> >
> > Most users using gnome-nettool will not start it from the terminal
> > and will therefore be confused.
> >
> > *And* there are ways of tracerouting that normal users are allowed
> > to do. Why are these not used?
>
> The error message actually comes from tcptraceroute.
>
> gnome-nettool can use either tcptraceroute or traceroute, but prefers
> the first one.

When tcptraceroute is installed, everything works fine as the binary is
setuid (as mentioned by https://bugzilla.gnome.org/show_bug.cgi?id=582848#c1).

However, when tcptraceroute is *not* installed, traceroute provides a
tcptraceroute alternative, with different features and interface.

lrwxrwxrwx 1 root root 25 fév 27 19:28 /etc/alternatives/tcptraceroute -> /usr/bin/tcptraceroute.db
lrwxrwxrwx 1 root root 31 fév 22 2009 /usr/bin/tcptraceroute -> /etc/alternatives/tcptraceroute
-rwxr-xr-x 1 root root 1476 jun 20 2008 /usr/bin/tcptraceroute.db

dpkg -S /usr/bin/tcptraceroute.db
traceroute: /usr/bin/tcptraceroute.db

But this shell wrapper uses the -T option to use TCP SYN for probes
(opts="-T"), while the traceroute binary is *not* setuid.

-rwxr-xr-x 1 root root 41008 jun 20 2008 /usr/bin/traceroute.db

As a consequence, without tcptraceroute package, we get:

/usr/bin/tcptraceroute -q 2 -m 40 194.109.137.218
The specified type of tracerouting is allowed for superuser only

For consistency, I'd vote for setting traceroute setuid (2nd option: stop
providing tcptraceroute alternative with traceroute).

-- 
Simon Paillard
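
Added example, not part of the original message or of either package: a shell check that follows the alternatives symlink chain shown in the listing and reports whether the file it ends at is setuid or the unprivileged `-T` wrapper. The function names, the heuristic that matches `opts="-T`, and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find out what a traceroute-style command really runs.

# Follow a symlink chain hop by hop (as /etc/alternatives does) and print
# the final path. Stops after 16 hops to avoid looping forever.
resolve_chain() {
    rc_path=$1 rc_hops=0
    while [ -L "$rc_path" ] && [ "$rc_hops" -lt 16 ]; do
        rc_next=$(readlink "$rc_path")
        case $rc_next in
            /*) rc_path=$rc_next ;;                        # absolute target
            *)  rc_path=$(dirname "$rc_path")/$rc_next ;;  # relative target
        esac
        rc_hops=$((rc_hops + 1))
    done
    printf '%s\n' "$rc_path"
}

# Print one of: missing, setuid, unprivileged-tcp-wrapper, unprivileged.
# Heuristic (assumption): a "#!" script containing opts="-T is the TCP
# wrapper described in the message.
classify_tool() {
    ct_target=$(resolve_chain "$1")
    [ -e "$ct_target" ] || { echo missing; return 1; }
    if [ -u "$ct_target" ]; then
        echo setuid
    elif [ "$(head -c 2 "$ct_target" 2>/dev/null)" = '#!' ] &&
         grep -q 'opts="-T' "$ct_target" 2>/dev/null; then
        echo unprivileged-tcp-wrapper
    else
        echo unprivileged
    fi
}

# Constructed sample tree mirroring the listing in the message.
build_sample() {
    bs_root=$(mktemp -d)
    mkdir -p "$bs_root/usr/bin" "$bs_root/etc/alternatives"
    printf '#!/bin/sh\nopts="-T"\nexec traceroute $opts "$@"\n' \
        > "$bs_root/usr/bin/tcptraceroute.db"
    ln -s "$bs_root/usr/bin/tcptraceroute.db" "$bs_root/etc/alternatives/tcptraceroute"
    ln -s "$bs_root/etc/alternatives/tcptraceroute" "$bs_root/usr/bin/tcptraceroute"
    printf '%s\n' "$bs_root"
}

sample=$(build_sample)
echo "sample: $(classify_tool "$sample/usr/bin/tcptraceroute")"
# On a real host, check the installed command the same way.
if [ -e /usr/bin/tcptraceroute ]; then echo "host: $(classify_tool /usr/bin/tcptraceroute)"; fi
rm -rf "$sample"
```

A result of `unprivileged-tcp-wrapper` for the command a front end prefers matches the failing configuration reported here.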

