Hi,

On Mon, Jan 02, 2023 at 12:01:54PM -0800, Noah Meyerhans wrote:
> See bug #1008281 for context. [1]
>
> The proposal is to install /usr/lib/sysctl.d/iputils-ping.conf with the
> following content:
> net.ipv4.ping_group_range="0 2147483647"
>
> With that in place, unprivileged users are able to execute ping for both
> IPv4 and IPv6 targets without cap_net_raw (currently set as either a
> file-based attribute on the ping binary or acquired via setuid). But
> since that applies system-wide, not just to the ping binary, there may
> be objections.
As much as I like unprivileged operation, I think this change may expand
privileges beyond what we expect. At present, ping limits an unprivileged
user to a minimum spacing of 2ms and prevents a flood ping. Of course a
user can just run multiple ping processes in parallel to overcome this
limitation.

I'm posting this, because I think this argument has been missed in the
discussion. I consider this argument to be vaguely weak and not
significantly affecting the course of action.

Helmut
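As an added example that is not part of this thread, the C program below parses a net.ipv4.ping_group_range value the way the kernel reads it (inclusive low <= gid <= high, the default "1 0" being an empty range) and then shows what that setting means in practice: whether the caller's gid is in range and whether an unprivileged SOCK_DGRAM/IPPROTO_ICMP socket, the path ping uses without cap_net_raw, can actually be opened. Function names are my own.

```c
/* Added example, not iputils code: check a gid against ping_group_range. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Parse "low high" (whitespace separated, as in sysctl.d or /proc).
 * Returns 0 on success, -1 if either number is missing or malformed. */
static int parse_ping_group_range(const char *s, long *low, long *high)
{
    char *e1, *e2;
    errno = 0;
    *low = strtol(s, &e1, 10);
    *high = strtol(e1, &e2, 10);
    return (e1 == s || e2 == e1 || errno) ? -1 : 0;
}

/* 1 if gid may open ICMP datagram sockets under this range, else 0. The
 * kernel also accepts supplementary groups; only one gid is checked here. */
static int gid_in_ping_range(const char *range, long gid)
{
    long low, high;
    if (parse_ping_group_range(range, &low, &high) != 0) return 0;
    return low <= gid && gid <= high;
}

int main(void)
{
    char buf[64] = "1 0";   /* kernel default, used if /proc is unreadable */
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (f && fgets(buf, sizeof buf, f) == NULL) strcpy(buf, "1 0");
    if (f) fclose(f);
    /* The socket succeeds exactly when one of the caller's groups is in
     * range; with the default "1 0" an unprivileged process gets EACCES. */
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    printf("gid %ld in range: %d, ICMP datagram socket: %s\n", (long)getgid(),
           gid_in_ping_range(buf, (long)getgid()),
           fd >= 0 ? "ok" : strerror(errno));
    if (fd >= 0) close(fd);
    return 0;
}
```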