Re: [ptxdist] [PATCH v2] iputils: update s20121221 -> s20161105
On Wed, Jan 25, 2017 at 12:13:59AM +0100, Clemens Gruber wrote: > The current version of iputils ping can handle IPv4 and IPv6 but > requires a crypto library dependency for ICMPv6 NI queries. > Add all possible choices: libgcrypt, nettle, openssl or none > > tracepath works with IPv4 as well as IPv6 and it does not have to run as > root. > traceroute6 only works with IPv6 and requires superuser privileges. > > Signed-off-by: Clemens GruberThanks, applied, Michael > --- > rules/iputils.in | 71 > +- > rules/iputils.make | 18 -- > 2 files changed, 55 insertions(+), 34 deletions(-) > > diff --git a/rules/iputils.in b/rules/iputils.in > index 99105f75f..769f2ceb2 100644 > --- a/rules/iputils.in > +++ b/rules/iputils.in > @@ -3,10 +3,11 @@ > menuconfig IPUTILS > tristate > prompt "iputils " > - select LIBC_RESOLV if IPUTILS_PING6 > - select LIBCAP if IPUTILS_ARPING || IPUTILS_PING || > IPUTILS_PING6 || IPUTILS_TRACEROUTE6 || IPUTILS_CLOCKDIFF > - select GNUTLS if IPUTILS_PING6 > - select GNUTLS_OPENSSL if IPUTILS_PING6 > + select LIBC_RESOLV if IPUTILS_PING > + select LIBCAP if IPUTILS_ARPING || IPUTILS_PING || > IPUTILS_TRACEROUTE6 || IPUTILS_CLOCKDIFF > + select LIBGCRYPTif IPUTILS_GCRYPT > + select NETTLE if IPUTILS_NETTLE > + select OPENSSL if IPUTILS_OPENSSL > help > The iputils package is set of small useful utilities for Linux > networking. 
> @@ -36,11 +37,10 @@ config IPUTILS_PING > depends on (!BUSYBOX_PING && !INETUTILS_PING) || ALLYES > prompt "ping" > help > - The ping command uses the ICMP protocol's mandatory ECHO_REQUEST > datagram > - to elicit an ICMP ECHO_RESPONSE from a host or gateway. ECHO_REQUEST > - datagrams pings have an IP and ICMP header, followed by a struct > - timeval and then an arbitrary number of pad bytes used to fill out > - the packet. > + ping uses the ICMP protocols mandatory ECHO_REQUEST datagram to elicit > + an ICMP ECHO_RESPONSE from a host or gateway. > + It works with both IPv4 and IPv6. Using only one of them explicitly > can > + be enforced by specifying -4 or -6. > > comment "inetutils' ping is selected!" > depends on INETUTILS_PING 
> @@ -48,21 +48,38 @@ comment "inetutils' ping is selected!" > comment "BusyBox' ping is selected!" > depends on BUSYBOX_PING > > -config IPUTILS_PING6 > - bool > - depends on (!BUSYBOX_PING6 && !INETUTILS_PING6) || ALLYES > - prompt "ping6" > - depends on GLOBAL_IPV6 > +if GLOBAL_IPV6 > + > +choice > + prompt "crypto library to be used for ping -N" > + default IPUTILS_NOCRYPTO > + depends on IPUTILS_PING > help > - The ping6 command is IPv6 version of ping, and can also send Node > - Information Queries (RFC4620). Intermediate hops may not be allowed, > - because IPv6 source routing was deprecated (RFC5095). > + Selecting a crypto library is necessary for ping to support > + sending IPv6 Node Information Queries (RFC 4620). > + > + config IPUTILS_NOCRYPTO > + bool > + prompt "none" > + help > + No crypto library is used. This means that ping -N > + won't work. > + > + config IPUTILS_GCRYPT > + bool > + prompt "libgcrypt" > + > + config IPUTILS_NETTLE > + bool > + prompt "nettle" > > -comment "inetutils' ping6 is selected!" > -depends on INETUTILS_PING6 > + config IPUTILS_OPENSSL > + bool > + prompt "openssl" > > -comment "BusyBox' ping6 is selected!" > -depends on BUSYBOX_PING6 > +endchoice > + > +endif > > config IPUTILS_RARPD > bool > @@ -98,12 +115,9 @@ config IPUTILS_TRACEPATH > bool > prompt "tracepath" > help > - > -config IPUTILS_TRACEPATH6 > - bool > - prompt "tracepath6" > - depends on GLOBAL_IPV6 > - help > + tracepath traces the path to a network host discovering the MTU along > + this path. Because it uses UDP for tracing, it does not need superuser > + privileges like traceroute6. tracepath works for both IPv4 and IPv6. > > config IPUTILS_TRACEROUTE6 > bool 
> @@ -111,6 +125,9 @@ config IPUTILS_TRACEROUTE6 > prompt "traceroute6" > depends on GLOBAL_IPV6 > help > + traceroute6 tracks the route packets take from an IP network on their > + way to a given host. Supports UDP, ICMP and TCP for tracing and works > + for IPv6 only. > > comment "BusyBox' traceroute6 is selected!" > depends on BUSYBOX_TRACEROUTE6 > diff --git a/rules/iputils.make b/rules/iputils.make > index dc93d5cbb..9bd68fb45 100644 > ---
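Review bot: in the first hunk of rules/iputils.in (@@ -3,10 +3,11 @@), `select LIBC_RESOLV if IPUTILS_PING` now applies to every ping build, where the removed line tied it to IPUTILS_PING6 and therefore to IPv6. If the resolver is only needed on the IPv6 path, add the same GLOBAL_IPV6 condition that guards the new crypto choice. Also check `select LIBGCRYPTif IPUTILS_GCRYPT` as it appears here: there is no separator before `if`, unlike the NETTLE and OPENSSL lines next to it.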
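Review bot: the new ping help text in the @@ -36,11 +37,10 @@ hunk loses the apostrophe that the removed line had: `ICMP protocols mandatory ECHO_REQUEST` should read `ICMP protocol's mandatory ECHO_REQUEST`. The last sentence, `Using only one of them explicitly can be enforced by specifying -4 or -6`, would be clearer as "Use -4 or -6 to force one of them."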
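Review bot: in the crypto `choice` added by the @@ -48,21 +48,38 @@ hunk, only IPUTILS_NOCRYPTO has help text; IPUTILS_GCRYPT, IPUTILS_NETTLE and IPUTILS_OPENSSL have none, so the menu never says that each of them adds a crypto library to the image solely for `ping -N`. The same hunk removes the `!BUSYBOX_PING6 && !INETUTILS_PING6` guard together with IPUTILS_PING6, while the IPUTILS_PING dependency shown in the previous hunk only excludes BUSYBOX_PING and INETUTILS_PING. Please confirm that the IPv6-capable iputils ping cannot collide with a ping6 installed by those packages, or carry the guard over.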
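Review bot: the tracepath help added in the @@ -98,12 +115,9 @@ hunk says it "does not need superuser privileges like traceroute6", which can be read as saying that traceroute6 does not need them either. "Unlike traceroute6, it does not need superuser privileges" is unambiguous. The hunk also drops IPUTILS_TRACEPATH6; any remaining reference to that symbol outside the visible lines needs to go with it.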
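Review bot: the traceroute6 help text in the @@ -111,6 +125,9 @@ hunk leaves out the privilege requirement that the commit message states and that the tracepath help relies on for its comparison. Say in this help text that the binary needs superuser privileges to run, since that is what someone choosing between tracepath and traceroute6 has to know; the first hunk already selects LIBCAP for IPUTILS_TRACEROUTE6.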
Re: [ptxdist] [PATCH v2] iputils: update s20121221 -> s20161105
Hi,

On Thu, Jan 26, 2017 at 11:47:11AM +0100, Marc Kleine-Budde wrote:
> On 01/26/2017 11:40 AM, Michael Olbrich wrote:
> > On Wed, Jan 25, 2017 at 07:41:42AM +0100, Uwe Kleine-König wrote:
> >> On Wed, Jan 25, 2017 at 12:13:59AM +0100, Clemens Gruber wrote:
> >>> The current version of iputils ping can handle IPv4 and IPv6 but
> >>> requires a crypto library dependency for ICMPv6 NI queries.
> >>> Add all possible choices: libgcrypt, nettle, openssl or none
> >>>
> >>> tracepath works with IPv4 as well as IPv6 and it does not have to run as
> >>> root.
> >>> traceroute6 only works with IPv6 and requires superuser privileges.
> >>
> >> on Debian traceroute6.iputils isn't setuid root and works for me. It has
> >> caps set however:
> >>
> >>   $ ls -l /usr/bin/traceroute6.iputils
> >>   -rwxr-xr-x 1 root root 18936 Nov 10 07:23 /usr/bin/traceroute6.iputils
> >>
> >>   $ /sbin/getcap /usr/bin/traceroute6.iputils
> >>   /usr/bin/traceroute6.iputils = cap_net_raw+ep
> >>
> >> Would that work here, too?
> >
> > In theory yes, but I think our image generation tools cannot handle this.
>
> mk2fs from e2fsprogs can generate images with extended attributes. I
> used it to build images with ima/evm attributes.

OK, but we should probably do this in a separate patch and maybe not only for traceroute6 but for all binaries for which ptxdist currently sets the setuid bit? (ping in inetutils, mtr, pppd, gst-ptp-helper in gstreamer1, ..)

Thanks,
Clemens

___
ptxdist mailing list
ptxdist@pengutronix.de
Re: [ptxdist] [PATCH v2] iputils: update s20121221 -> s20161105
On 01/26/2017 11:40 AM, Michael Olbrich wrote:
> On Wed, Jan 25, 2017 at 07:41:42AM +0100, Uwe Kleine-König wrote:
>> On Wed, Jan 25, 2017 at 12:13:59AM +0100, Clemens Gruber wrote:
>>> The current version of iputils ping can handle IPv4 and IPv6 but
>>> requires a crypto library dependency for ICMPv6 NI queries.
>>> Add all possible choices: libgcrypt, nettle, openssl or none
>>>
>>> tracepath works with IPv4 as well as IPv6 and it does not have to run as
>>> root.
>>> traceroute6 only works with IPv6 and requires superuser privileges.
>>
>> on Debian traceroute6.iputils isn't setuid root and works for me. It has
>> caps set however:
>>
>>   $ ls -l /usr/bin/traceroute6.iputils
>>   -rwxr-xr-x 1 root root 18936 Nov 10 07:23 /usr/bin/traceroute6.iputils
>>
>>   $ /sbin/getcap /usr/bin/traceroute6.iputils
>>   /usr/bin/traceroute6.iputils = cap_net_raw+ep
>>
>> Would that work here, too?
>
> In theory yes, but I think our image generation tools cannot handle this.

mk2fs from e2fsprogs can generate images with extended attributes. I used it to build images with ima/evm attributes.

Marc

--
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax: +49-5121-206917-       |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |
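The `cap_net_raw+ep` that getcap prints in the quoted Debian output is stored in the file's `security.capability` extended attribute, which is why the thread turns to whether the image tools keep extended attributes. As an added example (not from the thread or from ptxdist), the following decodes that attribute and classifies root-filesystem entries as setuid, capability-bearing or unprivileged; the function names, the manifest layout and the sample paths are assumptions made for the illustration.

```python
import stat
import struct

# Values from the Linux UAPI header <linux/capability.h>.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> (count of 32-bit permitted/inheritable pairs, trailing rootid?)
REVISIONS = {0x01000000: (1, False), 0x02000000: (2, False), 0x03000000: (2, True)}
CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw"}  # subset for this example

def cap_names(mask):
    return [CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if (mask >> b) & 1]

def decode_file_caps(xattr):
    """Decode the raw value of a security.capability extended attribute."""
    if len(xattr) < 4:
        raise ValueError("truncated security.capability value")
    (magic_etc,) = struct.unpack_from("<I", xattr, 0)
    rev = magic_etc & VFS_CAP_REVISION_MASK
    if rev not in REVISIONS:
        raise ValueError("unknown capability revision %#x" % rev)
    pairs, has_rootid = REVISIONS[rev]
    if len(xattr) != 4 + 8 * pairs + (4 if has_rootid else 0):
        raise ValueError("length does not match revision %#x" % rev)
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", xattr, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"permitted": cap_names(permitted), "inheritable": cap_names(inheritable),
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)}

def audit(entries):
    """Classify (path, st_mode, xattr-or-None) entries of a root filesystem."""
    report = {}
    for path, mode, xattr in entries:
        if mode & stat.S_ISUID:
            report[path] = "setuid"
        elif xattr is not None:
            report[path] = "caps:" + ",".join(decode_file_caps(xattr)["permitted"])
        else:
            report[path] = "unprivileged"
    return report

# Constructed sample: the revision-2 value that getcap prints as cap_net_raw+ep.
NET_RAW_EP = struct.pack("<IIIII", 0x02000000 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 13, 0, 0, 0)
# Constructed manifest; paths and modes are illustrative, not taken from ptxdist.
SAMPLE = [("/usr/bin/traceroute6", 0o100755, NET_RAW_EP),
          ("/usr/bin/ping", 0o104755, None), ("/usr/bin/tracepath", 0o100755, None)]
```

On a live Linux system the raw value can be read with `os.getxattr(path, "security.capability")` and passed to `decode_file_caps`.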
Re: [ptxdist] [PATCH v2] iputils: update s20121221 -> s20161105
On Wed, Jan 25, 2017 at 07:41:42AM +0100, Uwe Kleine-König wrote:
> On Wed, Jan 25, 2017 at 12:13:59AM +0100, Clemens Gruber wrote:
> > The current version of iputils ping can handle IPv4 and IPv6 but
> > requires a crypto library dependency for ICMPv6 NI queries.
> > Add all possible choices: libgcrypt, nettle, openssl or none
> >
> > tracepath works with IPv4 as well as IPv6 and it does not have to run as
> > root.
> > traceroute6 only works with IPv6 and requires superuser privileges.
>
> on Debian traceroute6.iputils isn't setuid root and works for me. It has
> caps set however:
>
>   $ ls -l /usr/bin/traceroute6.iputils
>   -rwxr-xr-x 1 root root 18936 Nov 10 07:23 /usr/bin/traceroute6.iputils
>
>   $ /sbin/getcap /usr/bin/traceroute6.iputils
>   /usr/bin/traceroute6.iputils = cap_net_raw+ep
>
> Would that work here, too?

In theory yes, but I think our image generation tools cannot handle this.

Michael

--
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax: +49-5121-206917-       |
Re: [ptxdist] [PATCH v2] iputils: update s20121221 -> s20161105
Hello,

On Wed, Jan 25, 2017 at 12:13:59AM +0100, Clemens Gruber wrote:
> The current version of iputils ping can handle IPv4 and IPv6 but
> requires a crypto library dependency for ICMPv6 NI queries.
> Add all possible choices: libgcrypt, nettle, openssl or none
>
> tracepath works with IPv4 as well as IPv6 and it does not have to run as
> root.
> traceroute6 only works with IPv6 and requires superuser privileges.

on Debian traceroute6.iputils isn't setuid root and works for me. It has caps set however:

  $ ls -l /usr/bin/traceroute6.iputils
  -rwxr-xr-x 1 root root 18936 Nov 10 07:23 /usr/bin/traceroute6.iputils

  $ /sbin/getcap /usr/bin/traceroute6.iputils
  /usr/bin/traceroute6.iputils = cap_net_raw+ep

Would that work here, too?

Best regards
Uwe

--
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |