Re: [ptxdist] [PATCH v2] iputils: update s20121221 -> s20161105

2017-03-10 Thread Michael Olbrich
On Wed, Jan 25, 2017 at 12:13:59AM +0100, Clemens Gruber wrote:
> The current version of iputils ping can handle IPv4 and IPv6 but
> requires a crypto library dependency for ICMPv6 NI queries.
> Add all possible choices: libgcrypt, nettle, openssl or none
> 
> tracepath works with IPv4 as well as IPv6 and it does not have to run as
> root.
> traceroute6 only works with IPv6 and requires superuser privileges.
> 
> Signed-off-by: Clemens Gruber 

Thanks, applied,

Michael

> ---
>  rules/iputils.in   | 71 
> +-
>  rules/iputils.make | 18 --
>  2 files changed, 55 insertions(+), 34 deletions(-)
> 
> diff --git a/rules/iputils.in b/rules/iputils.in
> index 99105f75f..769f2ceb2 100644
> --- a/rules/iputils.in
> +++ b/rules/iputils.in
> @@ -3,10 +3,11 @@
>  menuconfig IPUTILS
>   tristate
>   prompt "iputils   "
> - select LIBC_RESOLV  if IPUTILS_PING6
> - select LIBCAP   if IPUTILS_ARPING || IPUTILS_PING || 
> IPUTILS_PING6 || IPUTILS_TRACEROUTE6 || IPUTILS_CLOCKDIFF
> - select GNUTLS   if IPUTILS_PING6
> - select GNUTLS_OPENSSL   if IPUTILS_PING6
> + select LIBC_RESOLV  if IPUTILS_PING
> + select LIBCAP   if IPUTILS_ARPING || IPUTILS_PING || 
> IPUTILS_TRACEROUTE6 || IPUTILS_CLOCKDIFF
> + select LIBGCRYPTif IPUTILS_GCRYPT
> + select NETTLE   if IPUTILS_NETTLE
> + select OPENSSL  if IPUTILS_OPENSSL
>   help
> The iputils package is set of small useful utilities for Linux
> networking.
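Review bot: `select LIBC_RESOLV if IPUTILS_PING` now pulls in libresolv for every ping build, whereas the removed line did so only for IPUTILS_PING6, which depended on GLOBAL_IPV6. If only the IPv6 code path needs the resolver, `select LIBC_RESOLV if IPUTILS_PING && GLOBAL_IPV6` keeps IPv4-only images unchanged; if the unified ping always links it, please say so in the commit message. The commit message also does not mention that the two GNUTLS selects are dropped here.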
> @@ -36,11 +37,10 @@ config IPUTILS_PING
>   depends on (!BUSYBOX_PING && !INETUTILS_PING) || ALLYES
>   prompt "ping"
>   help
> -   The ping command uses the ICMP protocol's mandatory ECHO_REQUEST 
> datagram
> -   to elicit an ICMP ECHO_RESPONSE from a host or gateway. ECHO_REQUEST
> -   datagrams pings have an IP and ICMP header, followed by a struct
> -   timeval and then an arbitrary number of pad bytes used to fill out
> -   the packet.
> +   ping uses the ICMP protocols mandatory ECHO_REQUEST datagram to elicit
> +   an ICMP ECHO_RESPONSE from a host or gateway.
> +   It works with both IPv4 and IPv6. Using only one of them explicitly 
> can
> +   be enforced by specifying -4 or -6.
>  
>  comment "inetutils' ping is selected!"
>  depends on INETUTILS_PING
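Review bot: in the new IPUTILS_PING help text, "ICMP protocols mandatory" lost the apostrophe that the removed text had ("ICMP protocol's mandatory"); please restore it. Since `ping -N` now depends on the crypto library choice added further down, one sentence here pointing at that choice would help someone reading only this entry.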
> @@ -48,21 +48,38 @@ comment "inetutils' ping is selected!"
>  comment "BusyBox' ping is selected!"
>  depends on BUSYBOX_PING
>  
> -config IPUTILS_PING6
> - bool
> - depends on (!BUSYBOX_PING6 && !INETUTILS_PING6) || ALLYES
> - prompt "ping6"
> - depends on GLOBAL_IPV6
> +if GLOBAL_IPV6
> +
> +choice
> + prompt "crypto library to be used for ping -N"
> + default IPUTILS_NOCRYPTO
> + depends on IPUTILS_PING
>   help
> -   The ping6 command is IPv6 version of ping, and can also send Node
> -   Information Queries (RFC4620). Intermediate hops may not be allowed,
> -   because IPv6 source routing was deprecated (RFC5095).
> +   Selecting a crypto library is necessary for ping to support
> +   sending IPv6 Node Information Queries (RFC 4620).
> +
> + config IPUTILS_NOCRYPTO
> + bool
> + prompt "none"
> + help
> +   No crypto library is used. This means that ping -N
> +   won't work.
> +
> + config IPUTILS_GCRYPT
> + bool
> + prompt "libgcrypt"
> +
> + config IPUTILS_NETTLE
> + bool
> + prompt "nettle"
>  
> -comment "inetutils' ping6 is selected!"
> -depends on INETUTILS_PING6
> + config IPUTILS_OPENSSL
> + bool
> + prompt "openssl"
>  
> -comment "BusyBox' ping6 is selected!"
> -depends on BUSYBOX_PING6
> +endchoice
> +
> +endif
>  
>  config IPUTILS_RARPD
>   bool
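Review bot: removing IPUTILS_PING6 also removes the `depends on (!BUSYBOX_PING6 && !INETUTILS_PING6) || ALLYES` guard and both "ping6 is selected!" comments, and IPUTILS_PING only excludes BUSYBOX_PING and INETUTILS_PING. If rules/iputils.make still installs anything under the ping6 name, IPUTILS_PING needs the same guard, otherwise two packages can ship that file. Smaller point: IPUTILS_GCRYPT, IPUTILS_NETTLE and IPUTILS_OPENSSL have no help text, while IPUTILS_NOCRYPTO does.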
> @@ -98,12 +115,9 @@ config IPUTILS_TRACEPATH
>   bool
>   prompt "tracepath"
>   help
> -
> -config IPUTILS_TRACEPATH6
> - bool
> - prompt "tracepath6"
> - depends on GLOBAL_IPV6
> - help
> +   tracepath traces the path to a network host discovering the MTU along
> +   this path. Because it uses UDP for tracing, it does not need superuser
> +   privileges like traceroute6. tracepath works for both IPv4 and IPv6.
>  
>  config IPUTILS_TRACEROUTE6
>   bool
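Review bot: in the IPUTILS_TRACEPATH help, "it does not need superuser privileges like traceroute6" can be read as saying traceroute6 needs none either; "unlike traceroute6, it does not need superuser privileges" is unambiguous. The hunk also deletes IPUTILS_TRACEPATH6 without a replacement symbol, so the commit message should say whether a tracepath6 name is still installed for existing users of that option.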
> @@ -111,6 +125,9 @@ config IPUTILS_TRACEROUTE6
>   prompt "traceroute6"
>   depends on GLOBAL_IPV6
>   help
> +   traceroute6 tracks the route packets take from an IP network on their
> +   way to a given host. Supports UDP, ICMP and TCP for tracing and works
> +   for IPv6 only.
>  
>  comment "BusyBox' traceroute6 is selected!"
>  depends on BUSYBOX_TRACEROUTE6
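Review bot: the new IPUTILS_TRACEROUTE6 help omits the privilege requirement that the commit message states ("requires superuser privileges") and that the tracepath help refers to. Adding a sentence that the binary needs superuser privileges would let someone choosing between tracepath and traceroute6 in menuconfig see that cost where the option is selected.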
> diff --git a/rules/iputils.make b/rules/iputils.make
> index dc93d5cbb..9bd68fb45 100644
> --- 

Re: [ptxdist] [PATCH v2] iputils: update s20121221 -> s20161105

2017-01-28 Thread Clemens Gruber
Hi,

On Thu, Jan 26, 2017 at 11:47:11AM +0100, Marc Kleine-Budde wrote:
> On 01/26/2017 11:40 AM, Michael Olbrich wrote:
> > On Wed, Jan 25, 2017 at 07:41:42AM +0100, Uwe Kleine-König wrote:
> >> On Wed, Jan 25, 2017 at 12:13:59AM +0100, Clemens Gruber wrote:
> >>> The current version of iputils ping can handle IPv4 and IPv6 but
> >>> requires a crypto library dependency for ICMPv6 NI queries.
> >>> Add all possible choices: libgcrypt, nettle, openssl or none
> >>>
> >>> tracepath works with IPv4 as well as IPv6 and it does not have to run as
> >>> root.
> >>> traceroute6 only works with IPv6 and requires superuser privileges.
> >>
> >> on Debian traceroute6.iputils isn't setuid root and works for me. It has
> >> caps set however:
> >>
> >>$ ls -l /usr/bin/traceroute6.iputils
> >>-rwxr-xr-x 1 root root 18936 Nov 10 07:23 /usr/bin/traceroute6.iputils
> >>
> >>$ /sbin/getcap /usr/bin/traceroute6.iputils
> >>/usr/bin/traceroute6.iputils = cap_net_raw+ep
> >>
> >> Would that work here, too?
> > 
> > In theory yes, but I think our image generation tools cannot handle this.
> 
> mk2fs from e2fsprogs can generate images with extended attributes. I
> used it to build images with ima/evm attributes.

OK, but we should probably do this in a separate patch and maybe not
only for traceroute6 but for all binaries for which ptxdist currently sets
the setuid bit?
(ping in inetutils, mtr, pppd, gst-ptp-helper in gstreamer1, ..)

Thanks,
Clemens

___
ptxdist mailing list
ptxdist@pengutronix.de
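
An added example, not part of the thread or of ptxdist: a shell script that inventories the setuid executables in a staged root filesystem and reports the file capabilities each one carries, which is the list needed before moving binaries such as traceroute6 from setuid root to `cap_net_raw+ep`. The function names and the sample tree are constructed for illustration; `getcap` is used only if it is installed on the build host.

```shell
#!/bin/sh
# Audit a staged target root filesystem: list setuid executables and the
# file capabilities they carry, to plan a setuid -> capabilities migration.

# Print setuid regular files below ROOT as target paths, sorted.
list_setuid() {
    (cd "$1" && find . -xdev -type f -perm -4000 -print) | sed 's|^\.||' | sort
}

# Print the capability set of FILE, "none" if it has no file capabilities,
# or "unknown" when getcap (libcap) is not available on the build host.
caps_of() {
    command -v getcap >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(getcap "$1" 2>/dev/null) || true
    [ -n "$out" ] || { echo none; return 0; }
    # getcap prints "FILE = caps" (older libcap) or "FILE caps" (newer).
    out=${out#"$1"}; out=${out# = }; out=${out# }
    echo "$out"
}

# One report line per setuid binary: "<path> setuid caps=<caps>".
audit_rootfs() {
    list_setuid "$1" | while IFS= read -r p; do
        echo "$p setuid caps=$(caps_of "$1$p")"
    done
}

# Constructed sample tree standing in for a staged rootfs.
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
mkdir -p "$sample/usr/bin"
: > "$sample/usr/bin/traceroute6"; chmod 4755 "$sample/usr/bin/traceroute6"
: > "$sample/usr/bin/tracepath";   chmod 0755 "$sample/usr/bin/tracepath"
audit_rootfs "$sample"
```

A binary that shows both `setuid` and a capability set is a candidate for dropping the setuid bit; one that shows `caps=none` still depends on it.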

Re: [ptxdist] [PATCH v2] iputils: update s20121221 -> s20161105

2017-01-26 Thread Marc Kleine-Budde
On 01/26/2017 11:40 AM, Michael Olbrich wrote:
> On Wed, Jan 25, 2017 at 07:41:42AM +0100, Uwe Kleine-König wrote:
>> On Wed, Jan 25, 2017 at 12:13:59AM +0100, Clemens Gruber wrote:
>>> The current version of iputils ping can handle IPv4 and IPv6 but
>>> requires a crypto library dependency for ICMPv6 NI queries.
>>> Add all possible choices: libgcrypt, nettle, openssl or none
>>>
>>> tracepath works with IPv4 as well as IPv6 and it does not have to run as
>>> root.
>>> traceroute6 only works with IPv6 and requires superuser privileges.
>>
>> on Debian traceroute6.iputils isn't setuid root and works for me. It has
>> caps set however:
>>
>>  $ ls -l /usr/bin/traceroute6.iputils
>>  -rwxr-xr-x 1 root root 18936 Nov 10 07:23 /usr/bin/traceroute6.iputils
>>
>>  $ /sbin/getcap /usr/bin/traceroute6.iputils
>>  /usr/bin/traceroute6.iputils = cap_net_raw+ep
>>
>> Would that work here, too?
> 
> In theory yes, but I think our image generation tools cannot handle this.

mk2fs from e2fsprogs can generate images with extended attributes. I
used it to build images with ima/evm attributes.

Marc

-- 
Pengutronix e.K.  | Marc Kleine-Budde   |
Industrial Linux Solutions| Phone: +49-231-2826-924 |
Vertretung West/Dortmund  | Fax:   +49-5121-206917- |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |




Re: [ptxdist] [PATCH v2] iputils: update s20121221 -> s20161105

2017-01-26 Thread Michael Olbrich
On Wed, Jan 25, 2017 at 07:41:42AM +0100, Uwe Kleine-König wrote:
> On Wed, Jan 25, 2017 at 12:13:59AM +0100, Clemens Gruber wrote:
> > The current version of iputils ping can handle IPv4 and IPv6 but
> > requires a crypto library dependency for ICMPv6 NI queries.
> > Add all possible choices: libgcrypt, nettle, openssl or none
> > 
> > tracepath works with IPv4 as well as IPv6 and it does not have to run as
> > root.
> > traceroute6 only works with IPv6 and requires superuser privileges.
> 
> on Debian traceroute6.iputils isn't setuid root and works for me. It has
> caps set however:
> 
>   $ ls -l /usr/bin/traceroute6.iputils
>   -rwxr-xr-x 1 root root 18936 Nov 10 07:23 /usr/bin/traceroute6.iputils
> 
>   $ /sbin/getcap /usr/bin/traceroute6.iputils
>   /usr/bin/traceroute6.iputils = cap_net_raw+ep
> 
> Would that work here, too?

In theory yes, but I think our image generation tools cannot handle this.

Michael

-- 
Pengutronix e.K.   | |
Industrial Linux Solutions | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0|
Amtsgericht Hildesheim, HRA 2686   | Fax:   +49-5121-206917- |


Re: [ptxdist] [PATCH v2] iputils: update s20121221 -> s20161105

2017-01-24 Thread Uwe Kleine-König
Hello,

On Wed, Jan 25, 2017 at 12:13:59AM +0100, Clemens Gruber wrote:
> The current version of iputils ping can handle IPv4 and IPv6 but
> requires a crypto library dependency for ICMPv6 NI queries.
> Add all possible choices: libgcrypt, nettle, openssl or none
> 
> tracepath works with IPv4 as well as IPv6 and it does not have to run as
> root.
> traceroute6 only works with IPv6 and requires superuser privileges.

on Debian traceroute6.iputils isn't setuid root and works for me. It has
caps set however:

$ ls -l /usr/bin/traceroute6.iputils
-rwxr-xr-x 1 root root 18936 Nov 10 07:23 /usr/bin/traceroute6.iputils

$ /sbin/getcap /usr/bin/traceroute6.iputils
/usr/bin/traceroute6.iputils = cap_net_raw+ep

Would that work here, too?

Best regards
Uwe

-- 
Pengutronix e.K.   | Uwe Kleine-König|
Industrial Linux Solutions | http://www.pengutronix.de/  |
