[Touch-packages] [Bug 1703649] Re: Traceroute needs net_admin capability for unknown reason

2021-06-30 Thread Dan Streetman
** Changed in: systemd (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1703649

Title:
  Traceroute needs net_admin capability for unknown reason

Status in systemd package in Ubuntu:
  Invalid
Status in traceroute package in Ubuntu:
  New

Bug description:
  With the help of AppArmor on 17.04 and 17.10 I've discovered that
  traceroute needs net_admin capabilities.

  My plan is to update [0] AppArmor profile to fix various DENIED
  messages in syslog/audit for traceroute, though I am not sure about
  allowing, or denying, net_admin capability.

  Looks like traceroute tries to set SO_RCVBUFFORCE and SO_SNDBUFFORCE:

  setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
  setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
  setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
  setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
  setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
  setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)

  What is interesting is that the traceroute developer does not recall
  changing these values [1]. On Debian Sid and openSUSE Tumbleweed this
  issue does not reproduce either.

  Could it be some Ubuntu-specific patch in the works? It seems that
  traceroute works OK without net_admin...

  Thanks!

  [0] https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260
  [1] https://sourceforge.net/p/traceroute/mailman/message/35927818/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1703649/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1703649] Re: Traceroute needs net_admin capability for unknown reason

2017-08-09 Thread Vincas Dargis
How could I get a comment from the systemd maintainers?



[Touch-packages] [Bug 1703649] Re: Traceroute needs net_admin capability for unknown reason

2017-07-12 Thread Vincas Dargis
Added systemd because:
# apt-cache show libnss-resolve | fgrep Source
Source: systemd



[Touch-packages] [Bug 1703649] Re: Traceroute needs net_admin capability for unknown reason

2017-07-12 Thread Vincas Dargis
Looks like the culprit is libnss_resolve.so.

First of all, to reproduce, I have to use a hostname like google.com. If I
give traceroute an IP address, there are no setsockopt calls that need
the net_admin cap.

Here's the gdb log, with a breakpoint on setsockopt, dumped registers (you can
see rdx set to "33" so that's one of SO_RCVBUFFORCE/SO_SNDBUFFORCE), and
a backtrace that leads to /lib/x86_64-linux-gnu/libnss_resolve.so.2:

Breakpoint 1 (setsockopt) pending.
Starting program: /usr/sbin/traceroute -T google.com
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Breakpoint 1, setsockopt () at ../sysdeps/unix/syscall-template.S:84
84  ../sysdeps/unix/syscall-template.S: No such file or directory.
rax            0x34000          212992
rbx            0x55ad9953abe0   94204090100704
rcx            0x7ffc27aac6d0   140720973989584
rdx            0x21             33
rsi            0x1              1
rdi            0x3              3
rbp            0x7ffc27aac6d0   0x7ffc27aac6d0
rsp            0x7ffc27aac6c8   0x7ffc27aac6c8
r8             0x4              4
r9             0x0              0
r10            0x7ffc27aac6d0   140720973989584
r11            0x202            514
r12            0x3              3
r13            0x7ffc27aac6d4   140720973989588
r14            0x7ffc27aac760   140720973989728
r15            0x55ad9953abe0   94204090100704
rip            0x7f057a78a320   0x7f057a78a320
eflags         0x293            [ CF AF SF IF ]
cs             0x33             51
ss             0x2b             43
ds             0x0              0
es             0x0              0
fs             0x0              0
gs             0x0              0
#0  setsockopt () at ../sysdeps/unix/syscall-template.S:84
#1  0x7f057af2cd43 in ?? () from /lib/x86_64-linux-gnu/libnss_resolve.so.2
#2  0x7f057af1ccd5 in ?? () from /lib/x86_64-linux-gnu/libnss_resolve.so.2
#3  0x7f057af46f02 in ?? () from /lib/x86_64-linux-gnu/libnss_resolve.so.2
#4  0x7f057af2287d in _nss_resolve_gethostbyname4_r () from /lib/x86_64-linux-gnu/libnss_resolve.so.2
#5  0x7f057a76e16f in gaih_inet (name=name@entry=0x7ffc27aae76e "google.com", service=, req=req@entry=0x7ffc27aad400, pai=pai@entry=0x7ffc27aacf28, naddrs=naddrs@entry=0x7ffc27aacf24, tmpbuf=tmpbuf@entry=0x7ffc27aacf90) at ../sysdeps/posix/getaddrinfo.c:848
#6  0x7f057a770448 in __GI_getaddrinfo (name=, service=, hints=0x7ffc27aad400, pai=0x7ffc27aad3f8) at ../sysdeps/posix/getaddrinfo.c:2391
#7  0x55ad9791e326 in ?? ()
#8  0x55ad9791e4b3 in ?? ()
#9  0x55ad97921cae in ?? ()
#10 0x55ad9791a7d1 in ?? ()
#11 0x7f057a6a13f1 in __libc_start_main (main=0x55ad9791a700, argc=3, argv=0x7ffc27aad888, init=, fini=, rtld_fini=, stack_end=0x7ffc27aad878) at ../csu/libc-start.c:291
#12 0x55ad9791b3fa in ?? ()


** Also affects: systemd (Ubuntu)
   Importance: Undecided
   Status: New

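
The call sequence in the strace output above (a privileged SO_RCVBUFFORCE attempt failing with EPERM, then the unprivileged SO_RCVBUF call succeeding) can be reproduced in isolation. This is an added example, not code from traceroute, systemd or any participant in the thread; the names grow_buffer and demo_rcvbuf and the use of a local AF_UNIX socket are assumptions made so that it runs offline.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of one buffer-resize attempt (hypothetical helper type). */
struct bufresult {
    int forced;       /* 1 if the *FORCE option succeeded */
    int force_errno;  /* errno from the *FORCE attempt, 0 on success */
    int effective;    /* size reported by getsockopt(), -1 on failure */
};

/* Try the privileged option first, then fall back to the plain one. */
static struct bufresult grow_buffer(int fd, int force_opt, int plain_opt, int want)
{
    struct bufresult r = { 0, 0, -1 };
    socklen_t len = sizeof(r.effective);

    if (setsockopt(fd, SOL_SOCKET, force_opt, &want, sizeof(want)) == 0) {
        r.forced = 1;
    } else {
        r.force_errno = errno;   /* EPERM when CAP_NET_ADMIN is missing */
        if (setsockopt(fd, SOL_SOCKET, plain_opt, &want, sizeof(want)) != 0)
            return r;
    }
    if (getsockopt(fd, SOL_SOCKET, plain_opt, &r.effective, &len) != 0)
        r.effective = -1;
    return r;
}

/* Same request size as in the trace, on a local datagram socket. */
static struct bufresult demo_rcvbuf(void)
{
    struct bufresult r = { 0, 0, -1 };
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) { r.force_errno = errno; return r; }
    r = grow_buffer(fd, SO_RCVBUFFORCE, SO_RCVBUF, 8388608);
    close(fd);
    return r;
}

int main(void)
{
    struct bufresult r = demo_rcvbuf();
    printf("forced=%d force_errno=%d effective=%d\n",
           r.forced, r.force_errno, r.effective);
    return r.effective > 0 ? 0 : 1;
}
```

Without CAP_NET_ADMIN, force_errno is EPERM and the effective size is limited by net.core.rmem_max, but the sequence as a whole still succeeds, which matches the report that traceroute works without net_admin.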