[Bug 1588917] Re: Upgrade ping to latest version that doesn't require SUID or NET_RAW capability
I think it should be up to the user to decide whether to enable this by setting the net.ipv4.ping_group_range sysctl.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1588917

Title:
  Upgrade ping to latest version that doesn't require SUID or NET_RAW capability

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iputils/+bug/1588917/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1588917] Re: Upgrade ping to latest version that doesn't require SUID or NET_RAW capability
I believe that section of the kernel code has had three user->ring0 vulnerabilities so far. It might be worth waiting a bit longer before enabling its use by default.

Thanks

[Bug 1588917] Re: Upgrade ping to latest version that doesn't require SUID or NET_RAW capability
** Changed in: iputils (Ubuntu)
       Status: New => Triaged

** Changed in: iputils (Ubuntu)
   Importance: Undecided => Wishlist

[Bug 1588917] Re: Upgrade ping to latest version that doesn't require SUID or NET_RAW capability
** Description changed:

  The latest version of iputils have the option of using SOCK_DGRAM packets instead of SOCK_RAW, provided that the net.ipv4.ping_group_range sysctl is set to a different value. This helps a lot with security in -not just- Linux containers by dropping support for the NET_RAW capability. Also, the ubuntu-minimal packages should not include this package as a hard dependency in case I want to uninstall iputils-ping to substitute it for another package like oping which just works if I turn off the setuid bit.
+ 
+ This would help a lot with secure Linux containers with no NET_RAW
+ capabilities.
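
An added example, not part of the bug thread or of iputils: a host or container audit of the setting the thread discusses. It reads net.ipv4.ping_group_range, checks which of the process's groups fall in the range, tries to create the SOCK_DGRAM ICMP socket, and reports whether the installed ping still carries setuid-root or file capabilities. The function names are assumptions chosen here; the kernel default "1 0" is treated as "no group allowed".

```python
import os
import shutil
import socket
import stat

SYSCTL = "/proc/sys/net/ipv4/ping_group_range"

def parse_ping_group_range(text):
    """Return (low, high) from the sysctl's two-integer form."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError(f"expected two integers, got {text!r}")
    return int(parts[0]), int(parts[1])

def gids_in_range(gids, low, high):
    """GIDs inside the inclusive range; "1 0" (low > high) matches nobody."""
    return sorted(g for g in set(gids) if low <= g <= high)

def can_open_ping_socket():
    """Try to create an ICMP datagram socket; nothing is sent."""
    try:
        socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP).close()
        return True
    except OSError:  # refused when no group of the process is in range
        return False

def ping_privileges(path):
    """Report whether a ping binary carries setuid-root or file capabilities."""
    st = os.stat(path)
    try:
        has_caps = bool(os.getxattr(path, "security.capability"))
    except OSError:  # attribute absent or xattrs unsupported
        has_caps = False
    return {"setuid_root": bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0,
            "file_caps": has_caps}

if __name__ == "__main__":
    try:
        with open(SYSCTL) as f:
            raw = f.read()
    except OSError:
        raw = "1 0"  # constructed fallback: the value that disables ping sockets
    low, high = parse_ping_group_range(raw)
    gids = [os.getegid(), *os.getgroups()]
    print("ping_group_range:", low, high)
    print("process GIDs in range:", gids_in_range(gids, low, high))
    print("SOCK_DGRAM ICMP socket:", can_open_ping_socket())
    ping = shutil.which("ping")
    if ping:
        print(ping, ping_privileges(os.path.realpath(ping)))
```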