[SATLUG] Re: rpm -a --setugids; rpm -a --setperms;

Christopher Lemire christopher.lemire at gmail.com
Mon Dec 3 13:28:02 CST 2012


On Sat, Dec 1, 2012 at 3:36 PM, Christopher Lemire
<christopher.lemire at gmail.com> wrote:
> [bull:~]$ ls -l /usr/bin/ping
> -rwxr-xr-x. 1 root root 40912 Jan 25  2012 /usr/bin/ping
> [bull:~]$ sudo rpm --setugids iputils
> [sudo] password for bull:
> [bull:~]$ ping -c 2 google.com
> ping: icmp open socket: Operation not permitted
> [bull:~]$ sudo chmod u+s /usr/bin/ping
> [bull:~]$ ping -c 2 google.com
> PING google.com (74.125.227.97) 56(84) bytes of data.
> 64 bytes from dfw06s16-in-f1.1e100.net (74.125.227.97): icmp_req=1
> ttl=50 time=37.9 ms
> 64 bytes from dfw06s16-in-f1.1e100.net (74.125.227.97): icmp_req=2
> ttl=50 time=34.9 ms
>
> --- google.com ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
> rtt min/avg/max/mdev = 34.959/36.462/37.966/1.515 ms
> [bull:~]$
>
>
>
> rpm -a --setugids; rpm -a --setperms;
>
> These commands seem safe, right? rpm will look at each individual
> package and set permissions according to what the rpm package says
> they should be. I ran these as advised for a post-upgrade of Fedora
> (for me, 16 to 17). Then why, after using this, does 'su -' fail to log
> in as root because it is missing SUID, ping fail as an unprivileged
> user, etc.?
>
> My friend did a fresh installation of Fedora 17, not an upgrade. By
> default, his /usr/bin/ping did not have SUID and worked, but after he
> ran:
>
> rpm --setperms iputils
> rpm --setugids iputils
>
> His ping no longer worked, and SUID was not enabled as before.
>
>
> 1) I am looking for an explanation please.
>
> 2) Why did his (my friend) ping work without SUID the first time?
>
> 3) I ran this for the entire system. Now how am I going to fix it? If
> I knew the explanation why this is happening, but ping works on a
> fresh f17 install without SUID, I could probably find the solution.
> (Note: Even su -, missing the SUID will not and did not work with the
> correct root password, as well as many other files and permissions)
>
> This issue is not related to SELinux. I have it set to Permissive, so
> it is not causing the problems.
>
>
>
> Christopher Lemire <christopher.lemire at gmail.com>
> Ubuntu 64 bit Linux Raid Level 0
>
> Gnu Privacy Guard Key Fingerprint = 3E1A 9103 EF3D 4885 6866  E9DE
> C69F 18B3 E13B 0909
>
> Web: http://linuxinnovations.blogspot.com
> Jabber: recursivequicksort at jabber.org

I figured out the problem. Fedora uses capabilities instead of SUID /
SGID for security reasons.

[root at beastlinux ~]# getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep
[root at beastlinux ~]#

If these capabilities are removed, then only root can ping or an
unprivileged user with SUID. I was getting confused because I was
looking at the permissions on my CentOS server, and SUID was set but
not in Fedora.

https://fedoraproject.org/wiki/Features/RemoveSETUID



Christopher Lemire <christopher.lemire at gmail.com>
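The reply above points to file capabilities, not the setuid bit, as the mechanism Fedora's ping relies on, which is why a permission reset that leaves the mode bits "correct" can still break it. As an added example that is not part of the thread, the following Python script decodes the `security.capability` extended attribute that `getcap` reads and reports, for a given path, whether the file carries setuid/setgid bits, file capabilities, both, or neither, so a post-upgrade audit can tell the two privilege mechanisms apart. The xattr layout (revision 1, 2 and 3 headers, effective flag in the low bits, permitted/inheritable 32-bit words) follows the kernel's `linux/capability.h`; the sample bytes are constructed to match the `cap_net_raw+ep` shown in the reply, and the function names are my own.

```python
"""Decode security.capability and report how a binary obtains privilege.
Added example for the thread above; not code from the original post."""
import os
import stat
import struct

# Capability numbers from linux/capability.h (list index == cap number).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # low bits of the magic word
VFS_CAP_REVISION_MASK = 0xFF000000   # high byte of the magic word


def decode_vfs_cap(raw: bytes) -> str:
    """Turn a raw security.capability value into getcap-style text.

    Capabilities sharing the same flags are grouped, e.g. 'cap_net_raw+ep'.
    Flag letters follow libcap's order: e (effective), i (inheritable),
    p (permitted).
    """
    if len(raw) < 4:
        raise ValueError("security.capability value too short")
    magic = struct.unpack_from("<I", raw, 0)[0]
    revision = (magic & VFS_CAP_REVISION_MASK) >> 24
    effective = bool(magic & VFS_CAP_FLAGS_EFFECTIVE)
    if revision == 1:
        nwords = 1            # one 32-bit permitted/inheritable pair
    elif revision in (2, 3):
        nwords = 2            # two pairs cover 64 capability bits
    else:
        raise ValueError(f"unknown vfs cap revision {revision}")
    needed = 4 + 8 * nwords + (4 if revision == 3 else 0)
    if len(raw) < needed:
        raise ValueError("truncated security.capability value")

    permitted = inheritable = 0
    for i in range(nwords):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)

    groups: dict = {}
    for n, name in enumerate(CAP_NAMES):
        in_p = (permitted >> n) & 1
        in_i = (inheritable >> n) & 1
        flags = ""
        if effective and in_p:   # 'e' only applies to permitted caps
            flags += "e"
        if in_i:
            flags += "i"
        if in_p:
            flags += "p"
        if flags:
            groups.setdefault(flags, []).append("cap_" + name)
    text = " ".join(f"{','.join(names)}+{flags}" for flags, names in groups.items())
    if revision == 3:
        # v3 adds a namespace root id; annotation format here is my own
        rootid = struct.unpack_from("<I", raw, 4 + 8 * nwords)[0]
        if rootid:
            text += f" [rootid={rootid}]"
    return text


def inspect_binary(path: str) -> dict:
    """Report setuid/setgid bits and decoded file capabilities for a path.

    'capabilities' is None when the file has no security.capability xattr
    (ENODATA), the filesystem lacks xattrs (ENOTSUP), or we are not on Linux.
    """
    st = os.stat(path)
    info = {
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "setgid": bool(st.st_mode & stat.S_ISGID),
        "capabilities": None,
    }
    getxattr = getattr(os, "getxattr", None)  # Linux-only API
    if getxattr is not None:
        try:
            info["capabilities"] = decode_vfs_cap(getxattr(path, "security.capability"))
        except OSError:
            pass
    return info


# Constructed sample: revision-2 header with the effective flag set,
# CAP_NET_RAW (13) permitted, nothing inheritable -> 'cap_net_raw+ep'.
SAMPLE_PING_CAP = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)

if __name__ == "__main__":
    print("sample xattr decodes to:", decode_vfs_cap(SAMPLE_PING_CAP))
    for p in ("/usr/bin/ping", "/bin/su"):
        if os.path.exists(p):
            print(p, inspect_binary(p))
```

Running it on a Fedora box should show ping with `setuid: False` and `capabilities: 'cap_net_raw+ep'`, matching the `getcap` output in the reply, while on a distribution that still ships a setuid ping the report flips. A file that shows neither after a permission reset is the case the thread ran into.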

