[03/20] /usr/bin/ping does not need a SUID bit if appropriate capabilities are set

Message ID 4924bc88-655d-2a81-96de-000a7362bece@ipfire.org
State Accepted
Commit e4c3bcc7eed6e25feec39e94f96b83f61b2834ae
Series Prevent "nobody" from escalating privileges by using writeable binaries as a vehicle

Commit Message

Peter Müller May 17, 2021, 7:01 p.m. UTC
  Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 lfs/iputils | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
  

Patch

diff --git a/lfs/iputils b/lfs/iputils
index b1e2e2216..ae692df7a 100644
--- a/lfs/iputils
+++ b/lfs/iputils
@@ -1,7 +1,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2018  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -71,9 +71,12 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && make ping tracepath
-	cd $(DIR_APP) && install -m 4755 ping /usr/bin
+	cd $(DIR_APP) && install -m 0755 ping /usr/bin
 	cd $(DIR_APP) && install -m 0755 tracepath /usr/bin
 
+	# Allow execution of /usr/bin/ping by other users than "root"
+	setcap cap_net_raw+ep /usr/bin/ping
+
 	# Some scripts expect ping in /bin/ping.
 	ln -svf ../usr/bin/ping /bin/ping
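Review bot: The `setcap cap_net_raw+ep /usr/bin/ping` line stores the privilege in the `security.capability` extended attribute of the build-host file, and nothing in this hunk ensures that attribute survives into the shipped image; if the packaging step copies or archives the file without preserving xattrs (e.g. tar without `--xattrs`), ping silently reverts to root-only instead of failing loudly as the old SUID bit never could. The packaging code is outside this hunk, so this is worth confirming rather than assuming; `setcap` itself does exit non-zero when the filesystem cannot hold the attribute, so the recipe line correctly has no `-` prefix. The comment above the call should also say why the capability replaces `4755`, since "allow execution by other users" reads as if it were a mode-bit problem: `# Replace the SUID bit with the single capability ping needs for raw ICMP sockets, so a writeable or copied ping no longer grants full root`. If the iputils build has libcap support, `cap_net_raw+p` would be the tighter choice because ping raises the capability itself only around the socket call, but whether that support is compiled in is not visible here.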