Bug 1699497

Summary: ping/ping6/traceroute/traceroute6 should be utterly unprivileged
Product: [Fedora] Fedora
Reporter: Maciej Żenczykowski <zenczykowski>
Component: iputils
Assignee: Jan Synacek <jsynacek>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 32
CC: jaskalnik, jsynacek, ruben
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2020-03-02 09:15:45 UTC
Type: Bug

Description Maciej Żenczykowski 2019-04-12 23:24:48 UTC
All it takes is setting /proc/sys/net/ipv4/ping_group_range to:
  0 2147483647
and ping/traceroute should no longer require any privs.

# echo '0 2147483647' > /proc/sys/net/ipv4/ping_group_range

# su - maze
Last login: Tue Mar  5 20:48:48 PST 2019 on pts/0

$ cp /usr/bin/ping ./ping

$ ./ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.026 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.034 ms
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 44ms
rtt min/avg/max/mdev = 0.026/0.030/0.034/0.004 ms

$ cp /usr/bin/traceroute ./traceroute

$ ./traceroute 127.0.0.1
traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 60 byte packets
 1  localhost (127.0.0.1)  0.024 ms  0.008 ms  0.006 ms

Comment 1 Ben Cotton 2019-08-13 19:27:49 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 2 Ruben Kerkhof 2020-01-28 09:39:23 UTC
The sysctl change has been implemented by https://bugzilla.redhat.com/show_bug.cgi?id=1740809, but ping still has cap_net_raw and cap_net_admin capabilities.
Jan, can you remove these from the spec file?
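
An added example, not part of the bug thread or of iputils: a Python check for the two conditions raised in the description and in comment 2, namely whether ping_group_range covers the user's groups and whether the ping binary still carries setuid or cap_net_raw/cap_net_admin file capabilities. The function names are this example's own, /usr/bin/ping is the path used in the description, and only the low 32 bits of the permitted set in the security.capability xattr are decoded.

```python
import os
import stat
import struct

CAP_NET_ADMIN, CAP_NET_RAW = 12, 13  # bit numbers from linux/capability.h

def range_covers(range_text, gids):
    """True if any gid lies inside the inclusive 'MIN MAX' range."""
    lo, hi = (int(x) for x in range_text.split())
    return any(lo <= g <= hi for g in gids)  # kernel default "1 0" covers nothing

def decode_file_caps(xattr):
    """Names of the network capabilities permitted by a security.capability value."""
    if not xattr:
        return set()
    # vfs_cap_data layout: le32 magic_etc, then le32 permitted (low 32 bits)
    _magic, permitted_lo = struct.unpack_from("<II", xattr)
    names = {CAP_NET_ADMIN: "cap_net_admin", CAP_NET_RAW: "cap_net_raw"}
    return {n for bit, n in names.items() if permitted_lo >> bit & 1}

def audit(range_text, gids, mode, xattr):
    """List what still stands between this user and an unprivileged ping."""
    findings = []
    if not range_covers(range_text, gids):
        findings.append("ping_group_range does not cover this user's groups")
    if mode & stat.S_ISUID:
        findings.append("binary is setuid")
    for cap in sorted(decode_file_caps(xattr)):
        findings.append(f"binary still carries {cap}")
    return findings

def audit_host(path="/usr/bin/ping"):
    """Gather the live values on a Linux host and run audit() on them."""
    with open("/proc/sys/net/ipv4/ping_group_range") as f:
        range_text = f.read()
    gids = {os.getegid(), *os.getgroups()}  # effective gid plus supplementary groups
    try:
        xattr = os.getxattr(path, "security.capability")
    except OSError:  # no file capabilities set on the binary
        xattr = b""
    return audit(range_text, gids, os.stat(path).st_mode, xattr)

if __name__ == "__main__":
    for line in audit_host() or ["ping needs no privileges on this host"]:
        print(line)
```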

Comment 3 Ben Cotton 2020-02-11 15:40:29 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.