Bug 706554

Summary: Please add cap_net_raw+ep capabilities to /bin/traceroute
Product: [Fedora] Fedora Reporter: nucleo <alekcejk>
Component: tracerouteAssignee: Jiri Skala <jskala>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 15CC: aglotov, dmitry, h.reindl, jskala
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-01 14:34:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description nucleo 2011-05-20 22:23:10 UTC 
Description of problem:
File capabilities added in F15 for many apps needed setuid before F15
http://fedoraproject.org/wiki/Features/RemoveSETUID

Version-Release number of selected component (if applicable):
traceroute-2.0.17-2.fc15

traceroute not uses setuid but it needs root privileges for running with -I or -T options.

$ traceroute -I fedoraproject.org
You have no enough privileges to use this traceroute method.
socket: Operation not permitted

Adding capabilities 'setcap cap_net_raw+ep traceroute' makes it possible to use this options with traceroute-2.0.17 as usual user.

Also can you please re-enable symlink /bin/tracert -> /bin/traceroute?
tracert should work for unprivileged user same as -I traceroute option with cap_net_raw+ep enabled.

Additional info:
Capabilities can be set in %files:

%attr(0755,root,root) %caps(cap_net_raw=ep) /bin/traceroute
Comment 1 Dmitry Butskoy 2011-05-23 12:40:27 UTC 
Jiri,

Could you please review this idea?
Since the traceroute is a basic distro package, I would prefer to not perform such changes without an acknowledgement of some RedHat people.

> Also can you please re-enable symlink /bin/tracert -> /bin/traceroute?
This symlink was intended to help people come from windows, but I'm not sure whether it is a good idea. IMHO tracert is not just "traceroute -I", it can have some differencies in the output format, behaviour etc. I prefer to reflect other distros in this -- if they add such a link, then we follow them.
Comment 2 Jiri Skala 2011-06-01 14:34:09 UTC 
Hi Dmitry,
I'm sorry I'm late with the answer. I wanted to discuss it with other people that weren't available last week.

The conclusion from my point of view is closing it with the status 'wantfix'.

Traceroute is more less a tool for admins. These people should have sufficient permission and responsibility to use it. So I see adding capabilities as s higher level of indolence with negative influence on security.
Comment 3 nucleo 2011-06-02 23:41:47 UTC 
mtr is very similar to traceroute tool for admins and it is also in group of base packages.
mtr have cap_net_raw+ep but traceroute don't.
Comment 4 Harald Reindl 2018-03-06 19:15:39 UTC 
@Jiri Skala your conclusion is completly wrong - you missed https://fedoraproject.org/wiki/Features/RemoveSETUID completly as well as https://en.wikipedia.org/wiki/Principle_of_least_privilege - just because something is a "tool for admins" it don't mean that it should run with full root permissions