Bug 759146

Summary: With nfs root, ping fails for non-root user.
Product: [Fedora] Fedora
Reporter: Ian Dall <ian>
Component: iputils
Assignee: Jiri Skala <jskala>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: aglotov, jskala, sgrubb
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2011-12-02 11:57:56 UTC

Description Ian Dall 2011-12-01 14:20:50 UTC
Description of problem:
On a system with nfs root, ping fails unless the user is root.

Version-Release number of selected component (if applicable):

iputils-20101006-11.fc16

How reproducible:

Always

Steps to Reproduce:
1. Create a system with nfs root. (Alternatively nfs mount root to somewhere convenient)
2. As a non-privileged user, run /bin/ping <remote> (or <alternate root>/bin/ping <remote>)

  
Actual results:

$ ping fs
ping: icmp open socket: Operation not permitted

Expected results:

successful ping 

Additional info:

Running on the nfs client:

 # rpm -V iputils
........P    /bin/ping
........P    /bin/ping6

shows that the capabilities of /bin/ping have changed. However on the nfs server if I chroot to the exported root and run rpm -V it passes.

Also (on the nfs client):
 # getcap /bin/ping
Failed to get capabilities of file `/bin/ping' (Operation not supported)

The server is Fedora 14. It seems that nfs does not support file capabilities and so the switch from suid ping to file capability cap_net_raw+ep breaks nfs root configurations.
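
The report names two ways /bin/ping can obtain raw-socket privilege: the file capability cap_net_raw+ep or the setuid bit. The following is an added example, not part of the original report or of iputils, that reads the security.capability extended attribute directly and reports which mechanism, if any, applies to a binary. It assumes Linux and Python 3, and the function names are this example's own.

```python
# Added example; function names are illustrative, not from iputils or libcap.
import errno
import os
import stat
import struct
import sys

CAP_NET_RAW = 13                       # bit number from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}  # revision -> u32 pairs

def decode_vfs_caps(blob):
    """Decode a security.capability value into (permitted, inheritable, effective)."""
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    pairs = PAIRS.get(magic_etc & VFS_CAP_REVISION_MASK)
    if pairs is None or len(blob) < 4 + 8 * pairs:
        raise ValueError("unrecognised or truncated security.capability value")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return permitted, inheritable, bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)

def classify(mode, owner_uid, caps):
    """caps is the xattr bytes, None (no xattr set), or errno.ENOTSUP."""
    if isinstance(caps, bytes):
        permitted, _, effective = decode_vfs_caps(caps)
        if effective and permitted & (1 << CAP_NET_RAW):
            return "file capability cap_net_raw+ep"
    if mode & stat.S_ISUID and owner_uid == 0:
        return "setuid root"
    if caps == errno.ENOTSUP:
        return "unprivileged: filesystem cannot store file capabilities"
    return "unprivileged: no capability and no setuid bit"

def inspect(path):
    st = os.stat(path)
    try:
        caps = os.getxattr(path, "security.capability")
    except OSError as e:           # ENOTSUP is getcap's "Operation not supported"
        if e.errno not in (errno.ENODATA, errno.ENOTSUP):
            raise
        caps = None if e.errno == errno.ENODATA else errno.ENOTSUP
    return classify(st.st_mode, st.st_uid, caps)

if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, "->", inspect(p))
```

Run it with the paths to check as arguments, for example /bin/ping /bin/ping6.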

Comment 1 Jiri Skala 2011-12-02 11:57:56 UTC
This is easily reproducible and it is not necessary to have nfs root. It's enough to have e.g. a ping binary using file capability in an exported directory. I guess NFS really doesn't support file capability.

There is nothing to do from the iputils point of view. This means iputils will not set suid by default. You can set suid manually as a workaround.

I've added Steven Grubb to CC. He could put more details here.

Comment 2 Ian Dall 2011-12-03 04:41:12 UTC
"NOTABUG"? I filed it here because it is the change to the iputils packaging which caused the lossage. "CANTFIX" or "WONTFIX" or re-attribute to nfs seems appropriate. "NOTABUG" implies "works as expected" which I don't think is the case.