Description of problem: File capabilities added in F15 for many apps needed setuid before F15 http://fedoraproject.org/wiki/Features/RemoveSETUID Version-Release number of selected component (if applicable): traceroute-2.0.17-2.fc15 traceroute not uses setuid but it needs root privileges for running with -I or -T options. $ traceroute -I fedoraproject.org You have no enough privileges to use this traceroute method. socket: Operation not permitted Adding capabilities 'setcap cap_net_raw+ep traceroute' makes it possible to use this options with traceroute-2.0.17 as usual user. Also can you please re-enable symlink /bin/tracert -> /bin/traceroute? tracert should work for unprivileged user same as -I traceroute option with cap_net_raw+ep enabled. Additional info: Capabilities can be set in %files: %attr(0755,root,root) %caps(cap_net_raw=ep) /bin/traceroute
Jiri, Could you please review this idea? Since the traceroute is a basic distro package, I would prefer to not perform such changes without an acknowledgement of some RedHat people. > Also can you please re-enable symlink /bin/tracert -> /bin/traceroute? This symlink was intended to help people come from windows, but I'm not sure whether it is a good idea. IMHO tracert is not just "traceroute -I", it can have some differencies in the output format, behaviour etc. I prefer to reflect other distros in this -- if they add such a link, then we follow them.
Hi Dmitry, I'm sorry I'm late with the answer. I wanted to discuss it with other people that weren't available last week. The conclusion from my point of view is closing it with the status 'wantfix'. Traceroute is more less a tool for admins. These people should have sufficient permission and responsibility to use it. So I see adding capabilities as s higher level of indolence with negative influence on security.
mtr is very similar to traceroute tool for admins and it is also in group of base packages. mtr have cap_net_raw+ep but traceroute don't.
@Jiri Skala your conclusion is completly wrong - you missed https://fedoraproject.org/wiki/Features/RemoveSETUID completly as well as https://en.wikipedia.org/wiki/Principle_of_least_privilege - just because something is a "tool for admins" it don't mean that it should run with full root permissions