Bug 706554 - Please add cap_net_raw+ep capabilities to /bin/traceroute
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: traceroute
Version: 15
Assignee: Jiri Skala
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-05-20 22:23 UTC by nucleo
Modified: 2018-03-06 19:15 UTC
Doc Type: Bug Fix
Last Closed: 2011-06-01 14:34:09 UTC

Description nucleo 2011-05-20 22:23:10 UTC
Description of problem:
File capabilities were added in F15 for many apps that needed setuid before F15
http://fedoraproject.org/wiki/Features/RemoveSETUID

Version-Release number of selected component (if applicable):
traceroute-2.0.17-2.fc15

traceroute does not use setuid, but it needs root privileges to run with the -I or -T options.

$ traceroute -I fedoraproject.org
You have no enough privileges to use this traceroute method.
socket: Operation not permitted

Adding capabilities with 'setcap cap_net_raw+ep traceroute' makes it possible to use these options with traceroute-2.0.17 as a usual user.

Also can you please re-enable symlink /bin/tracert -> /bin/traceroute?
tracert should work for an unprivileged user the same as the -I traceroute option with cap_net_raw+ep enabled.

Additional info:
Capabilities can be set in %files:

%attr(0755,root,root) %caps(cap_net_raw=ep) /bin/traceroute
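
Added example, not part of the original report or of the traceroute package: a Python decoder for the security.capability extended attribute that 'setcap cap_net_raw+ep' writes, plus an allow-list check that flags any capability beyond the one requested. The constants follow the kernel's linux/capability.h; the function names and both sample values are constructed for illustration.

```python
import os
import struct
import sys

# Illustrative helper names; constants are from the Linux UAPI header <linux/capability.h>.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1, VFS_CAP_REVISION_2, VFS_CAP_REVISION_3 = 0x01000000, 0x02000000, 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# Subset of capability numbers; unlisted bits are reported as cap_<n>.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid",
             12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin"}

def _names(mask):
    return [CAP_NAMES.get(bit, f"cap_{bit}") for bit in range(64) if mask >> bit & 1]

def decode_file_caps(xattr):
    """Decode a raw security.capability value into named capability sets."""
    if len(xattr) < 4:
        raise ValueError("value too short for a capability header")
    (magic_etc,) = struct.unpack_from("<I", xattr, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    words = {VFS_CAP_REVISION_1: 1, VFS_CAP_REVISION_2: 2, VFS_CAP_REVISION_3: 2}.get(revision)
    if words is None:
        raise ValueError(f"unknown capability revision {revision:#010x}")
    # Revision 3 appends a 32-bit root uid for user-namespaced capabilities.
    expected = 4 + 8 * words + (4 if revision == VFS_CAP_REVISION_3 else 0)
    if len(xattr) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(xattr)}")
    permitted = inheritable = 0
    for i in range(words):  # each word pair covers 32 capability bits
        p, inh = struct.unpack_from("<II", xattr, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": _names(permitted), "inheritable": _names(inheritable)}

def unexpected_caps(xattr, allowed):
    """Return permitted capabilities that are not on the allow-list."""
    return [c for c in decode_file_caps(xattr)["permitted"] if c not in allowed]

# Constructed samples: what 'setcap cap_net_raw+ep' stores, and an over-broad grant.
NET_RAW_EP = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 13, 0, 0, 0)
TOO_BROAD = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                        (1 << 13) | (1 << 21), 0, 0, 0)

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise use the constructed sample.
    raw = os.getxattr(sys.argv[1], "security.capability") if len(sys.argv) > 1 else NET_RAW_EP
    print(decode_file_caps(raw), unexpected_caps(raw, {"cap_net_raw"}))
```

Run with a file path as the only argument to decode that file's attribute on a Linux system; a file without the attribute makes os.getxattr raise OSError.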

Comment 1 Dmitry Butskoy 2011-05-23 12:40:27 UTC
Jiri,

Could you please review this idea?
Since the traceroute is a basic distro package, I would prefer to not perform such changes without an acknowledgement of some RedHat people.

> Also can you please re-enable symlink /bin/tracert -> /bin/traceroute?
This symlink was intended to help people coming from Windows, but I'm not sure whether it is a good idea. IMHO tracert is not just "traceroute -I", it can have some differences in the output format, behaviour etc. I prefer to reflect other distros in this -- if they add such a link, then we follow them.

Comment 2 Jiri Skala 2011-06-01 14:34:09 UTC
Hi Dmitry,
I'm sorry I'm late with the answer. I wanted to discuss it with other people that weren't available last week.

The conclusion from my point of view is closing it with the status 'wontfix'.

Traceroute is more or less a tool for admins. These people should have sufficient permission and responsibility to use it. So I see adding capabilities as a higher level of indolence with negative influence on security.

Comment 3 nucleo 2011-06-02 23:41:47 UTC
mtr is a very similar tool to traceroute for admins and it is also in the group of base packages.
mtr has cap_net_raw+ep but traceroute doesn't.

Comment 4 Harald Reindl 2018-03-06 19:15:39 UTC
@Jiri Skala your conclusion is completely wrong - you missed https://fedoraproject.org/wiki/Features/RemoveSETUID completely as well as https://en.wikipedia.org/wiki/Principle_of_least_privilege - just because something is a "tool for admins" it doesn't mean that it should run with full root permissions

