Bugzilla – Full Text Bug Listing

| Summary: | AUDIT-0: allow ping and ICMP commands without CAP_NET_RAW | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Distribution | Reporter: | Andreas Stieger <Andreas.Stieger> |
| Component: | Security | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | bschubert, genes1122, hpj, jmichel, jsegitz, matthias.gerstner, meissner, petr.vorel |
| Version: | Leap 15.1 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| See Also: | http://bugzilla.opensuse.org/show_bug.cgi?id=1176592, https://bugzilla.suse.com/show_bug.cgi?id=1194156, https://bugzilla.suse.com/show_bug.cgi?id=1194883, https://bugzilla.suse.com/show_bug.cgi?id=1193054 | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Andreas Stieger 2020-07-26 18:12:51 UTC

Thanks for the idea, we'll have a look. Might take a while since it is not high on our priorities list.

(In reply to Andreas.Stieger@gmx.de from comment #0)
> ping tools currently ship with CAP_NET_RAW. Consider dropping this in favor
> of using ICMP_PROTO sockets (a.k.a. dgram icmp, "ping sockets"). These are
> enabled via sysctl ping_group_range (net.ipv4.ping_group_range
> /proc/sys/net/ipv4/ping_group_range - covering IPv6 as well)
[...]
> If reviewed okay, ship the sysctl preset to allow interactive users by
> default, and update iputils and fping to remove the capability (and others).
> iputils has had this support for a while, fping since 4.3.

Security-wise the ICMP_PROTO sockets would be better. Currently we have:

- capability to create SOCK_RAW which allows the ping/fping programs to do pretty much everything on raw socket level.

With ICMP_PROTO sockets we would have:

- only processes with certain group IDs are granted permission to create these sockets
- only ICMP ECHO requests can be sent and nothing else

I only see a problem in the group configuration in ping_group_range. Currently everybody in the system is allowed to ping. Pinging other hosts is a pretty common operation also in scripts and system daemons. So how can we sensibly select a safe and compatible range of group IDs for this? In the simplest case we'd simply allow everybody to open ICMP_PROTO sockets and would still be safer than with the current capability solution.

I think allowing all groups to ping would be the sensible choice here. Finding a subset would be difficult and we wouldn't gain much here.

I tested the approach using protocol IPPROTO_ICMP and removing capabilities from ping and fping. It all looks good. Therefore, as a first step, I've created a PR [1] for aaa_base to set this sysctl setting by default.

[1]: https://github.com/openSUSE/aaa_base/pull/77

Once that change hits Factory what remains to do is removing capabilities from permissions and the %set_permissions and %verify_permissions invocations from iputils and fping.

Maybe such a change should also be highlighted somewhere documentation-wise?

This is an autogenerated message for OBS integration: This bug (1174504) was mentioned in https://build.opensuse.org/request/show/833187 Factory / aaa_base

The change has now been accepted to aaa_base. Once the new aaa_base package is available in Factory I will test the change once again and remove the capability bits from permissions and the related packages.

Seems the change is incorrect (wrong quoting)?

    Sep 15 19:02:01 localhost systemd-sysctl[1021]: Couldn't write '"0 2147483647"' to 'net/ipv4/ping_group_range': Invalid argument

(In reply to André Werlang from comment #7)
> Seems the change is incorrect (wrong quoting)?

It appears you're right; without quotes, it behaves fine:

    $ sysctl -p /usr/lib/sysctl.d/50-default.conf
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    net.ipv4.conf.all.rp_filter = 2
    net.ipv4.conf.default.promote_secondaries = 1
    net.ipv4.conf.all.promote_secondaries = 1
    net.ipv6.conf.default.use_tempaddr = 1
    net.ipv4.ping_group_range = 0 2147483647
    fs.inotify.max_user_watches = 65536
    kernel.sysrq = 184
    fs.protected_hardlinks = 1
    fs.protected_symlinks = 1
    kernel.kptr_restrict = 1

(In reply to beppe85@gmail.com from comment #7)
> Seems the change is incorrect (wrong quoting)?
>
> Sep 15 19:02:01 localhost systemd-sysctl[1021]: Couldn't write '"0 2147483647"' to 'net/ipv4/ping_group_range': Invalid argument

Strange, I could have sworn that I tested this before I created the PR. It looks like sysctl passes on the quotes to the pseudo file, resulting in the EINVAL error. Thank you for reporting this. I will create a follow-up PR to fix this.

I made the change to /usr/lib/sysctl.d/50-default.conf, and most of the errors stopped. However, I still get these two lines:

    Sep 16 16:13:04 Mobile-PC systemd[1]: Failed to start Apply Kernel Variables.
    Sep 16 16:13:04 Mobile-PC systemd-sysctl[222]: Couldn't write '"0 2147483647"' to 'net/ipv4/ping_group_range': Invalid argument

Is there another file that contains that improperly formatted line?

Thanks, Gene

(In reply to Gene Snider from comment #10)
> I made the change to /usr/lib/sysctl.d/50-default.conf, and most of the
> errors stopped. However, I still get these two lines:
>
> Sep 16 16:13:04 Mobile-PC systemd[1]: Failed to start Apply Kernel Variables.
> Sep 16 16:13:04 Mobile-PC systemd-sysctl[222]: Couldn't write '"0
> 2147483647"' to 'net/ipv4/ping_group_range': Invalid argument
>
> Is there another file that contains that improperly formatted line?

Run mkinitrd

Thanks, that finished the fix.

Gene

The bug that slipped is fixed by now in Factory/Tumbleweed. I will now prepare submissions for permissions (removal of capability bits) and iputils and fping (removal of %set_permissions macros & co.).

Thanks for addressing this. I prepared a PR for iputils (ping): https://github.com/openSUSE/permissions/pull/99

This is an autogenerated message for OBS integration: This bug (1174504) was mentioned in https://build.opensuse.org/request/show/840211 Factory / permissions

Current Tumbleweed ships ping without capabilities, the permissions entries are gone, the ICMP_PROTO sockets work by default. The fping submission to remove the permissions invocation is still pending but will be accepted eventually I guess. Closing this bug as fixed.

The submission of aaa_base contains:

    +- Add patch git-34-9a1bc15517d6da56d75182338c0f1bc4518b2b75.patch
    +  * sysctl.d/50-default.conf:
    +    allow everybody to create IPPROTO_ICMP sockets (bsc#1174504)
    +- Add patch git-35-91f496b1f65af29832192bad949685a7bc25da0a.patch
    +  * sysctl.d/50-default.conf: fix ping_group_range syntax error

Is this really good?

Ah, I see, it just fixes Matthias' enablement. Sorry for the noise.
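The two things this thread turns on are the syntax the kernel accepts for `net.ipv4.ping_group_range` (two plain integers; systemd-sysctl passes a quoted value through to `/proc/sys` verbatim and the kernel answers EINVAL) and whether an unprivileged process can then open an `IPPROTO_ICMP` datagram socket without CAP_NET_RAW. The following script is an added example, not code from the bug report or from the aaa_base, iputils or permissions packages. It lints a sysctl.d fragment for the quoting mistake, reports what a given range actually permits, and probes whether the current process can create a ping socket. The fragment it parses is a constructed sample modelled on the broken line quoted above, and the function names are my own.

```python
"""Check a sysctl.d fragment for the ping_group_range quoting mistake and probe
whether this process can open an unprivileged ICMP "ping socket".
Added example; not part of the bug report or of any openSUSE package."""
import errno
import os
import socket

# Constructed sample fragment (not the real /usr/lib/sysctl.d/50-default.conf),
# reproducing the quoted value that made systemd-sysctl fail with EINVAL.
SAMPLE_SYSCTL_D = """\
# constructed sample, not the real aaa_base file
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ping_group_range = "0 2147483647"
"""


def parse_sysctl_fragment(text):
    """Return {key: raw value} for a sysctl.d-style fragment.
    Comments and blank lines are skipped. The value is kept verbatim on purpose:
    systemd-sysctl writes it to /proc/sys as-is, quotes included."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip()] = value.strip()
    return settings


def check_ping_group_range(value):
    """Validate a ping_group_range value the way the kernel will read it.
    Returns (ok, low, high, message). Two non-negative integers separated by
    whitespace are required; low > high (the kernel's default "1 0") means no
    group may create ping sockets at all."""
    if '"' in value or "'" in value:
        return (False, None, None,
                "quotes are passed through to /proc/sys and rejected with EINVAL")
    parts = value.split()
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return (False, None, None, "expected exactly two non-negative integers")
    low, high = int(parts[0]), int(parts[1])
    if low > high:
        return (True, low, high, "valid, but disables ping sockets for every group")
    return (True, low, high,
            f"groups {low}..{high} may create IPPROTO_ICMP datagram sockets")


def gids_allowed(gids, low, high):
    """Return the sorted subset of gids that fall inside [low, high]; the kernel
    grants the socket if any supplementary group of the process qualifies."""
    return sorted(g for g in gids if low <= g <= high)


def can_open_ping_socket():
    """Try to create an IPPROTO_ICMP datagram socket without CAP_NET_RAW.
    True on success; False if the kernel refuses because no group of this
    process is inside ping_group_range (EACCES) or the feature is unavailable
    (EPROTONOSUPPORT). Any other error is unexpected and is re-raised."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP)
    except OSError as e:
        if e.errno in (errno.EACCES, errno.EPERM, errno.EPROTONOSUPPORT):
            return False
        raise
    s.close()
    return True


if __name__ == "__main__":
    settings = parse_sysctl_fragment(SAMPLE_SYSCTL_D)
    for value in (settings["net.ipv4.ping_group_range"], "0 2147483647", "1 0"):
        print(repr(value), "->", check_ping_group_range(value))
    print("process gids:", os.getgroups())
    print("ping socket without CAP_NET_RAW:", can_open_ping_socket())
```

Run it as an ordinary user on a host that has applied the aaa_base preset and the last line should print `True`; on a host still on the kernel default `1 0`, or one where the quoted value never got written, it prints `False`, which is the quickest way to confirm that a capability-less ping will actually work before the `%set_permissions` entries are removed.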
This is an autogenerated message for OBS integration: This bug (1174504) was mentioned in https://build.opensuse.org/request/show/931965 15.3 / permissions

We at QE-SAP need to know whether this change is to be documented somewhere before approving the update, because it changes a sysctl that is tracked by SAP in internal tests.

openSUSE-SU-2021:1520-1: An update that solves three vulnerabilities and has 27 fixes is now available.

Category: security (moderate)
Bug References: 1028975,1029961,1093414,1133678,1148788,1150345,1150366,1151190,1157498,1160285,1160764,1161335,1161779,1163588,1167163,1169614,1171164,1171173,1171569,1171580,1171686,1171879,1171882,1173221,1174504,1175720,1175867,1178475,1178476,1183669
CVE References: CVE-2019-3687,CVE-2019-3688,CVE-2020-8013
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): permissions-20200127-lp153.24.3.1

openSUSE-SU-2021:3899-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1162581,1174504,1191563,1192248
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): aaa_base-84.87+git20180409.04c9dae-3.52.1

SUSE-SU-2021:3899-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1162581,1174504,1191563,1192248
CVE References:
JIRA References:
Sources used:
SUSE MicroOS 5.1 (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE MicroOS 5.0 (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Server for SAP 15 (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Server 15-LTSS (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Enterprise Storage 6 (src): aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE CaaS Platform 4.0 (src): aaa_base-84.87+git20180409.04c9dae-3.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:1544-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1162581,1174504,1191563,1192248
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): aaa_base-84.87+git20180409.04c9dae-lp152.14.10.1

openSUSE-SU-2021:4192-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1174504
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): permissions-20181225-23.9.1

SUSE-SU-2021:4192-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1174504
CVE References:
JIRA References:
Sources used:
SUSE MicroOS 5.1 (src): permissions-20181225-23.9.1
SUSE MicroOS 5.0 (src): permissions-20181225-23.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): permissions-20181225-23.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): permissions-20181225-23.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.