On May 11, 2017 1:49:05 AM GMT+02:00, Adam Carter <adamcart...@gmail.com> wrote: >I want to allow some fairly well trusted users the ablilty to do traces >with icmp. I can give them sudo, but how high is the risk of making >traceroute suid root? AFAIK making text editors or anything that has an >ability to run shell commands suid root is effectively giving them root >access, but other than exploiting vulnerabilities in traceroute itself, >are >there any other issues?
You should be able to do this with capabilities. Presumably the capability needed is CAP_NET_RAW, therefore something like this should do the trick: setcap 'CAP_NET_RAW=+ep' `which traceroute`
