On Tue, Dec 13, 2016 at 02:03:37PM -0500, Michael W. Lucas wrote:
> On Tue, Dec 13, 2016 at 02:21:51AM +0100, Jeremie Courreges-Anglas wrote:
> > "Michael W. Lucas" <mwlu...@michaelwlucas.com> writes:
> >
> > > Hi,
> >
> > Hi,
> >
> > > Running the 12/12 snapshot, amd64.
> > >
> > > I'm setting up the looking glass CGI included with httpd. Requests for
> > > ping and traceroute fail.
> > >
> > > Per bgplg(8), I've set mode 4555 on the static binaries:
> > >
> > > ls -lai /var/www/bin/
> > > total 1844
> > > 77958 drwxr-xr-x 2 root daemon 512 Dec 11 17:47 .
> > > 77956 drwxr-xr-x 15 root daemon 512 Dec 12 15:35 ..
> > > 77959 -r-xr-xr-x 1 root bin 256240 Dec 8 12:09 bgpctl
> > > 77978 -rwxr-xr-x 1 root bin 273200 Dec 8 15:36 femail
> > > 77960 -r-sr-xr-x 2 root bin 318320 Dec 8 12:09 ping
> > > 77960 -r-sr-xr-x 2 root bin 318320 Dec 8 12:09 ping6
> > > 77961 -r-sr-xr-x 2 root bin 281168 Dec 8 12:09 traceroute
> > > 77961 -r-sr-xr-x 2 root bin 281168 Dec 8 12:09 traceroute6
> > >
> > > Ping and traceroute run fine as root. As an unprivileged user, though,
> > > I get:
> > >
> > > ./ping 8.8.8.8
> > > ping: socket: Permission denied
> > >
> > > $ ./traceroute 8.8.8.8
> > > traceroute: unable to revoke privs: Operation not permitted
> > >
> > > Any suggestions? Or have I found a bug?
> >
> > Is the partition that holds /var/www/bin mounted "nosuid"?
>
> (Replying mostly for the archives.)
>
> Yes, /var is mounted nosuid.
>
> bgplg(8) has lovely detailed instructions on how to set it up,
> including setting the suid bit, but don't mention that detail.
>
And, for the sake of completeness, it should mention that detail. Does the attached wording sound right? Reyk Index: usr.bin/bgplg/bgplg.8 =================================================================== RCS file: /cvs/src/usr.bin/bgplg/bgplg.8,v retrieving revision 1.15 diff -u -p -u -p -r1.15 bgplg.8 --- usr.bin/bgplg/bgplg.8 10 Sep 2015 15:16:44 -0000 1.15 +++ usr.bin/bgplg/bgplg.8 14 Dec 2016 13:53:14 -0000 @@ -153,6 +153,12 @@ To enable the corresponding functionalit .Xr chmod 1 utility to manually set the file permission mode to 0555 or anything appropriate. +Some of these executables need the set-user-ID bit; +enabling them requires to mount the filesystem of +.Pa /var/www +without the +.Ic nosuid +option. .Pp .Bl -tag -width "/var/www/bin/traceroute6XX" -compact .It Pa /var/www/cgi-bin/bgplg
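Review bot: In the added sentence, "enabling them requires to mount the filesystem of" is ungrammatical and "Some of these executables" does not say which ones; something like "the filesystem containing /var/www must be mounted without the nosuid option" reads better, ideally naming the binaries that need the bit. The unchanged context just above still tells the reader to set mode 0555, so the set-user-ID mode should be stated next to this sentence (the report in this thread used 4555 on ping, ping6, traceroute and traceroute6). Since the report had /var itself mounted nosuid, the text could also say that the option applies to the whole filesystem holding /var/www, so the reader understands that dropping it affects everything on that mount point and not only /var/www/bin.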