On Wed, Dec 14, 2016 at 03:14:51PM +0100, Jeremie Courreges-Anglas wrote:
> Reyk Floeter <r...@openbsd.org> writes:
>
> > On Tue, Dec 13, 2016 at 02:03:37PM -0500, Michael W. Lucas wrote:
> >> On Tue, Dec 13, 2016 at 02:21:51AM +0100, Jeremie Courreges-Anglas wrote:
> >> > "Michael W. Lucas" <mwlu...@michaelwlucas.com> writes:
> >> >
> >> > > Hi,
> >> >
> >> > Hi,
> >> >
> >> > > Running the 12/12 snapshot, amd64.
> >> > >
> >> > > I'm setting up the looking glass CGI included with httpd. Requests for
> >> > > ping and traceroute fail.
> >> > >
> >> > > Per bgplg(8), I've set mode 4555 on the static binaries:
> >> > >
> >> > > ls -lai /var/www/bin/
> >> > > total 1844
> >> > > 77958 drwxr-xr-x   2 root  daemon     512 Dec 11 17:47 .
> >> > > 77956 drwxr-xr-x  15 root  daemon     512 Dec 12 15:35 ..
> >> > > 77959 -r-xr-xr-x   1 root  bin     256240 Dec  8 12:09 bgpctl
> >> > > 77978 -rwxr-xr-x   1 root  bin     273200 Dec  8 15:36 femail
> >> > > 77960 -r-sr-xr-x   2 root  bin     318320 Dec  8 12:09 ping
> >> > > 77960 -r-sr-xr-x   2 root  bin     318320 Dec  8 12:09 ping6
> >> > > 77961 -r-sr-xr-x   2 root  bin     281168 Dec  8 12:09 traceroute
> >> > > 77961 -r-sr-xr-x   2 root  bin     281168 Dec  8 12:09 traceroute6
> >> > >
> >> > > Ping and traceroute run fine as root. As an unprivileged user, though,
> >> > > I get:
> >> > >
> >> > > ./ping 8.8.8.8
> >> > > ping: socket: Permission denied
> >> > >
> >> > > $ ./traceroute 8.8.8.8
> >> > > traceroute: unable to revoke privs: Operation not permitted
> >> > >
> >> > > Any suggestions? Or have I found a bug?
> >> >
> >> > Is the partition that holds /var/www/bin mounted "nosuid"?
> >>
> >> (Replying mostly for the archives.)
> >>
> >> Yes, /var is mounted nosuid.
> >>
> >> bgplg(8) has lovely detailed instructions on how to set it up,
> >> including setting the suid bit, but don't mention that detail.
> >>
> >
> > And, for the sake of completeness, it should mention that detail.
>
> Agreed, Michael isn't the first one to stumble upon this.
>
> > Does the attached wording sound right?
>
> Looks better than the diff I had, ok jca@
>
Thanks, I committed it with a tweak from jmc@ > > Reyk > > > > Index: usr.bin/bgplg/bgplg.8 > > =================================================================== > > RCS file: /cvs/src/usr.bin/bgplg/bgplg.8,v > > retrieving revision 1.15 > > diff -u -p -u -p -r1.15 bgplg.8 > > --- usr.bin/bgplg/bgplg.8 10 Sep 2015 15:16:44 -0000 1.15 > > +++ usr.bin/bgplg/bgplg.8 14 Dec 2016 13:53:14 -0000 > > @@ -153,6 +153,12 @@ To enable the corresponding functionalit > > .Xr chmod 1 > > utility to manually set the file permission mode to 0555 or anything > > appropriate. > > +Some of these executables need the set-user-ID bit; > > +enabling them requires to mount the filesystem of > > +.Pa /var/www > > +without the > > +.Ic nosuid > > +option. > > .Pp > > .Bl -tag -width "/var/www/bin/traceroute6XX" -compact > > .It Pa /var/www/cgi-bin/bgplg > > > > > -- > jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
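Review bot: In the added sentence, "enabling them requires to mount the filesystem of" is ungrammatical and indirect for a manual page; wording such as "the filesystem holding .Pa /var/www must be mounted without the .Ic nosuid option" states the requirement outright. The sentence also says "Some of these executables" without naming them, while the unchanged context line just above still recommends mode 0555, so this paragraph alone does not tell the reader which files need the bit or which mode sets it; naming the binaries concerned and the set-user-ID mode next to this sentence would close that gap. Because the option applies to the whole filesystem that holds /var/www, it is worth saying so here, so the reader knows the change is not limited to /var/www/bin.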
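A check for the situation discussed in this thread, as an added example that is not part of the original messages or of bgplg: it parses mount(8) output to find the filesystem that holds a directory and reports whether set-user-ID bits there are ignored because of nosuid. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout printed by mount(8); not taken from the thread.
SAMPLE_MOUNTS='/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr type ffs (local, nodev)
/dev/sd0e on /var type ffs (local, nodev, nosuid)'

# nosuid_mount PATH: read mount(8) output on stdin, pick the mount point that is
# the longest directory-boundary prefix of PATH, and print it.
# Exit status: 0 = that filesystem is nosuid, 1 = it is not, 2 = no match.
nosuid_mount() {
    awk -v path="$1" '
    $2 == "on" {
        mp = $3
        pre = (mp == "/") ? "/" : mp "/"
        if (index(path "/", pre) == 1 && length(mp) > length(best)) {
            best = mp
            opts = $0
            sub(/^[^(]*\(/, "", opts)     # drop everything up to "("
            sub(/\)[^)]*$/, "", opts)     # drop the closing ")"
        }
    }
    END {
        if (best == "") exit 2
        print best
        n = split(opts, o, /, */)
        for (i = 1; i <= n; i++) if (o[i] == "nosuid") exit 0
        exit 1
    }'
}

# report DIR: read mount(8) output on stdin and list the set-user-ID files in
# DIR, saying whether the bit is honoured on the filesystem that holds them.
report() {
    rc=0
    mp=$(nosuid_mount "$1") || rc=$?
    case $rc in
        0) state="ignored: $mp is mounted nosuid" ;;
        1) state="honoured on $mp" ;;
        *) echo "no filesystem found for $1" >&2; return 2 ;;
    esac
    for f in "$1"/*; do
        if [ -f "$f" ] && [ -u "$f" ]; then echo "$f: set-user-ID bit $state"; fi
    done
    return "$rc"
}

# Demo on the constructed sample; on a live host run: mount | report /var/www/bin
printf '%s\n' "$SAMPLE_MOUNTS" | nosuid_mount /var/www/bin
```

The prefix match is done on directory boundaries, so a path such as /variable is attributed to / rather than to /var.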