Public bug reported:

iputils-ping 3:20240905-1 removed the setcap from the binary, under the assumption that you don't need special privileges to open ICMP sockets (as introduced in 2011 in the kernel). However, that only is true if you have "net.ipv4.ping_group_range = 0 2147483647" (or similar) in sysctl.

So far, we didn't configure this variable in Ubuntu, resulting in the default value of "0 1", which only allows root to open those sockets. However, that could/should change with the latest merge of linux-base, which brought in linux-sysctl-defaults. That package ships /usr/lib/sysctl.d/50-defaults, with the following contents:

```
# System Request functionality of the kernel (SYNC)
#
# Use kernel.sysrq = 1 to allow all keys.
# See https://docs.kernel.org/admin-guide/sysrq.html for a list
# of values and keys.
kernel.sysrq = 0x01b6

# Append the PID to the core filename
kernel.core_uses_pid = 1

# Source route verification
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.*.rp_filter = 2
-net.ipv4.conf.all.rp_filter

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.*.accept_source_route = 0
-net.ipv4.conf.all.accept_source_route

# Promote secondary addresses when the primary address is removed
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.*.promote_secondaries = 1
-net.ipv4.conf.all.promote_secondaries

# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
# The upper limit is set to 2^31-1. Values greater than that get rejected by
# the kernel because of this definition in linux/include/net/ping.h:
# #define GID_T_MAX (((gid_t)~0U) >> 1)
# That's not so bad because values between 2^31 and 2^32-1 are reserved on
# systemd-based systems anyway: https://systemd.io/UIDS-GIDS#summary
-net.ipv4.ping_group_range = 0 2147483647

# Fair Queue CoDel packet scheduler to fight bufferbloat
-net.core.default_qdisc = fq_codel

# Enable hard and soft link protection
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

# Enable regular file and FIFO protection
fs.protected_regular = 2
fs.protected_fifos = 1
```

That new package is already in systemd's Recommends (has been there since Oracular, see bug 2089759). In parallel, procps in Debian has removed /etc/sysctl.conf entirely, and now also Recommends linux-sysctl-defaults.
To add to the fun, despite the systemd Recommends, linux-sysctl-defaults isn't part of the current plucky LXD images (built 2 days after that package was published in the release pocket).

** Affects: iputils (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: update-excuse

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to iputils in Ubuntu.
https://bugs.launchpad.net/bugs/2089938

Title:
  iputils 3:20240905-1 doesn't work for unprivileged users

Status in iputils package in Ubuntu:
  New
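The report above boils down to one kernel check: an unprivileged ICMP datagram socket is only granted when the caller's effective gid or one of its supplementary gids falls inside the inclusive net.ipv4.ping_group_range, and the upper bound is capped at GID_T_MAX (2^31-1). The following diagnostic is an added example, not code from the bug report, iputils or linux-sysctl-defaults; the helper names are mine, and it reproduces the kernel's range semantics so an operator can tell "range not configured" apart from "ping binary lacks capabilities" on an affected host.

```python
import errno
import os
import socket

PING_GROUP_RANGE = "/proc/sys/net/ipv4/ping_group_range"
GID_T_MAX = (0xFFFFFFFF >> 1)  # 2147483647, mirrors linux/include/net/ping.h


def parse_ping_group_range(text):
    """Parse the sysctl value "low high" (whitespace separated) into an int pair.

    Values above GID_T_MAX are rejected, as the kernel would reject them."""
    low, high = (int(field) for field in text.split())
    if low > GID_T_MAX or high > GID_T_MAX:
        raise ValueError("ping_group_range bound exceeds GID_T_MAX")
    return low, high


def gids_allowed(low, high, gids):
    """True if any gid in `gids` lies in the inclusive [low, high] range.

    A range whose low end exceeds its high end is empty, so nobody qualifies."""
    if low > high:
        return False
    return any(low <= gid <= high for gid in gids)


def unprivileged_ping_socket_error():
    """Attempt to open an ICMP datagram socket (what setcap-less ping tries first).

    Returns 0 on success, otherwise the errno (EACCES when the gid check fails)."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP)
    except OSError as exc:
        return exc.errno
    sock.close()
    return 0


def diagnose():
    """Compare the configured range against our gids and the real socket() outcome."""
    with open(PING_GROUP_RANGE) as fh:
        low, high = parse_ping_group_range(fh.read())
    gids = [os.getegid(), *os.getgroups()]
    err = unprivileged_ping_socket_error()
    return {
        "range": (low, high),
        "gid_in_range": gids_allowed(low, high, gids),
        "socket_errno": err,
        "socket_error": errno.errorcode.get(err, "OK") if err else "OK",
    }


if __name__ == "__main__":
    print(diagnose())
```

Run it as an ordinary user: `gid_in_range` False together with `socket_error` EACCES means the sysctl from 50-defaults is not in effect (the LXD-image case in the report), whereas True with a working socket means the capability-free ping is fine.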