[TriLUG] icmp as non-root (on Mandrake)

Tanner Lovelace clubjuggler at gmail.com
Tue Sep 28 08:53:51 EDT 2004


On 28 Sep 2004 00:15:46 -0400, Jon Carnes <jonc at nc.rr.com> wrote:
> ... and indeed if you look on systems where ping works:
> 
> $ ls -l /bin |grep ping
> -rwsr-xr-x    1 root     root        28628 Jan 24  2003 ping
> 
> ... and on Mandrake 10:
> 
> # ls -l /bin |grep ping
> -rwsr-xr-x  1 root root    22456 Jul 10  2003 fping*
> -rwxr-x---  1 root ntools  30860 Jul 28  2003 ping*
> 
> Interesting... Note that "fping" is set-uid root while ping will only
> work if you *are* root. Fping works fine as a user
> 
> If you want ping to work as a user then:
> chmod u+s /bin/ping
> 
> Of course I'm betting that MSEC will change it back unless you edit the
> file: /usr/share/msec/perm.<msec level>

Please don't edit these files.  Besides changing msec's idea of defaults,
you run the risk of having your modifications undone if you upgrade msec.
Instead, you can add it to your local perm.local file in
/etc/security/msec/perm.local.

If you do the command "grep ping /usr/share/msec/perm.?" you get this:

perm.0:/bin/ping                                        root.root     4755
perm.1:/bin/ping                                        root.root     4755
perm.2:/bin/ping                                        root.root     4755
perm.3:/bin/ping                                        root.root     4755
perm.4:/bin/ping                                        root.ntools   4750
perm.5:/bin/ping                                        root.ntools   4750

So, take the line from perm.[0123] and add that to /etc/security/msec/perm.local
if you really want to change it back.  

Alternatively, a more secure option would be to add the users you want
to be able to use ping, and other network tools, to the ntools group.  At higher
msec levels you can separate out privileges like that with groups.  There are
groups for network tools which include the use of programs like ping, finger,
ssh, telnet, w, who, and traceroute.  There is also a group for compiler tools
(ctools) which limits the use of cc, gcc, g++, and access to /boot.  I would
suggest looking into this option before trying to modify file permissions.
The permissions were set that way for a good reason and you should think about
the ramifications of those reasons before just changing them back.

Note, btw, that you should also not edit any of the /usr/share/msec/level.?
files either but put all local modifications into
/etc/security/msec/level.local.  You can learn more about how msec works at
http://www.mandrakesecure.net/en/docs/msec.php

Cheers,
Tanner
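The following script is an added illustration and is not part of the mail above or of msec itself. It models the two points the reply makes: an entry in perm.local takes precedence over the matching entry in the perm.<level> file, and a setuid-root ping restricted to group ntools (4750) is exposed to far fewer users than a world-executable one (4755). The perm file locations are passed in as arguments so it runs against constructed sample files; the entry format (path, owner.group, octal mode) is taken from the grep output quoted in the mail, and the real paths are the ones the mail names.

```shell
#!/bin/sh
# Added example, not code from the mail or from msec.  Resolves the effective
# msec permission entry for a path (perm.local overrides perm.<level>) and
# reports who can execute a binary under that entry.

# msec_effective_entry LEVELFILE LOCALFILE TARGET
# Prints "owner.group mode" for TARGET; the last file that defines it wins,
# so a perm.local entry overrides the perm.<level> entry.
msec_effective_entry() {
    level_file=$1; local_file=$2; target=$3
    entry=""
    for f in "$level_file" "$local_file"; do
        [ -r "$f" ] || continue
        # Entry format (from the mail): path  owner.group  mode
        line=$(awk -v p="$target" '$1 == p { print $2, $3 }' "$f" | tail -n 1)
        if [ -n "$line" ]; then entry=$line; fi
    done
    printf '%s\n' "$entry"
}

# msec_describe_entry OWNER.GROUP MODE
# Says whether the mode carries the setuid bit and which users may execute
# the file: anyone, only members of the entry's group, or only the owner.
msec_describe_entry() {
    ownergroup=$1; mode=$2
    group=${ownergroup#*.}
    # A leading 4 in a four-digit octal mode is the setuid bit.
    case $mode in
        4???) suid="setuid-root" ;;
        *)    suid="not setuid" ;;
    esac
    # Last octal digit = "other" bits; odd means world-executable.
    other=${mode#${mode%?}}
    case $other in
        1|3|5|7) scope="any user" ;;
        *)
            # Second-to-last digit = group bits.
            grp=${mode#${mode%??}}; grp=${grp%?}
            case $grp in
                1|3|5|7) scope="members of group $group only" ;;
                *)       scope="owner only" ;;
            esac ;;
    esac
    printf '%s, runnable by %s\n' "$suid" "$scope"
}

# msec_demo DIR: resolve /bin/ping from DIR/perm.4 and DIR/perm.local.
msec_demo() {
    entry=$(msec_effective_entry "$1/perm.4" "$1/perm.local" /bin/ping)
    og=${entry%% *}; md=${entry##* }
    msec_describe_entry "$og" "$md"
}

# Constructed sample files mirroring the mail's level-4 entry and the
# perm.local override it suggests (copied from perm.0..3).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '/bin/ping    root.ntools    4750\n' > "$demo_dir/perm.4"
printf '/bin/ping    root.root      4755\n' > "$demo_dir/perm.local"

echo "level 4 only : $(msec_effective_entry "$demo_dir/perm.4" /nonexistent /bin/ping)"
echo "with override: $(msec_effective_entry "$demo_dir/perm.4" "$demo_dir/perm.local" /bin/ping)"
echo "effective    : $(msec_demo "$demo_dir")"
```

Running it prints the level-4 entry (root.ntools 4750), then the overriding perm.local entry (root.root 4755), and finally "setuid-root, runnable by any user" for the effective result, which is exactly the exposure the mail warns about; removing the perm.local line leaves ping runnable by ntools members only.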
