On Wed, Mar 18, 2015 at 12:12:48PM +0100, John Paul Adrian Glaubitz wrote:
> The new version of iputils in Jessie uses capabilities instead of set-uid
> to gain the necessary privileges to send ICMP requests. While this is a
> great improvement with regards to security, it currently may lead to
> rendering the ping and arping commands unusable for non-root users.

iputils-ping, as priority "important", cannot declare a dependency on
libcap2-bin, which is priority "optional". Thus, the Recommends
relationship. It is perfectly valid to run a system with iputils-ping
installed and setcap2-bin not installed, with no loss of functionality.

The iputils-ping postinst script takes care to handle the case where
setcap is either not available or not functional (due e.g. to running on
a filesystem that doesn't support capabilities). In such a case, it falls
back to setting the setuid bit on the binary, which allows non-root users
to run the program. The code in question:

    if command -v setcap > /dev/null; then
        if setcap cap_net_raw+ep /bin/ping cap_net_raw+ep /bin/ping6; then
            echo "Setcap worked! Ping(6) is not suid!"
        else
            echo "Setcap failed on /bin/ping, falling back to setuid" >&2

If this isn't working for you, you'll need to send some more details
about your system. The output from the postinst script may be helpful
(even though it shouldn't actually be there; see Bug #757433)

noah
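One way to collect the system details requested in the message above, as an added example that is not part of the original message or of the iputils-ping package: it reports whether each ping binary is privileged through a file capability, through the setuid fallback, or not at all. The helper names `priv_mode` and `report` are hypothetical, and the script assumes getcap prints the capability list after the file name.

```shell
#!/bin/sh
# Added example, not part of iputils-ping. priv_mode and report are
# hypothetical helper names.

# priv_mode FILE: print how FILE gets raw-socket privilege:
#   capability | setuid | setuid-not-root | none | missing
priv_mode() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    if command -v getcap >/dev/null 2>&1; then
        # Assumption: getcap prints "<file> <caps>"; strip the file name so
        # a path containing "cap_net_raw" cannot cause a false match.
        out=$(getcap "$f" 2>/dev/null) || out=
        case ${out#"$f"} in
            *cap_net_raw*) echo capability; return 0 ;;
        esac
    fi
    if [ -u "$f" ]; then
        # The setuid fallback only helps when root (uid 0) owns the binary.
        owner=$(ls -lnL "$f" | awk '{print $3}')
        if [ "$owner" = 0 ]; then echo setuid; else echo setuid-not-root; fi
        return 0
    fi
    echo none
}

# report FILE...: summarize tool availability and each binary's state.
report() {
    for tool in setcap getcap; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "$tool: available"
        else
            echo "$tool: not found"
        fi
    done
    for f in "$@"; do
        echo "$f: $(priv_mode "$f")"
    done
}

report /bin/ping /bin/ping6
```

If getcap is not on the invoking user's PATH, a capability-enabled binary is reported as `none`, so read the `getcap:` line of the report first.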