Thanks Noah. I was not sure if ping is using suid as in the past, or the capabilities.
You are of course right:

root@debian:~# ls -l `which ping`
-rwxr-xr-x 1 root root 77432 Aug 23 19:08 /usr/bin/ping
root@debian:~# getcap `which ping`
/usr/bin/ping cap_net_raw=ep
root@debian:~#

This looks like a limitation that would only be possible to solve by dpkg and extending tar / cpio probably.

From what I found it is possible to do this with tar and --xattrs-include='security.capability' when packing and unpacking.

There are some hacky non-standard patches for cpio, https://github.com/initlove/cpio/commit/531cabc88e9ecdc3231fad6e4856869baa9a91ef , but afaik not upstreamed. And even more hacky support in kernel for initramfs uses: https://lists.gnu.org/archive/html/bug-cpio/2019-05/msg00001.html

I didn't see any real updates on this topic, the last one is from the middle of 2019.

I agree it is hard.

Cheers.

On Thu, 24 Sep 2020 at 02:51, Noah Meyerhans <no...@debian.org> wrote:
>
> Control: severity -1 minor
>
> > 1) ping is working
> > 2) start apt dist-upgrade
> > 3) at some point new ping stops working with ping: socket: Operation not
> > permitted
> > for minutes.
> > 4) apt dist-upgrade finishes
> > 5) ping works again
>
> The ping process requires the ability to open a raw network socket,
> which is a privileged operation. The ping binary contained within the
> package is completely unprivileged, so when it's initially installed it
> can only be executed by the root user or some other user that has
> retained the cap_net_raw capability. Later in the installation process,
> the package's post-install script tries to add the cap_net_raw
> file-based capability to the binary as that's the safest (least
> privileged) way to grant users the ability to run ping. If that fails,
> probably because the system is configured with some unusual filesystem
> that doesn't support file-based capabilities, then the script sets the
> suid bit on the binary, granting unprivileged users the ability to run
> ping with a slight reduction in the security posture.
>
> I'm not sure of a practical way to avoid this situation. If .deb files
> could contain files with capabilities set on them, then this would
> likely improve the situation for most users, but I believe it's still
> the case that this isn't possible.
>
> You can see the script in question at
> https://salsa.debian.org/debian/iputils/-/blob/master/debian/iputils-ping.postinst
>
> noah
>
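
The three states this thread describes for the ping binary (unprivileged as unpacked, cap_net_raw once the post-install script has run, suid as the fallback) can be told apart from the file mode and the security.capability xattr. The following is an added example, not part of the original message or the iputils packaging; the function names are hypothetical, the sample value is constructed, and the xattr layout is assumed to follow the kernel's vfs_cap_data structure.

```python
import os
import stat
import struct

CAP_NET_RAW = 13                      # bit number from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> number of 32-bit (permitted, inheritable) pairs in the xattr
_PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}


def parse_file_caps(blob):
    """Decode a security.capability xattr into (permitted, inheritable, effective)."""
    magic = int.from_bytes(blob[:4], "little")
    pairs = _PAIRS.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None or len(blob) < 4 + 8 * pairs:
        raise ValueError("unrecognised security.capability value")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return permitted, inheritable, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def ping_privilege_state(mode, cap_blob):
    """Classify a ping binary from its st_mode and xattr value (None if unset)."""
    if cap_blob:
        permitted, _, effective = parse_file_caps(cap_blob)
        if effective and permitted & (1 << CAP_NET_RAW):
            return "capability"       # post-install setcap succeeded
    if mode & stat.S_ISUID:
        return "suid"                 # post-install fallback
    return "unprivileged"             # as unpacked, before the postinst has run


def inspect(path):
    """Read mode and xattr from a real file (Linux only)."""
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError:                   # no xattr set, or filesystem lacks support
        blob = None
    return ping_privilege_state(os.stat(path).st_mode, blob)


# Constructed sample: the 20-byte revision-2 value getcap shows as cap_net_raw=ep.
SAMPLE_CAP_NET_RAW_EP = struct.pack("<IIIII", 0x02000001, 1 << CAP_NET_RAW, 0, 0, 0)
```

Calling inspect() on the ping path during an upgrade would return "unprivileged" for the window in which non-root users get "Operation not permitted".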