Source: newpid
Version: 13
Severity: important
Tags: ftbfs patch

As of version 3:20240905-1 of iputils, ping is no longer installed with
CAP_NET_RAW or setuid root permissions.  Instead, it relies on the
net.ipv4.ping_group_range sysctl to grant non-root users the ability to use
it.  This change is impacting the newpid check-newnet tests as invoked by
autopkgtest, which create new network namespaces that don't grant
unprivileged users the ability to run ping.

If the newpid invocations in the tests run as root, that will fix the issue.
That may not be the ideal solution in all cases, but it does resolve the
issue when run with autopkgtest.  See the attached patch for one possible
implementation of this change.

For background on the iputils change, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008281

noah

-- System Information:
Debian Release: 12.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.10.11+bpo-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
From 60728458dabc3415b59230fad7738ab2dbea8d64 Mon Sep 17 00:00:00 2001
From: Noah Meyerhans <fr...@morgul.net>
Date: Thu, 24 Oct 2024 18:42:51 -0400
Subject: [PATCH] Fix unprivileged ping execution in autopkgtest

---
 debian/tests/control | 3 ++-
 test/Makefile        | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/debian/tests/control b/debian/tests/control
index 13b5c56..94d417c 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,3 +1,4 @@
 Depends: @, iputils-ping
-Test-Command: make check
+Test-Command: make check ROOTCMD=sudo
 Features: test-name=check
+Restrictions: needs-sudo
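Review bot: With `Restrictions: needs-sudo` on the only stanza in this file and `ROOTCMD=sudo` passed to the whole `make check`, a testbed that cannot provide sudo will skip every check, not just check-newnet. Consider a separate stanza that carries `needs-sudo` and runs only the check-newnet target, and keep a stanza without the restriction for the targets that need no privilege (check-zombie is visible in test/Makefile). Since the commit message has only a subject line, a short comment or commit body pointing at the iputils change (bug 1008281) would also record why root is needed here.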
diff --git a/test/Makefile b/test/Makefile
index 5bd3082..79714f5 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -11,8 +11,8 @@ check-zombie:
 check-newnet:
        # remove time/rtt output for reproducibility
        # iputils-ping 3:20190515-2 added a "ping: " prefix in front of errors, 
remove it for compatibility
-       ( newpid -n ping -q -c 1 -n 127.0.0.1 2>&1 | sed -e 
's/\(time\|rtt\).*//'; \
-         newpid -n ping -q -c 1 -n 192.0.2.1 2>&1 | sed -e 's/^ping: //' \
+       ( $(ROOTCMD) newpid -n ping -q -c 1 -n 127.0.0.1 2>&1 | sed -e 
's/\(time\|rtt\).*//'; \
+         $(ROOTCMD) newpid -n ping -q -c 1 -n 192.0.2.1 2>&1 | sed -e 
's/^ping: //' \
        ) | tee newnet.out
        diff -u newnet.expected newnet.out
 
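Review bot: `$(ROOTCMD)` in the check-newnet recipe has no default or comment visible in this hunk, so a plain `make check` expands it to nothing and still runs ping unprivileged inside the new namespace, which is the case the report says fails. Document the variable next to the existing comments in the recipe (for example, that it must be set to `sudo` when the caller is not root). Also note that with it set the whole `newpid` invocation runs as root, not only ping, so the test no longer covers unprivileged use of `newpid -n`.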
-- 
2.39.5
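
The failure described in the report can be checked from inside a namespace by comparing the caller's group ids with net.ipv4.ping_group_range. This is an added diagnostic, not part of newpid, iputils or the attached patch; the function names are hypothetical, and it assumes the kernel default of "1 0" (an empty range) in a newly created network namespace.

```shell
#!/bin/sh
# Added example: does net.ipv4.ping_group_range permit unprivileged ping?
# The sysctl holds "LOW HIGH" (inclusive, whitespace or tab separated).

# ping_range_allows RANGE GID...
# Returns 0 if any GID lies within RANGE, 1 if none does, 2 if RANGE is malformed.
ping_range_allows() {
    low=$(printf '%s\n' "$1" | awk '{print $1}')
    high=$(printf '%s\n' "$1" | awk '{print $2}')
    shift
    for n in "$low" "$high"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac
    done
    for gid in "$@"; do
        if [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]; then
            return 0
        fi
    done
    return 1
}

# ping_check_here: report on the namespace this shell is running in.
# A process holding CAP_NET_RAW (such as root) can open a raw socket instead,
# so a negative result here only describes the unprivileged path.
ping_check_here() {
    f=/proc/sys/net/ipv4/ping_group_range
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    range=$(cat "$f")
    # $(id -G) is deliberately unquoted: one argument per group id.
    if ping_range_allows "$range" $(id -G); then
        echo "ping sockets allowed for this user (range: $range)"
    else
        echo "ping sockets NOT allowed for this user (range: $range)"
    fi
}

ping_check_here || true
```

Sourcing the script under `newpid -n sh` as an unprivileged user shows the range seen inside the new namespace, which can differ from the host's.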
