On Fri, Oct 18, 2024 at 07:48:43PM +0200, Paul Gevers wrote:
> Hi Noah,
> 
> On 18-10-2024 19:43, Noah Meyerhans wrote:
> > In bookworm and earlier, ping uses CAP_NET_RAW file capabilities in
> > order to obtain permission to transmit ICMP.  The version in trixie and
> > later no longer sets file based capabilities, instead relying on the
> > net.ipv4.ping_group_range sysctl.  This is a system-wide configuration,
> > not controlled by ping.  The default value, as set by the
> > linux-sysctl-defaults package in trixie+ and listed as a Recommends by
> > iputils-ping, grants permission for unprivileged users to run ping.
> > 
> > Based on the above, I don't see this as a bug in ping, but rather an
> > issue with the particular environment in which it's being executed.  My
> > recommendation is to ensure that you've got the sysctl value set
> > appropriately as from 
> > https://salsa.debian.org/kernel-team/linux-base/-/blob/master/sysctl.d/50-default.conf?ref_type=heads#L39-45
> 
> I don't follow from the above how the test can be flagged as a regression
> between unstable and testing then. The test in trixie passes, while it fails
> with binaries from unstable. Did the change you refer to above really
> already happen in trixie?

No, sorry, I thought the change had already propagated. But it turns out
that this issue is blocking it because of the impact to backuppc and
some others. Apologies for not noticing this already.

> As we currently test with lxc, do these settings really need to be set on
> the host, or should the test set them in the testbed?

The sysctl is namespaced, so it should suffice to set it in the
testbed container.

noah
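
A check a testbed could run before invoking a capability-less ping, added here as an illustration and not part of the original message or of iputils: it reads net.ipv4.ping_group_range inside the current network namespace and tests whether any of the caller's group IDs falls in the inclusive range. The function names and the sample range values in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# range_allows "LOW HIGH" GID...
# Returns 0 if any GID lies in the inclusive range [LOW, HIGH],
# 1 if none does, 2 if the range string is malformed.
# The kernel default "1 0" is an empty range, so it matches no group.
range_allows() {
    low=$(printf '%s\n' "$1" | awk '{print $1}')
    high=$(printf '%s\n' "$1" | awk '{print $2}')
    shift
    case "$low" in ''|*[!0-9]*) return 2 ;; esac
    case "$high" in ''|*[!0-9]*) return 2 ;; esac
    for gid in "$@"; do
        if [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]; then
            return 0
        fi
    done
    return 1
}

# check_current_user
# Reads the sysctl as seen from this network namespace (for example inside
# the lxc testbed) and compares it with the caller's effective and
# supplementary groups, as reported by `id -G`.
check_current_user() {
    f=/proc/sys/net/ipv4/ping_group_range
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    range=$(cat "$f")
    if range_allows "$range" $(id -G); then
        echo "unprivileged ICMP sockets permitted (range: $range)"
    else
        # Constructed sample remedy, to be run as root in the same namespace:
        #   sysctl -w net.ipv4.ping_group_range="0 2147483647"
        echo "not permitted for groups $(id -G) (range: $range)" >&2
        return 1
    fi
}

# Run the live check only when asked to, so sourcing the file has no effect.
if [ "${1:-}" = "--check" ]; then
    check_current_user
fi
```
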
