• Bug#970827: ping: socket: Operation not permitted while apt dist-upgrad

    From Chris Hofstaedtler@1:229/2 to Guillem Jover on Sun Feb 23 23:30:01 2025
    XPost: linux.debian.bugs.dist
    From: [email protected]

    Hi,

    On Sat, Feb 05, 2022 at 02:02:23PM +0100, Guillem Jover wrote:
    > On Fri, 2022-02-04 at 19:35:10 -0800, Noah Meyerhans wrote:
    > > root@debian:~# ls -l `which ping`
    > > -rwxr-xr-x 1 root root 77432 Aug 23 19:08 /usr/bin/ping
    > > root@debian:~# getcap `which ping`
    > > /usr/bin/ping cap_net_raw=ep
    >
    > This looks like a limitation that would only be possible to solve by
    > dpkg and extending tar / cpio probably.

    From what I found it is possible to do this with tar and
    --xattrs-include='security.capability' when packing and unpacking.

    > > Ping requires elevated privileges in order to open its ICMP network
    > > sockets. The postinst script attempts to set a file-based cap_net_raw
    > > capability on the binary after installation, and falls back to setuid
    > > in case that fails (usually due to missing filesystem support for file
    > > capabilities). This workflow is racy, however, as there's a period of
    > > time when the file exists on disk but has not had any privilege
    > > acquisition mechanism applied to it. During this period of time,
    > > unprivileged users cannot run this program, when otherwise they could.
    > > Elimination of this race situation would likely require the ability
    > > for dpkg to initially create files with additional file-based
    > > capabilities.
    >
    > So, implementing this in dpkg, would require at least the upcoming
    > metadata tracking support
    > <https://wiki.debian.org/Teams/Dpkg/Spec/MetadataTracking>, which is
    > currently blocked. Another approach to get similar results would be
    > just having support in dpkg-statoverride (tracked in #502580).

    I've blocked 827479 and 1098773 on this bug; they request file
    capabilities (instead of setuid root) on newgrp and newuidmap,
    newgidmap.

    I don't really want to play postinst games in their respective
    packages, except if really necessary.

    > But a way to implement this more reliably already in iputils would be
    > to ship the file in the .deb as set-UID-root (so that it always can
    > work), and apply the POSIX capabilities and remove the set-UID-root
    > bit in the maintscript if the system supports the former.

    (I've seen this, but still. Would be a lot better without a
    postinst.)

    Chris

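As an added illustration (not part of this thread, and not iputils, dpkg or tar code): what the security.capability xattr that getcap reports above, and that tar's --xattrs-include='security.capability' carries across pack/unpack, actually contains. The decoder below handles the revision 1, 2 and 3 on-disk layouts of struct vfs_cap_data and renders them in getcap style; the sample bytes are constructed to correspond to cap_net_raw=ep.

```python
import struct

# Capability numbers from <linux/capability.h> (cap 0 .. cap 40).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # low bit of magic_etc: effective set == permitted set

def _cap_names(bits):
    """Expand a capability bitmask into cap_* names, ascending by cap number."""
    return [f"cap_{CAP_NAMES[i]}" if i < len(CAP_NAMES) else f"cap_{i}"
            for i in range(bits.bit_length()) if bits >> i & 1]

def decode_security_capability(raw):
    """Decode a raw security.capability xattr value (struct vfs_cap_data, little-endian)."""
    (magic,) = struct.unpack_from("<I", raw, 0)
    rev, rootid = magic >> 24, None
    if rev == 1 and len(raw) == 12:          # 32-bit permitted/inheritable masks only
        permitted, inheritable = struct.unpack_from("<II", raw, 4)
    elif rev == 2 and len(raw) == 20:        # two {permitted, inheritable} 32-bit halves
        p0, i0, p1, i1 = struct.unpack_from("<IIII", raw, 4)
        permitted, inheritable = p0 | p1 << 32, i0 | i1 << 32
    elif rev == 3 and len(raw) == 24:        # as rev 2, plus the user-namespace root uid
        p0, i0, p1, i1, rootid = struct.unpack_from("<IIIII", raw, 4)
        permitted, inheritable = p0 | p1 << 32, i0 | i1 << 32
    else:
        raise ValueError(f"unsupported vfs_cap_data revision {rev} / length {len(raw)}")
    return {"revision": rev, "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": _cap_names(permitted),
            "inheritable": _cap_names(inheritable), "rootid": rootid}

def getcap_text(caps):
    """Render like getcap(8): names sharing the same e/i/p flags are grouped."""
    flags = {}
    for name in caps["permitted"]:
        flags.setdefault(name, set()).update("p" + ("e" if caps["effective"] else ""))
    for name in caps["inheritable"]:
        flags.setdefault(name, set()).add("i")
    groups = {}
    for name, f in flags.items():
        groups.setdefault("".join(sorted(f)), []).append(name)
    return " ".join(f"{','.join(names)}={f}" for f, names in groups.items())

# Constructed sample: revision-2 value carrying exactly cap_net_raw (cap 13), effective.
PING_XATTR = bytes.fromhex("01000002" "00200000" "00000000" "00000000" "00000000")
```

On a live system the same bytes come from `os.getxattr(path, "security.capability")`, so a tarball or unpacked tree can be audited for file capabilities without relying on getcap being installed.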