Bug 1174504 - AUDIT-0: allow ping and ICMP commands without CAP_NET_RAW
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Priority: P5 - None
Severity: Normal
Assigned To: Security Team bot
Reported: 2020-07-26 18:12 UTC by Andreas Stieger
Modified: 2022-07-13 17:34 UTC

Description Andreas Stieger 2020-07-26 18:12:51 UTC
ping tools currently ship with CAP_NET_RAW. Consider dropping this in favor of using ICMP_PROTO sockets (a.k.a. dgram icmp, "ping sockets"). These are enabled via sysctl ping_group_range (net.ipv4.ping_group_range /proc/sys/net/ipv4/ping_group_range - covering IPv6 as well) and are supported since 3.0 and 3.11 for IPv6.

https://github.com/torvalds/linux/commit/c319b4d76b9e583a5d88d6bf190e079c4e43213d#diff-5b536a7a92abed603bbb4caa61613270R57

This would remove the need for RAW socket access while allowing users to do the same thing they can do now.

iputils:
/usr/bin/ping = cap_net_raw+p
/usr/bin/ping6 -> /usr/bin/ping

https://github.com/openSUSE/permissions/blob/master/profiles/permissions.secure#L141-L142

fping:
/usr/sbin/fping = cap_net_raw+ep

https://github.com/openSUSE/permissions/blob/master/profiles/permissions.secure#L341-L343

Last touched via bug 1047921 AUDIT-0: fping: possibly allow users to run non-disruptive options

User-mode traceroute -I would start working.

If reviewed okay, ship the sysctl preset to allow interactive users by default, and update iputils and fping to remove the capability (and others). iputils has had this support for a while, fping since 4.3.
Comment 1 Johannes Segitz 2020-07-27 07:18:20 UTC
Thanks for the idea, we'll have a look. Might take a while since it is not high on our priorities list.
Comment 2 Matthias Gerstner 2020-07-27 11:53:56 UTC
(In reply to Andreas.Stieger@gmx.de from comment #0)
> ping tools currently ship with CAP_NET_RAW. Consider dropping this in favor
> of using ICMP_PROTO sockets (a.k.a. dgram icmp, "ping sockets"). These are
> enabled via sysctl ping_group_range (net.ipv4.ping_group_range
> /proc/sys/net/ipv4/ping_group_range - covering IPv6 as well)
[...]
> If reviewed okay, ship the sysctl preset to allow interactive users by
> default, and update iputils and fping to remove the capability (and others).
> iputils has had this support for a while, fping since 4.3.

Security-wise the ICMP_PROTO sockets would be better. Currently we have:

- capability to create SOCK_RAW which allows the ping/fping programs to do
  pretty much everything on raw socket level.

With ICMP_PROTO sockets we would have:

- only processes with certain group IDs are granted permission to create these
  sockets
- only ICMP ECHO requests can be sent and nothing else

I only see a problem in the group configuration in ping_group_range. Currently
everybody in the system is allowed to ping. Pinging other hosts is a pretty
common operation also in scripts and system daemons. So how can we sensibly
select a safe and compatible range of group IDs for this?

In the simplest case we'd simply allow everybody to open ICMP_PROTO sockets
and would still be safer than with the current capability solution.
Comment 3 Johannes Segitz 2020-07-27 12:58:56 UTC
I think allowing all groups to ping would be the sensible choice here. Finding a subset would be difficult and we wouldn't gain much here.
Comment 4 Matthias Gerstner 2020-07-31 10:24:43 UTC
I tested the approach using protocol IPPROTO_ICMP and removing capabilities
from ping and fping. It all looks good. Therefore, as a first step, I've
created a PR [1] for aaa_base to set this sysctl setting by default.

[1]: https://github.com/openSUSE/aaa_base/pull/77

Once that change hits factory what remains to do is removing capabilities from
permissions and the %set_permissions and %verify_permissions invocations from
iputils and fping.

Maybe such a change should also be highlighted somewhere documentation wise?
Comment 5 OBSbugzilla Bot 2020-09-09 07:30:10 UTC
This is an autogenerated message for OBS integration:
This bug (1174504) was mentioned in
https://build.opensuse.org/request/show/833187 Factory / aaa_base
Comment 6 Matthias Gerstner 2020-09-09 10:15:31 UTC
The change has now been accepted to aaa_base. Once the new aaa_base package is
available in Factory I will test the change once again and remove the
capability bits from permissions and the related packages.
Comment 7 André Werlang 2020-09-15 17:40:11 UTC
Seems the change is incorrect (wrong quoting)?

Sep 15 19:02:01 localhost systemd-sysctl[1021]: Couldn't write '"0 2147483647"' to 'net/ipv4/ping_group_range': Invalid argument
Comment 8 Hans-Peter Jansen 2020-09-16 04:17:50 UTC
(In reply to André Werlang from comment #7)
> Seems the change is incorrect (wrong quoting)?

It appears you're right; without quotes it behaves fine:

$ sysctl -p /usr/lib/sysctl.d/50-default.conf
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
net.ipv6.conf.default.use_tempaddr = 1
net.ipv4.ping_group_range = 0 2147483647
fs.inotify.max_user_watches = 65536
kernel.sysrq = 184
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.kptr_restrict = 1
Comment 9 Matthias Gerstner 2020-09-16 07:22:29 UTC
(In reply to beppe85@gmail.com from comment #7)
> Seems the change is incorrect (wrong quoting)?
> 
> Sep 15 19:02:01 localhost systemd-sysctl[1021]: Couldn't write '"0 2147483647"' to 'net/ipv4/ping_group_range': Invalid argument

Strange, I could have sworn that I tested this before I created the PR. It
looks like sysctl passes on the quotes to the pseudo file, resulting in the
EINVAL error.

Thank you for reporting this. I will create a follow-up PR to fix this.
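The ICMP_PROTO socket path from comment 2 and the ping_group_range quoting failure from comments 7 to 9, as an added example that is not code from the bug report, iputils, fping or aaa_base. It assumes a Linux kernel with ping sockets (3.0 or later) and a readable /proc/sys/net/ipv4/ping_group_range; the loopback destination is a constructed sample.

```c
/* Added example (not from the bug report, iputils, fping or aaa_base): parse
 * ping_group_range as the kernel does and open a CAP_NET_RAW-free ICMP socket. */
#include <errno.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Two non-negative integers and nothing else: a value still carrying shell quotes
 * ("\"0 2147483647\"") fails, as in the EINVAL from comment 7; "1 0" (default, no group) is fine. */
int parse_ping_group_range(const char *text, long *lo, long *hi)
{
    char tail[2];
    if (sscanf(text, "%ld %ld%1s", lo, hi, tail) != 2 || *lo < 0 || *hi < 0)
        return -1;
    return 0;
}

/* A gid may open ping sockets iff lo <= gid <= hi (never true for "1 0"). */
int gid_may_ping(long gid, long lo, long hi) { return lo <= gid && gid <= hi; }

/* Returns the fd, or -errno: EACCES if egid is outside the range, EPROTONOSUPPORT without ping sockets. */
int open_ping_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    return fd >= 0 ? fd : -errno;
}

int main(void)
{
    char buf[64] = ""; long lo, hi;
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (!f || !fgets(buf, sizeof buf, f) || parse_ping_group_range(buf, &lo, &hi)) {
        fprintf(stderr, "no valid ping_group_range: %s\n", buf); return 1;
    }
    fclose(f);
    printf("range %ld..%ld, egid %u may ping: %s\n", lo, hi, (unsigned)getegid(),
           gid_may_ping(getegid(), lo, hi) ? "yes" : "no");
    int fd = open_ping_socket();
    if (fd < 0) { fprintf(stderr, "IPPROTO_ICMP socket: %s\n", strerror(-fd)); return 1; }
    /* Only ICMP_ECHO/code 0 is accepted here; the kernel fills in id and checksum. */
    struct icmphdr echo = { .type = ICMP_ECHO, .un.echo.sequence = htons(1) };
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (sendto(fd, &echo, sizeof echo, 0, (struct sockaddr *)&dst, sizeof dst) < 0)
        perror("sendto");
    close(fd);
    return 0;
}
```

Run it once as an unprivileged user with the sysctl set to `0 2147483647` and once with the kernel default `1 0` to see the EACCES path without any capability bits involved.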
Comment 10 Gene Snider 2020-09-16 23:36:26 UTC
I made the change to /usr/lib/sysctl.d/50-default.conf, and most of the errors stopped.  However, I still get these two lines:

Sep 16 16:13:04 Mobile-PC systemd[1]: Failed to start Apply Kernel Variables.
Sep 16 16:13:04 Mobile-PC systemd-sysctl[222]: Couldn't write '"0 2147483647"' to 'net/ipv4/ping_group_range': Invalid argument

Is there another file that contains that improperly formatted line?

Thanks,
Gene
Comment 11 Hans-Peter Jansen 2020-09-17 05:41:52 UTC
(In reply to Gene Snider from comment #10)
> I made the change to /usr/lib/sysctl.d/50-default.conf, and most of the
> errors stopped.  However, I still get these two lines:
> 
> Sep 16 16:13:04 Mobile-PC systemd[1]: Failed to start Apply Kernel Variables.
> Sep 16 16:13:04 Mobile-PC systemd-sysctl[222]: Couldn't write '"0
> 2147483647"' to 'net/ipv4/ping_group_range': Invalid argument
> 
> Is there another file that contains that improperly formatted line?

Run mkinitrd
Comment 12 Gene Snider 2020-09-17 18:57:34 UTC
Thanks, that finished the fix.

Gene
Comment 13 Matthias Gerstner 2020-10-07 12:13:57 UTC
The bug that slipped is fixed by now in Factory/Tumbleweed.

I will now prepare submissions for permissions (removal of capability bits)
and iputils and fping (removal of %set_permissions macros & co.).
Comment 14 Petr Vorel 2020-10-07 13:05:03 UTC
Thanks for addressing this. I prepared PR for iputils (ping)
https://github.com/openSUSE/permissions/pull/99
Comment 15 OBSbugzilla Bot 2020-10-08 10:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (1174504) was mentioned in
https://build.opensuse.org/request/show/840211 Factory / permissions
Comment 16 Matthias Gerstner 2020-10-21 09:35:23 UTC
Current Tumbleweed ships ping without capabilities, the permissions entries
are gone, the ICMP_PROTO sockets work by default. The fping submission to
remove the permissions invocation is still pending but will be accepted
eventually I guess.

Closing this bug as fixed.
Comment 20 Marcus Meissner 2021-11-08 08:21:23 UTC
the submission of aaa_base contains:

+- Add patch git-34-9a1bc15517d6da56d75182338c0f1bc4518b2b75.patch
+  * sysctl.d/50-default.conf:
+    allow everybody to create IPPROTO_ICMP sockets (bsc#1174504)
+- Add patch git-35-91f496b1f65af29832192bad949685a7bc25da0a.patch
+  * sysctl.d/50-default.conf: fix ping_group_range syntax error
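Review bot: the second entry (fix ping_group_range syntax error) repairs a defect introduced by the first patch in this same submission, the quoted value that systemd-sysctl rejected with EINVAL in comment 7, but nothing in the entry says so; phrasing it as "fix ping_group_range quoting from the previous patch" would stop readers from taking the two lines as independent changes.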


is this really good?
Comment 21 Marcus Meissner 2021-11-08 08:22:43 UTC
Ah, I see, it just fixes Matthias' enablement. Sorry for the noise.
Comment 22 OBSbugzilla Bot 2021-11-17 15:42:16 UTC
This is an autogenerated message for OBS integration:
This bug (1174504) was mentioned in
https://build.opensuse.org/request/show/931965 15.3 / permissions
Comment 24 Ricardo Branco 2021-11-18 14:21:01 UTC
We at QE-SAP need to know whether this change is to be documented somewhere before approving the update because it changes a sysctl that is tracked by SAP in internal tests.
Comment 33 Swamp Workflow Management 2021-12-02 20:20:44 UTC
openSUSE-SU-2021:1520-1: An update that solves three vulnerabilities and has 27 fixes is now available.

Category: security (moderate)
Bug References: 1028975,1029961,1093414,1133678,1148788,1150345,1150366,1151190,1157498,1160285,1160764,1161335,1161779,1163588,1167163,1169614,1171164,1171173,1171569,1171580,1171686,1171879,1171882,1173221,1174504,1175720,1175867,1178475,1178476,1183669
CVE References: CVE-2019-3687,CVE-2019-3688,CVE-2020-8013
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    permissions-20200127-lp153.24.3.1
Comment 34 Swamp Workflow Management 2021-12-03 15:12:30 UTC
openSUSE-SU-2021:3899-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1162581,1174504,1191563,1192248
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
Comment 35 Swamp Workflow Management 2021-12-03 15:15:46 UTC
SUSE-SU-2021:3899-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1162581,1174504,1191563,1192248
CVE References: 
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE MicroOS 5.0 (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Server for SAP 15 (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Server 15-LTSS (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE Enterprise Storage 6 (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1
SUSE CaaS Platform 4.0 (src):    aaa_base-84.87+git20180409.04c9dae-3.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 36 Swamp Workflow Management 2021-12-06 18:07:11 UTC
openSUSE-SU-2021:1544-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1162581,1174504,1191563,1192248
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    aaa_base-84.87+git20180409.04c9dae-lp152.14.10.1
Comment 38 Swamp Workflow Management 2021-12-28 14:17:36 UTC
openSUSE-SU-2021:4192-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1174504
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    permissions-20181225-23.9.1
Comment 39 Swamp Workflow Management 2021-12-28 14:18:52 UTC
SUSE-SU-2021:4192-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1174504
CVE References: 
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    permissions-20181225-23.9.1
SUSE MicroOS 5.0 (src):    permissions-20181225-23.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    permissions-20181225-23.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    permissions-20181225-23.9.1