Why /usr/sbin is not in my root $PATH ?

classic Classic list List threaded Threaded
72 messages Options
1234
Reply | Threaded
Open this post in threaded view
|

Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

Thomas Schmitt
Hi,

i wrote:
> > "d/control: Drop Priority of libcap2"
> > https://salsa.debian.org/debian/libcap2/commit/5386335db24bfff5cc85bda69dbcda6ab2d7d20d

Reco wrote:
> Ah, that's what is was. That change made into the stable, I've just checked.

Not according to the package tracker:

oldstable has 1:2.24-8 of march 2015, i.e. before bug 780721.
  https://tracker.debian.org/media/packages/libc/libcap2/control-1%3A2.24-8
No particular Priority set on lbibcap2-bin

stable has 1:2.25-1 of october 2017, i.e. after bug 780721 went to sleep.
  https://tracker.debian.org/media/packages/libc/libcap2/control-1%3A2.25-1
libcap2-bin gets "Priority: important".

testing has 1:2.25-2 of february 2019.
  https://tracker.debian.org/media/packages/libc/libcap2/control-12.25-2
libcap2-bin still gets "Priority: important".
It was accepted in unstable at the very same day as the commit was made
which removed the particular Priority in the salsa git repo.
The package tracker's source browser says it is still in:
  https://sources.debian.org/src/libcap2/1:2.25-2/debian/control/#L17

But not to forget, the packages on the Debian mirrors get their priority
from the uploading procedure, not necessarily from the debian/control file
or the derived .dsc file.
All this forth and back might be independent of the maintainer of libcap2.


> Not every filesystem supported by Debian
> implements extended attributes needed for capabilities.
> Off the top of my head it's NFS and JFFS2.

It is about the filesystem which holds the /bin directory. I would deem it
extra-expert to use a partly incapable filesystem for that.

Whatever, the maintainer's reasoning was a then valid quote from the
policy manual

  "Packages must not depend on packages with lower priority values
   (excluding build-time dependencies). In order to ensure this, the
   priorities of one or more packages may need to be adjusted."

which is now replaced by a contrary statement

  "The priority of a package should
   not be increased merely because another higher-priority package depends
   on it; instead, the tools used to construct Debian installations will
   correctly handle package dependencies. In particular, this means that
   C-like libraries will almost never have a priority above optional [...]"

The issue of incapable systems was addressed in bug 780721 by maintainer:

  "The iputils-ping postinst script takes care to handle the case where
   setcap is either not available or not functional (due e.g. to running on
   a filesystem that doesn't support capabilities."

and bug reporter:

  "I'm aware we can't use capabilities on the non-Linux kernels yet, but
   since dpkg allows us to set dependencies per arch or per kernel, I don't
   see any particular problem adding libcap2-bin as to Depends for Linux."

It became not a decisive argument against dependency.


> Upgrading this particular dependency leads
> only to a dependency bloat, and Default Users™ (i.e. ones that are
> installing Recommends by default) aren't affected anyway.

Currently the Default User depends on assumptions about local package
management which are not obviously related to security. That's a future
pitfall which just needs its unintentional cover removed.

To skip a security improvement in order to save 111 kB of installed size
seems daring. (Size for amd64 taken from end of
  https://packages.debian.org/unstable/libcap2-bin
)
We can expect that the bug reporter, who is working on a colorful bunch
of elderly CPU arches, has a different idea of a Default User than us.
But shortage of memory and disk capacity surely belong to his considerations.


Have a nice day :)

Thomas

Reply | Threaded
Open this post in threaded view
|

Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

Reco
On Fri, May 31, 2019 at 12:09:19PM +0200, Thomas Schmitt wrote:
> > Not every filesystem supported by Debian
> > implements extended attributes needed for capabilities.
> > Off the top of my head it's NFS and JFFS2.
>
> It is about the filesystem which holds the /bin directory. I would deem it
> extra-expert to use a partly incapable filesystem for that.

Please. NFS-for-root is decades old. JFFS2 is wildly popular for DIY solutions.
Calling everyone who bought $20 ARM board on AliExpress an 'expert'
seems overstretched.


> Whatever, the maintainer's reasoning was a then valid quote from the
> policy manual
...
> It became not a decisive argument against dependency.

It's really sad to see a maintainer who resorts to lawyering instead of
considering real technical limitations of the "solution" proposed.


> > Upgrading this particular dependency leads
> > only to a dependency bloat, and Default Users™ (i.e. ones that are
> > installing Recommends by default) aren't affected anyway.
>
> Currently the Default User depends on assumptions about local package
> management which are not obviously related to security.

So? The end result justifies a current situation.


> That's a future pitfall which just needs its unintentional cover removed.

The way I see it, the "problematic" package got that Important priority
already. A potential pitfall is closed.


> To skip a security improvement in order to save 111 kB of installed size
> seems daring. (Size for amd64 taken from end of
>   https://packages.debian.org/unstable/libcap2-bin
> )

Replacing a working fallback mechanism with one-size-fits-all "everyone
are using ext4 on amd64 and Linux" is hardly an improvement.

Reco

Reply | Threaded
Open this post in threaded view
|

Re: Ping as normal user

rhkramer
In reply to this post by Stefan Monnier
On Thursday, May 30, 2019 10:55:57 PM Stefan Monnier wrote:
> > $ getcap /bin/ping
> > /bin/ping = cap_net_raw+ep

I wanted to learn at least a little more about that, starting by looking back
at the original post that mentioned that.  I looked back about 10 posts but
couldn't find it  -- can you point me to the original post (and, in the future,
could you include the line that mentions when and who posted it (as the first
line in this post).

Aside: I saw some other posts in this thread that either didn't quote anything
or didn't properly attribute the quote -- I truly appreciate appropriate
snipping of quotes, and encourage that, but, on the other hand, I also
encourage quoting for context and proper attribution.

> BTW, if these caps are missing you can recover them with:
>
>     dpkg-reconfigure iputils-ping
>
>
> -- Stefan

Reply | Threaded
Open this post in threaded view
|

Re: Ping as normal user

Pascal Hambourg-2
Le 31/05/2019 à 13:16, [hidden email] a écrit :
> On Thursday, May 30, 2019 10:55:57 PM Stefan Monnier wrote:
>>> $ getcap /bin/ping
>>> /bin/ping = cap_net_raw+ep
>
> I wanted to learn at least a little more about that, starting by looking back
> at the original post that mentioned that.  I looked back about 10 posts but
> couldn't find it  -- can you point me to the original post

3 posts back.

From: Andy Smith
Date: Thu, 30 May 2019 02:44:58 +0000
Message-ID: <[hidden email]>

Reply | Threaded
Open this post in threaded view
|

Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

Thomas Schmitt
In reply to this post by Reco
Hi,

i wrote:
> > Currently the Default User depends on assumptions about local package
> > management which are not obviously related to security.
> > That's a future pitfall which just needs its unintentional cover removed.

Reco wrote:
> The way I see it, the "problematic" package got that Important priority
> already. A potential pitfall is closed.

The priority in debian/control (and thus .dsc) is scheduled on salsa to be
lowered to "optional" by the next package release.

Whatever, the priority is not the problem with security. The lack of
dependency of iputils-ping on libcap2-bin is the problem.
This lack was justified by policy as of 2016. Soon later the priority of
libcap2-bin was raised to "important", but iputils-ping never made use of
this move.


> Replacing a working fallback mechanism with one-size-fits-all "everyone
> are using ext4 on amd64 and Linux" is hardly an improvement.

The proposal in the bug report would not disable the fallback mechanism
for situations where it is needed. It would only make sure that capable
kernels and filesystems would be able use upstream improvements of iptools.

The installation code in
  https://sources.debian.org/src/iputils/3:20180629-2/debian/iputils-ping.postinst
adapts itself to effective success of an attempt to set capabilities:

    if command -v setcap > /dev/null; then
        if setcap cap_net_raw+ep /bin/ping; then
            chmod u-s /bin/ping
        else
            echo "Setcap failed on /bin/ping, falling back to setuid" >&2
            chmod u+s /bin/ping
        fi
    else
        echo "Setcap is not installed, falling back to setuid" >&2
        chmod u+s /bin/ping
    fi

Safe for Default Users.

My best theory for the problem reported in bug 780721 that a normal user
cannot ping, is that setuid was disabled by mount -o nosuid or -o owner
and that setcap did not work because of his sparse installation.


Have a nice day :)

Thomas

Reply | Threaded
Open this post in threaded view
|

Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

Greg Wooledge
In reply to this post by Pascal Hambourg-2
On Fri, May 31, 2019 at 11:47:26AM +0200, Pascal Hambourg wrote:
> > https://wiki.debian.org/MergedUsr
>
> The wiki says this page does not exist yet.

It's actually <https://wiki.debian.org/UsrMerge>.

Reply | Threaded
Open this post in threaded view
|

Gmail problems (was Re: Ping as normal user)

rhkramer
In reply to this post by Pascal Hambourg-2
On Friday, May 31, 2019 07:26:54 AM Pascal Hambourg wrote:
> Le 31/05/2019 à 13:16, [hidden email] a écrit :
> > I wanted to learn at least a little more about that, starting by looking
> > back at the original post that mentioned that.  I looked back about 10
> > posts but couldn't find it  -- can you point me to the original post
>
> 3 posts back.

Thanks -- looks like google mail decided that was spam and didn't send it to
me (via their version of pop3).  I guess I have to learn more about google
mail, maybe either disabling their spam filter, or deciding to switch to an
email provider (ideally free or cheap) who doesn't filter email for me.  (I
guess when others mark something as spam, at least sometimes it affects me or
everybody -- very annoying.)

 
> From: Andy Smith
> Date: Thu, 30 May 2019 02:44:58 +0000
> Message-ID: <[hidden email]>

Reply | Threaded
Open this post in threaded view
|

Re: Gmail problems (was Re: Ping as normal user)

mick crane
On 2019-05-31 14:01, [hidden email] wrote:
> I guess I have to learn more about google
> mail, maybe either disabling their spam filter, or deciding to switch
> to an
> email provider (ideally free or cheap) who doesn't filter email for me.
>  (I
> guess when others mark something as spam, at least sometimes it affects
> me or
> everybody -- very annoying.)
>
posteo.de has been mentioned if you don't mind using 100% green
electricity

mick
--
Key ID    4BFEBB31

Reply | Threaded
Open this post in threaded view
|

Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

Jason-4
In reply to this post by andy smith-10
On Wed, May 29, 2019 at 11:46:50PM +0000, Andy Smith wrote:

> Hi Jason,
>
> On Wed, May 29, 2019 at 04:18:51PM -0500, Jason wrote:
> > On Mon, May 27, 2019 at 08:12:32AM +0300, Andrei POPESCU wrote:
> > > While I didn't mention it in this thread, ping had indeed somehow lost
> > > its capabilities on my system. 'dpkg-reconfigure iputils-ping' fixed it.
> >
> > That worked for me (I'm not the OP) with Stretch on an ARM board. Before
> > running the above command, I could only ping as root or using sudo, now
> > I can ping as a normal user. Thanks!
>
> How did you install this system? Because /bin/ping is supposed to
> come with file capabilities such that the user can allow it to do
> what it needs to do (this is part of what 'dpkg-reconfigure
> iputils-ping' restores). So it would be interesting to know how the
> system was installed in case there is a general theme for those who
> never got those capabilities.
>
> One other person in this thread said they used (a script which
> ultimately uses) debootstrap.

This system was installed on an SBC (similar to RPi) from a zipped
filesystem image, dd'd to the onboard eMMC chip.

Thanks,
--
Jason

Reply | Threaded
Open this post in threaded view
|

Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

andy smith-10
Hello,

On Fri, May 31, 2019 at 08:48:36AM -0500, Jason wrote:
> On Wed, May 29, 2019 at 11:46:50PM +0000, Andy Smith wrote:
> > How did you install this system?

[…]

> > One other person in this thread said they used (a script which
> > ultimately uses) debootstrap.
>
> This system was installed on an SBC (similar to RPi) from a zipped
> filesystem image, dd'd to the onboard eMMC chip.

It sounds likely that something in that process failed to copy
across file capabilities. As previously mentioned, some care has to
be used with tar for example, if you want to (re)store these. So
that's something to be aware of I guess…

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

Reply | Threaded
Open this post in threaded view
|

Re: Gmail problems (was Re: Ping as normal user)

Brian
In reply to this post by mick crane
On Fri 31 May 2019 at 14:33:42 +0100, mick crane wrote:

> On 2019-05-31 14:01, [hidden email] wrote:
> > I guess I have to learn more about google
> > mail, maybe either disabling their spam filter, or deciding to switch to
> > an
> > email provider (ideally free or cheap) who doesn't filter email for me.
> > (I
> > guess when others mark something as spam, at least sometimes it affects
> > me or
> > everybody -- very annoying.)
> >
> posteo.de has been mentioned if you don't mind using 100% green electricity

The mind boggles!

--
Brian.

Reply | Threaded
Open this post in threaded view
|

Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

Andrei POPESCU-2
In reply to this post by Greg Wooledge
On Vi, 31 mai 19, 08:51:20, Greg Wooledge wrote:
> On Fri, May 31, 2019 at 11:47:26AM +0200, Pascal Hambourg wrote:
> > > https://wiki.debian.org/MergedUsr
> >
> > The wiki says this page does not exist yet.
>
> It's actually <https://wiki.debian.org/UsrMerge>.
 
Right, thanks (again) Greg for correcting my mistakes.

My current setup doesn't allow for easy copy-pasting so I wrote that by
hand and misremembered it :(

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser

signature.asc (849 bytes) Download Attachment
1234