remove SUID and add CAP_NET_RAW instead on Fedora 15 and newer (rhbz#646466)

allow -f option for non-root on Fedora 15 and newer remove read permissions on binaries for Fedora 14 and older
14 years ago · 29242ef7a2
parent df418b7209
commit 29242ef7a2
2 changed files with 89 additions and 5 deletions
--- a/fping-2.4b2_to-ipv6-capnetraw.patch
+++ b/fping-2.4b2_to-ipv6-capnetraw.patch
@ -0,0 +1,64 @@
+diff -up fping-2.4b2_to-ipv6/fping.8.capnetraw fping-2.4b2_to-ipv6/fping.8
+--- fping-2.4b2_to-ipv6/fping.8.capnetraw	2002-01-20 20:05:48.000000000 -0500
+++ fping-2.4b2_to-ipv6/fping.8	2011-09-04 16:14:03.782482153 -0400
+@@ -88,10 +88,7 @@ fping a list of IP addresses as input an
+ .IP \fB-e\fR 5
+ Show elapsed (round-trip) time of packets.
+ .IP \fB-f\fR 5
+-Read list of targets from a file.  This option can only be used by the
+-root user.  Regular users should pipe in the file via stdin:
+-
+-% fping < targets_file
+Read list of targets from a file.
+ 
+ .IP \fB-g\fR 5
+ Generate a target list from a supplied IP netmask, or a starting and ending IP.
+@@ -203,11 +200,9 @@ command line arguments, and 4 for a syst
+ Ha! If we knew of any we would have fixed them!
+ .SH RESTRICTIONS
+ If certain options are used (i.e, a low value for -i and -t, and a 
+-high value for -r) it is possible to flood the network. This program
+-must be installed as setuid root in order to open up a raw socket,
+-or must be run by root. In order to stop mere mortals from hosing the
+-network (when fping is installed setuid root) , normal users can't specify 
+-the following:
+high value for -r) it is possible to flood the network. In order to
+stop mere mortals from hosing the network (when fping is installed
+setuid root), normal users can't specify the following:
+ .nf
+ 
+  -i n   where n < 10  msec
+diff -up fping-2.4b2_to-ipv6/fping.c.capnetraw fping-2.4b2_to-ipv6/fping.c
+--- fping-2.4b2_to-ipv6/fping.c.capnetraw	2011-09-04 15:06:08.800668963 -0400
+++ fping-2.4b2_to-ipv6/fping.c	2011-09-04 15:11:15.256781273 -0400
+@@ -410,17 +410,6 @@ int main( int argc, char **argv )
+ 	int advance;
+ 	struct protoent *proto;
+ 	char *buf;
+-	uid_t uid;
+-	/* check if we are root */
+-
+-	if( geteuid() )
+-	{
+-		fprintf( stderr,
+-			"This program can only be run by root, or it must be setuid root.\n" );
+-
+-		exit( 3 );
+-
+-	}/* IF */
+ 
+ 	/* confirm that ICMP is available on this machine */
+ #ifndef IPV6
+@@ -508,12 +497,6 @@ int main( int argc, char **argv )
+ #endif
+ #endif
+ 
+-	if( ( uid = getuid() ) )
+-	{
+-		seteuid( getuid() );
+-
+-	}/* IF */
+-
+ 	prog = argv[0];
+ 	ident = getpid() & 0xFFFF;
+ 
--- a/fping.spec
+++ b/fping.spec
@ -1,6 +1,12 @@
+%if 0%{?fedora} < 15
+%global use_capnetraw 0
+%else
+%global use_capnetraw 1
+%endif
+
 Name: fping
 Version: 2.4b2
-Release: 11%{?dist}
+Release: 12%{?dist}
 Summary: Scriptable, parallelized ping-like utility
 Group: Applications/Internet
 License: BSD with advertising
@ -9,6 +15,7 @@ URL: http://www.fping.com/
 # Source0: http://www.fping.com/download/%{name}-%{version}_to-ipv6.tar.gz
 Source0: %{name}-%{version}_to-ipv6.tar.gz
 Patch0: fping-2.4b2_ipv6-fix.diff
+Patch1: fping-2.4b2_to-ipv6-capnetraw.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 %description
@ -20,14 +27,17 @@ use in scripting in mind.
 %prep
 %setup -q -n %{name}-%{version}_to-ipv6
 %patch0 -p1 -b .ipv6
+%if 0%{?use_capnetraw}
+%patch1 -p1 -b .capnetraw
+%endif

 %build
 %configure
-make CFLAGS="-DIPV6 $RPM_OPT_FLAGS"
+make CFLAGS="-DIPV6 %{?use_capnetraw:-DENABLE_F_OPTION} $RPM_OPT_FLAGS"
 mv fping fping6

 make clean
-make CFLAGS="$RPM_OPT_FLAGS"
+make CFLAGS="%{?use_capnetraw:-DENABLE_F_OPTION} $RPM_OPT_FLAGS"

 %install
 rm -rf $RPM_BUILD_ROOT
@ -40,11 +50,21 @@ rm -rf $RPM_BUILD_ROOT
 %files
 %defattr(-,root,root,-)
 %doc ChangeLog COPYING README
-%attr(4755,root,root) %{_sbindir}/fping
-%attr(4755,root,root) %{_sbindir}/fping6
+%if 0%{?use_capnetraw}
+%attr(0755,root,root) %caps(cap_net_raw=ep) %{_sbindir}/fping
+%attr(0755,root,root) %caps(cap_net_raw=ep) %{_sbindir}/fping6
+%else
+%attr(4711,root,root) %{_sbindir}/fping
+%attr(4711,root,root) %{_sbindir}/fping6
+%endif
 %{_mandir}/man8/*

 %changelog
+* Sun Sep 04 2011 Charles R. Anderson <cra@wpi.edu> - 2.4b2-12
+- remove SUID and add CAP_NET_RAW instead on Fedora 15 and newer (rhbz#646466)
+- allow -f option for non-root on Fedora 15 and newer
+- remove read permissions on binaries for Fedora 14 and older
+
 * Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4b2-11
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild