
Re: setting sysctl net.ipv4.ping_group_range


Marco d'Itri

Jan 2, 2023, 4:20:03 PM
On Jan 02, Noah Meyerhans <no...@debian.org> wrote:

> With that in place, unprivileged users are able to execute ping for both
> IPv4 and IPv6 targets without cap_net_raw (currently set as either a
> file-based attribute on the ping binary or acquired via setuid). But
> since that applies system-wide, not just to the ping binary, there may
> be objections.
I do not think that the submitter made clear why this would be
preferable, so I had to research it myself. See:

https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange
https://github.com/systemd/systemd/pull/13141

Since this is one of the systemd sysctl defaults (of which I think that
we should adopt more, especially the network-related ones!) I agree with
changing this.
I would just do it in the systemd package to allow all packages
to benefit from it without having to care if ping is installed.

--
ciao,
Marco

Noah Meyerhans

Jan 2, 2023, 5:00:04 PM
I'm entirely happy to reassign this request to systemd and have the
setting applied more broadly. The question that arises then is what to
do about the file-level capabilities on the ping binary. Ideally we
drop them entirely (including the setuid fallback), but when?

I could leave things completely decoupled, and simply wait until systemd
makes the change and then upload iputils and assume that anybody
upgrading iputils is also upgrading systemd. That seems to be what
Fedora did, according to the fedoraproject.org wiki cited above.
Alternatives would seem to involve some level of versioned dependency,
which doesn't feel right.

noah

Marco d'Itri

Jan 2, 2023, 6:50:04 PM
On Jan 02, Noah Meyerhans <no...@debian.org> wrote:

> I'm entirely happy to reassign this request to systemd and have the
> setting applied more broadly. The question that arises then is what to
> do about the file-level capabilities on the ping binary. Ideally we
> drop them entirely (including the setuid fallback), but when?
Some options:
- conflict with systemd < version_with_the_new_default
- wait for a full release and then just drop it
- when sysctl in postinst reports the new default
- a mix of the last two options

I suggest that you improve the ping error message to also mention the
sysctl (or maybe an appropriate writeup in README.Debian?).

--
ciao,
Marco
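A check of the kind Marco's last paragraph asks for (something a postinst or a friendlier ping error path would need), written as an added example that is not from the thread or from iputils: it reports whether the invoking user can ping through the sysctl range, through file capabilities, or through setuid. The names `gid_in_ping_range`, `ping_privilege_source` and the `--check` flag are my own, and it assumes Linux with iputils ping on PATH and libcap's getcap installed.

```shell
#!/bin/sh
# Added example (not from the thread or from iputils): report where an
# unprivileged user's ability to run ping comes from on this host. Assumes
# Linux, iputils ping on PATH and getcap from libcap; the range logic is a
# pure function so it can be tested without touching the live system.

# gid_in_ping_range "LOW HIGH" GID...  -> status 0 if any GID lies in [LOW, HIGH].
# The kernel opens an unprivileged ICMP echo socket when the caller's egid or
# any supplementary gid is inside net.ipv4.ping_group_range (inclusive); the
# kernel default "1 0" is an empty range, so nobody qualifies.
gid_in_ping_range() {
    _range=$1
    shift
    _gids=$*
    set -- $_range                    # split "LOW HIGH" (space or tab) into $1 $2
    _low=$1 _high=$2
    [ -n "$_high" ] || return 1       # malformed or empty range: treat as closed
    for _gid in $_gids; do
        if [ "$_gid" -ge "$_low" ] && [ "$_gid" -le "$_high" ]; then
            return 0
        fi
    done
    return 1
}

# ping_privilege_source -> prints "sysctl", "capability", "setuid" or "none"
# for the invoking user; returns non-zero only for "none".
ping_privilege_source() {
    _range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null || echo "1 0")
    if gid_in_ping_range "$_range" $(id -G); then
        echo sysctl
        return 0
    fi
    _ping=$(command -v ping 2>/dev/null || true)
    if [ -n "$_ping" ] && getcap "$_ping" 2>/dev/null | grep -q cap_net_raw; then
        echo capability
        return 0
    fi
    if [ -n "$_ping" ] && [ -u "$_ping" ]; then
        echo setuid
        return 0
    fi
    echo none
    return 1
}

if [ "${1:-}" = --check ]; then       # ./ping-privilege-check.sh --check
    ping_privilege_source
fi
```

On a host where the sysctl answer is "sysctl", dropping cap_net_raw and the setuid fallback from the binary costs nothing; "none" is exactly the situation the improved error message should explain.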

Adam Borowski

Jan 2, 2023, 7:40:03 PM
On Tue, Jan 03, 2023 at 12:43:31AM +0100, Marco d'Itri wrote:
> On Jan 02, Noah Meyerhans <no...@debian.org> wrote:
> > I'm entirely happy to reassign this request to systemd and have the
> > setting applied more broadly.
> Some options:
> - conflict with systemd < version_with_the_new_default
> - wait for a full release and then just drop it
> - when sysctl in postinst reports the new default
> - a mix of the last two options

Debian's default sysctl settings should reside in procps (as it owns
/sbin/sysctl and /etc/sysctl* settings) rather than some unrelated
package.


Meow!
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋⠀ Quis trollabit ipsos trollos?
⠈⠳⣄⠀⠀⠀⠀

Noah Meyerhans

Jan 2, 2023, 7:50:03 PM
On Tue, Jan 03, 2023 at 01:36:30AM +0100, Adam Borowski wrote:
> > > I'm entirely happy to reassign this request to systemd and have the
> > > setting applied more broadly.
> > Some options:
> > - conflict with systemd < version_with_the_new_default
> > - wait for a full release and then just drop it
> > - when sysctl in postinst reports the new default
> > - a mix of the last two options
>
> Debian's default sysctl settings should reside in procps (as it owns
> /sbin/sysctl and /etc/sysctl* settings) rather than some unrelated
> package.

Is that documented anywhere? It's certainly not the case today:

$ for i in /usr/lib/sysctl.d/*.conf; do
    dpkg -S $i
  done
tracker-miner-fs: /usr/lib/sysctl.d/30-tracker.conf
bubblewrap: /usr/lib/sysctl.d/50-bubblewrap.conf
systemd-coredump: /usr/lib/sysctl.d/50-coredump.conf
systemd: /usr/lib/sysctl.d/50-pid-max.conf
procps: /usr/lib/sysctl.d/99-protect-links.conf

Adam Borowski

Jan 2, 2023, 8:00:04 PM
On Mon, Jan 02, 2023 at 04:43:34PM -0800, Noah Meyerhans wrote:
> > Debian's default sysctl settings should reside in procps (as it owns
> > /sbin/sysctl and /etc/sysctl* settings) rather than some unrelated
> > package.
>
> Is that documented anywhere? It's certainly not the case today:
>
> $ for i in /usr/lib/sysctl.d/*.conf; do
>     dpkg -S $i
>   done
> tracker-miner-fs: /usr/lib/sysctl.d/30-tracker.conf
> bubblewrap: /usr/lib/sysctl.d/50-bubblewrap.conf
> systemd-coredump: /usr/lib/sysctl.d/50-coredump.conf
> systemd: /usr/lib/sysctl.d/50-pid-max.conf
> procps: /usr/lib/sysctl.d/99-protect-links.conf

$ apt-file search /etc/sysctl
ceph-osd: /etc/sysctl.d/30-ceph-osd.conf
corekeeper: /etc/sysctl.d/corekeeper.conf
lxc: /etc/sysctl.d/30-lxc-inotify.conf
lxd: /etc/sysctl.d/10-lxd-inotify.conf
octavia-agent: /etc/sysctl.d/octavia-agent-sysctl.conf
open-infrastructure-container-tools: /etc/sysctl.d/zz-container.conf
open-infrastructure-system-images: /usr/share/system-images/container-server/config/includes.chroot/etc/sysctl.d/net.ipv4.ip_forward.conf
procps: /etc/sysctl.conf
procps: /etc/sysctl.d/README.sysctl
systemd: /etc/sysctl.d/99-sysctl.conf
tup: /etc/sysctl.d/unprivileged-clone.conf

Most settings are in /etc/sysctl.conf, especially network related ones.

That /usr/lib/sysctl.d/ path doesn't have its settings applied normally.

Noah Meyerhans

Jan 2, 2023, 8:10:03 PM
On Tue, Jan 03, 2023 at 01:48:29AM +0100, Adam Borowski wrote:
> Most settings are in /etc/sysctl.conf, especially network related ones.
>
> That /usr/lib/sysctl.d/ path doesn't have its settings applied normally.

systemd-sysctl is run by default and processes /usr/lib/sysctl.d/. This
is the case even on systems that don't have procps installed.

If the intent is to set sysctl values _everywhere_, then neither procps
nor systemd is the right place.

noah

Marco d'Itri

Jan 2, 2023, 9:30:04 PM
On Jan 03, Adam Borowski <kilo...@angband.pl> wrote:

> Debian's default sysctl settings should reside in procps (as it owns
> /sbin/sysctl and /etc/sysctl* settings) rather than some unrelated
> package.
Nowadays systemd is a source of common sysctl settings among different
distributions.

--
ciao,
Marco

Noah Meyerhans

Jan 3, 2023, 12:20:03 AM
On Tue, Jan 03, 2023 at 03:26:37AM +0100, Marco d'Itri wrote:
> > Debian's default sysctl settings should reside in procps (as it owns
> > /sbin/sysctl and /etc/sysctl* settings) rather than some unrelated
> > package.
> Nowadays systemd is a source of common sysctl settings among different
> distributions.

I've opened https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027773 to
request this sysctl setting be applied globally there. Will keep this
bug open against iputils-ping to track the removal of the
cap_net_raw/setuid settings when that's done.

noah

Luca Boccassi

Jan 3, 2023, 6:14:13 AM
Shipping 50-default.conf sounds good to me, it has sensible defaults,
and /etc/sysctl.conf(.d/*) takes precedence anyway if it contains any
local redefinition:

https://salsa.debian.org/systemd-team/systemd/-/merge_requests/187

--
Kind regards,
Luca Boccassi

Steve Langasek

Jan 7, 2023, 8:10:04 PM
Debian still supports other init systems in the archive besides systemd.
Should ping fail to run on a Debian system that is not using systemd?

We also recently ran into a bug with systemd in Ubuntu because the "common
sysctl settings among different distributions" that they had added clobbered
settings that had been shipped for years already in the Ubuntu procps
package. No thank you.

https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1962038

What would really be a great place for shipping common sysctl settings among
different distributions would be in the Linux kernel, instead of diverging
from the kernel defaults in userspace and representing this as "common".

--
Steve Langasek                         Give me a lever long enough and a Free OS
Debian Developer                       to set it on, and I can move the world.
Ubuntu Developer                       https://www.debian.org/
slan...@ubuntu.com                     vor...@debian.org

Ansgar

Jan 8, 2023, 7:40:03 AM
On Sat, 2023-01-07 at 16:55 -0800, Steve Langasek wrote:
> On Tue, Jan 03, 2023 at 03:26:37AM +0100, Marco d'Itri wrote:
>
> > Nowadays systemd is a source of common sysctl settings among different
> > distributions.
>
> Debian still supports other init systems in the archive besides systemd.

Not really: we only support exploring and developing alternative init
systems. That doesn't mean full support and random things might not
work correctly (and that is accepted).

> Should ping fail to run on a Debian system that is not using systemd?

Why not? It's not different from other software where we allow this?

> We also recently ran into a bug with systemd in Ubuntu because the "common
> sysctl settings among different distributions" that they had added clobbered
> settings that had been shipped for years already in the Ubuntu procps
> package.  No thank you.
>
>   https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1962038
>
> What would really be a great place for shipping common sysctl settings among
> different distributions would be in the Linux kernel, instead of diverging
> from the kernel defaults in userspace and representing this as "common".

I think I read somewhere that linux upstream is not enthusiastic about
choosing more appropriate defaults and leaves that to downstream.
Diverting those is only possible in userspace as we still support using
self-built kernels (which can come from upstream) ;-)

If you want some other "common" ground, I guess it would need to be
created and adopted instead of the current one first.

Ansgar

Michael Biebl

Jan 13, 2023, 6:00:14 AM
On Tue, 3 Jan 2023 01:48:29 +0100 Adam Borowski <kilo...@angband.pl> wrote:

> Most settings are in /etc/sysctl.conf, especially network related ones.

Package provided default values should be shipped in /usr, local
overrides should go to /etc

> That /usr/lib/sysctl.d/ path doesn't have its settings applied normally.

That statement is wrong.

Both systemd-sysctl (systemd) and sysctl (procps) use that path.
See also man sysctl → SYSTEM FILE PRECEDENCE and
man sysctl.d → SYNOPSIS
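To make the precedence Michael points to (and Luca's "/etc takes precedence anyway") concrete, here is an added example, not from the thread and not systemd's or procps's code, that models the sysctl.d(5) resolution rules over a constructed drop-in tree. `sysctl_effective_value`, `make_demo_tree` and the `--demo` flag are my own names; it assumes dotted key names and does not read /etc/sysctl.conf itself.

```shell
#!/bin/sh
# Added example (not from the thread): resolve one sysctl key the way sysctl.d(5)
# describes, over drop-in directories listed highest precedence first
# (e.g. /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d). Rules modelled: a file
# masks same-named files in lower-precedence dirs, a symlink to /dev/null masks
# them outright, surviving *.conf files apply in lexical order, last value wins.

# sysctl_effective_value KEY DIR...  -> prints the winning value, or nothing
sysctl_effective_value() {
    _key=$1
    shift
    _re=$(printf '%s' "$_key" | sed 's/\./\\./g')   # dots are literal in the key
    _value=
    for _f in $(for _d in "$@"; do ls "$_d" 2>/dev/null; done | sort -u); do
        case $_f in *.conf) ;; *) continue ;; esac
        _path=
        for _d in "$@"; do            # first directory holding this basename wins
            if [ -e "$_d/$_f" ] || [ -L "$_d/$_f" ]; then
                _path=$_d/$_f
                break
            fi
        done
        [ "$(readlink -f "$_path")" = /dev/null ] && continue
        # last "KEY = VALUE" line in the file; a leading '-' only means "ignore errors"
        _found=$(sed -n "s/^[[:space:]]*-\{0,1\}${_re}[[:space:]]*=[[:space:]]*//p" "$_path" | tail -n 1)
        [ -n "$_found" ] && _value=$_found
    done
    printf '%s\n' "$_value"
}

# make_demo_tree ROOT: constructed sample layout, not copied from any real system.
# ROOT/usr/lib/sysctl.d/50-default.conf holds vendor defaults; a local
# ROOT/etc/sysctl.d/50-default.conf of the same name masks that whole file, so the
# vendor ping_group_range line silently vanishes; 99-local.conf sorts last and wins.
make_demo_tree() {
    mkdir -p "$1/usr/lib/sysctl.d" "$1/etc/sysctl.d"
    printf '%s\n' 'net.ipv4.ping_group_range = 0 2147483647' \
        'kernel.pid_max = 4194304' > "$1/usr/lib/sysctl.d/50-default.conf"
    printf '%s\n' '# local copy that omits the ping_group_range line' \
        'kernel.pid_max = 65536' > "$1/etc/sysctl.d/50-default.conf"
    printf '%s\n' 'kernel.pid_max = 1048576' > "$1/etc/sysctl.d/99-local.conf"
}

if [ "${1:-}" = --demo ]; then        # ./sysctl-precedence.sh --demo
    root=$(mktemp -d) && make_demo_tree "$root"
    for k in net.ipv4.ping_group_range kernel.pid_max; do
        printf '%s = [%s]\n' "$k" "$(sysctl_effective_value "$k" "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d")"
    done
    rm -r "$root"
fi
```

The masking case is the one to watch when a distribution ships 50-default.conf: a local file of the same basename under /etc replaces the vendor file wholesale, not key by key, so any key it does not repeat falls back to the kernel default.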