File git-34-9a1bc15517d6da56d75182338c0f1bc4518b2b75.patch of Package aaa_base.32208

From 9a1bc15517d6da56d75182338c0f1bc4518b2b75 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Fri, 31 Jul 2020 12:07:56 +0200
Subject: [PATCH] sysctl.d/50-default.conf: allow everybody to create
 IPPROTO_ICMP sockets (bsc#1174504)

This will allows us to remove capability bits from `/usr/bin/ping` and
`/usr/sbin/pfing`. Furthermore other programs like `traceroute -I` start
working for regular users.

The ping_group_range allows to further limit the group IDs that are
allowed to use these sockets. It is difficult to find a sensible
limitation on a generic level, however. Daemons might just as well want
to send out pings as interactive users. Therefore all groups are allowed
by this configuration change.

The maximum group ID seems to be (2**31)-1, contrary to what a suggested
documentation snippet says, that never made into upstream [1].

[1]: https://lkml.org/lkml/2011/5/18/305
---
 files/usr/lib/sysctl.d/50-default.conf | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/files/usr/lib/sysctl.d/50-default.conf b/files/usr/lib/sysctl.d/50-default.conf
index 4e931ec..2ab1019 100644
--- a/files/usr/lib/sysctl.d/50-default.conf
+++ b/files/usr/lib/sysctl.d/50-default.conf
@@ -23,6 +23,14 @@ net.ipv4.conf.all.promote_secondaries = 1
 # (bsc#678066,bsc#752842,bsc#988023,bsc#990838)
 net.ipv6.conf.default.use_tempaddr = 1
 
+# allow all groups in the system to create IP sockets with
+# protocol == IPPROTO_ICMP. This makes it possible to use programs like ping
+# and fping to run without special permissions from capabilities or set*id
+# bits (bsc#1174504).
+# this only allows users to handle ICMP ECHO REQUESTs and REPLYs, nothing
+# else.
+net.ipv4.ping_group_range = "0 2147483647"
+
 # increase the number of possible inotify(7) watches
 fs.inotify.max_user_watches = 65536
 
openSUSE Build Service is sponsored by