
[bug-inetutils] traceroute -- permissions, setuids, etc..


From: Debarshi Ray
Subject: [bug-inetutils] traceroute -- permissions, setuids, etc..
Date: Fri, 18 Apr 2008 08:59:59 +0530

Right now GNU traceroute needs to be installed setuid root. Here is
what a 'sudo make install' gives me:
address@hidden ~]$ ll ~/bin/traceroute
-rwsrwxr-x 1 root root 36177 2008-04-18 08:33 /home/rishi/bin/traceroute

However even then it does not work:
address@hidden ~]$ ~/bin/traceroute gnu.org
/home/rishi/bin/traceroute: insufficient permissions: Operation not permitted

Does it really need to be restricted to the root user always?
Apparently no. Removing the following lines of code enables the
current GNU traceroute to be run by a non-root user with all
combinations of its existing command line switches:

  if (getuid () != 0)
    error (EXIT_FAILURE, EPERM, "insufficient permissions");

e.g.,
address@hidden ~]$ ~/bin/traceroute gnu.org
traceroute to gnu.org (199.232.41.10), 64 hops max
 1   192.168.1.254 (192.168.1.254) 0.427ms 0.416ms 0.529ms
 2   121.247.231.1 (121.247.231.1) 27.502ms 26.974ms 27.517ms
 3   *  *  *
 4   172.31.9.129 (172.31.9.129) 32.944ms 28.086ms 28.716ms
 5   172.31.2.194 (172.31.2.194) 27.865ms 27.705ms 27.892ms
[...]

So shall I go ahead and remove those two lines?

Now some other traceroute flavours do it in a different way. Since I
have the flavour from http://traceroute.sourceforge.net on my
GNU/Linux system, let me use that as an example.

Firstly, it does not need to be installed setuid root.
address@hidden ~]$ ll /bin/traceroute
-rwxr-xr-x 1 root root 54976 2007-10-10 23:54 /bin/traceroute

It offers various methods for tracerouting through the -M option.
       -M method
              Use  specified  method for traceroute operations. Default tradi-
              tional udp method has name default, icmp (-I) and tcp (-T)  have
              names icmp and tcp respectively.

Some of these methods can be used by an unprivileged user, while
others are only allowed for root.
   default
       The traditional, ancient method of tracerouting. Used by default.
       [...]
       This method is allowed for unprivileged users.

   icmp       -I
       Most usual method for now, which uses icmp echo packets for probes.
       If  you can ping(8) the destination host, icmp tracerouting is applica-
       ble as well.

e.g.,
address@hidden ~]$ /bin/traceroute -M default gnu.org
traceroute to gnu.org (199.232.41.10), 30 hops max, 40 byte packets
 1  192.168.1.254 (192.168.1.254)  14.547 ms  14.581 ms  14.712 ms
 [...]
address@hidden ~]$ /bin/traceroute -M icmp gnu.org
The specified type of tracerouting is allowed for superuser only

However, this one needs a Linux 2.6 kernel. Is this requirement going
to be an issue for us?

Comments?

Happy hacking,
Debarshi
-- 
"From what we get, we can make a living; what we give, however, makes a life."
    -- Arthur Ashe
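
Added example, not part of the original message and not inetutils code: `getuid()` returns the real (invoking) user, so a check like the one quoted above rejects an ordinary user even when the binary is setuid root, where only the effective uid is 0. The sketch below shows the usual least-privilege alternative for a setuid-root network tool: open the privileged socket first, then permanently drop to the invoking user. The function names are hypothetical, and the need for a raw ICMP socket is an assumption about the tool.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum start_mode { RUN_BY_ROOT, RUN_SETUID_ROOT, RUN_UNPRIVILEGED };

/* getuid() is the invoking user; geteuid() is what the kernel checks.
 * Setuid-root binary started by an ordinary user: ruid != 0, euid == 0. */
enum start_mode classify(uid_t ruid, uid_t euid)
{
    if (ruid == 0)
        return RUN_BY_ROOT;
    return euid == 0 ? RUN_SETUID_ROOT : RUN_UNPRIVILEGED;
}

/* Permanently return to the invoking user's identity. Group first, because
 * setgid() is no longer permitted once the root euid is gone. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    if (setgid(getgid()) != 0 || setuid(ruid) != 0)
        return -1;
    if (ruid != 0 && setuid(0) == 0)   /* root must not be recoverable */
        return -1;
    return geteuid() == ruid ? 0 : -1;
}

/* Acquire the one privileged resource, then drop before handling any input.
 * Returns the socket fd, or -1 with errno from socket() (e.g. EPERM). */
int open_probe_socket(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);  /* assumed requirement */
    int saved = errno;
    if (drop_privileges() != 0)
        _exit(1);                      /* never continue with leftover root */
    errno = saved;
    return fd;
}

int main(void)
{
    enum start_mode m = classify(getuid(), geteuid());
    int fd = open_probe_socket();
    printf("start mode %d, raw socket %s, euid now %d\n", (int)m,
           fd >= 0 ? "opened" : strerror(errno), (int)geteuid());
    return 0;
}
```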
