ICMP sockets

The Openwall Linux developers have an interesting problem: they have managed to create a distribution which is entirely free of setuid-root binaries, with one exception: ping still needs to be setuid root to be able to send ICMP echo packets. That seems a little untidy, so the project put together a patch which allows ping to run as an unprivileged user. It implements a new type of socket protocol (IPPROTO_ICMP) which, despite its name, is not usable for ICMP communications in general. The only type of message which is allowed through is ICMP_ECHO (and the associated replies).

Interestingly, this patch has been trimmed down from the version which is applied to Openwall kernels. In the full version, the ability to create ICMP sockets is restricted to a specific group, which can be set by way of a sysctl knob. The ping binary is then installed setgid. In this way, full access to ICMP sockets is not given to unprivileged users, while ping only gets enough privilege to create such sockets. The group check was removed from the posted patch to make acceptance easier, but it seems likely to be added back before the next posting.

For more information about the thinking behind this design, see this message from Solar Designer.

---

(Log in to post comments)