Recent

Author Topic: [tech tip] TIdIcmpClient on Linux  (Read 1679 times)

libaudf

  • Newbie
  • Posts: 4
    • Frédéric Libaud, Expert en Numérique
[tech tip] TIdIcmpClient on Linux
« on: May 28, 2024, 09:17:47 am »
Hi
For those who develop with Linux as a target for example. If you use Indy components and especially TIdIcmpClient. It is common knowledge that it does not work.
And for good reason, the security features have greatly evolved in recent years. As for other OS (Windows, Mac...) moreover.
In fact, the concern that is not one, is that you must assign a "capabilities" to your binary. So that TIdIcmpClient can work properly. I refer you to the documentation and other tutorials available on the web for more details.
However, two commands to be aware of:
- getcap: to obtain the capabilities of a file or binary;
- setcap: to assign capabilities to a file or binary.
Like the ping binary, yours will have to have the cap_net_raw "capabilities".
You will need to root setcap 'cap_net_raw+ep' [mybinary]. [mybinary] representing the full path to the executable.
This will allow you to operate TIdIcmClient properly.
Frédéric Libaud, Digital Expert

Europe, France, Pays-de-Loire, Loire-Atlantique

http://www.libaudfrederic.fr

MarkMLl

  • Hero Member
  • *****
  • Posts: 7443
Re: [tech tip] TIdIcmpClient on Linux
« Reply #1 on: May 28, 2024, 05:50:39 pm »
Yes, I refer to POSIX capabilities on a fairly regular basis but just about everybody around here appears happy with setuid root etc.

In fact at one point I contributed a patch to the IDE which allowed the capabilities of a binary to be set, but it got brushed under the carpet.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Logitech, TopSpeed & FTL Modula-2 on bare metal (Z80, '286 protected mode).
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

Remy Lebeau

  • Hero Member
  • *****
  • Posts: 1397
    • Lebeau Software
Re: [tech tip] TIdIcmpClient on Linux
« Reply #2 on: May 28, 2024, 08:29:59 pm »
I wonder if this would be mitigated if https://github.com/IndySockets/Indy/issues/122 were implemented?
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) - Admin, Developer (Support forum)

MarkMLl

  • Hero Member
  • *****
  • Posts: 7443
Re: [tech tip] TIdIcmpClient on Linux
« Reply #3 on: May 29, 2024, 08:30:16 am »
I wonder if this would be mitigated if https://github.com/IndySockets/Indy/issues/122 were implemented?

IIRC, That would be a old-fashioned ping that assumed the availabiilty of a random unused UDP port as an endpoint, rather than ICMP per se. It might also be unable to do a broadcast ping, which (again IIRC) required elevated privilege.

I can't speak for other distreaux, but on Debian ping uses POSIX capabilities these days (it used to be setuid root):

Code: [Select]
# getcap `which ping`
/usr/bin/ping cap_net_raw=ep

However there's the added problem that as soon as a program that's been blessed with elevated capabilities is copied or moved (i.e. during installation) it loses the capabilities: an obvious precaution, but awkward.

In addition, while it's possible to bless an IDE so that it can set capabilities without needing an explicit password that also allows it to set the capability-to-set-any-capability: that's an obvious security no-no which can only be fixed by the kernel developers.

So, using a UDP-based ping might be the most practical solution, but isn't quite the same thing.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Logitech, TopSpeed & FTL Modula-2 on bare metal (Z80, '286 protected mode).
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

af0815

  • Hero Member
  • *****
  • Posts: 1354
Re: [tech tip] TIdIcmpClient on Linux
« Reply #4 on: May 29, 2024, 09:10:08 am »
Actual i am not so good in using Linux, but is it possible to create a 'special' group with the needed evelates rigths for using ICMP ?!

If the IDE can set capabilities, it will be not working for enviroments like mine. I have to work under Windows, make a crosscompile to Linux (and RaspBian) and transfer the files with scp to the target. After this i have to set the capabilities every time i have tranfered a new version.
regards
Andreas

MarkMLl

  • Hero Member
  • *****
  • Posts: 7443
Re: [tech tip] TIdIcmpClient on Linux
« Reply #5 on: May 29, 2024, 09:34:27 am »
Actual i am not so good in using Linux, but is it possible to create a 'special' group with the needed evelates rigths for using ICMP ?!

I don't believe so, the POSIX capabilities are much finer-grained than the traditional user/group ownership model. Reverting to something that was user/group based would be much the same as the traditional setuid root, and the last time I looked GTK refused to run anything treated like that.

If the IDE can set capabilities, it will be not working for enviroments like mine. I have to work under Windows, make a crosscompile to Linux (and RaspBian) and transfer the files with scp to the target. After this i have to set the capabilities every time i have tranfered a new version.

In terms of the final installation stage, they don't really work for anybody. However because they allow just about every security/robustness precaution to be bypassed there's really no alternative to restricting them to whoever has responsibility for the local system... certainly until Linux has some sort of proper code signing.

There's things like Selinux which do- AIUI- have some level of sensitivity to where the binary is running from, but again there really should be some proper signing so that a binary can be traced end-to-end.

MarkMLl
l
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Logitech, TopSpeed & FTL Modula-2 on bare metal (Z80, '286 protected mode).
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

 

TinyPortal © 2005-2018