Topic: Synapse: how to use its PING feature without needing root rights (Linux)?

Hartmut

Thanks a lot to rvk and Jurassic Pork for your help.

what kind of target hartmut want to check ?

For the long run I would like to have a common general PING feature, because I guess I can use this in several projects.

In my current project I want to create a common test function (for various projects) to check whether internet is available, so that I can write a dedicated error message in my programs if it is not.

For this I wanted to use the above PING feature to check 1) some common IP addresses (e.g. 37.97.187.115 - because they don't need a working DNS server) and 2) after that some common websites (e.g. lazarus.freepascal.org) to check for a working DNS server too.

I tested the demo from Jurassic Pork (many thanks for that) and on the 1st view it works.
But I tested it with 2 FTP servers and it returned "Server is unreachable", but both are available via /usr/bin/ping. In one project I want to test via "ping" for these FTP servers (e.g. before I try to connect to them).

And you used '443' as port. Is this value always to use for everything? Or are there cases, where another value must be used?
Sorry, I'm a bloody beginner to this network stuff and my knowledge about "ports" is near zero.

rvk

I tested the demo from Jurassic Pork (many thanks for that) and on the 1st view it works.
But I tested it with 2 FTP servers and it returned "Server is unreachable", but both are available via /usr/bin/ping. In one project I want to test via "ping" for these FTP servers (e.g. before I try to connect to them).

And you used '443' as port. Is this value always to use for everything? Or are there cases, where another value must be used?
Sorry, I'm a bloody beginner to this network stuff and my knowledge about "ports" is near zero.
FTP is on another port.
HTTP is on 80
HTTPS is on 443
FTP is normally on 21 (control) and 20 (data)

So yes, if you used 443 for the ftp server it probably would fail (unless there is also a webserver on the same address).
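
As an added example (not code from the posts or from Synapse): a TCP connect check in Python that needs no raw socket and no root, and that reports which stage failed, so a wrong port (443 against an FTP-only server) shows up as "refused" or "timeout" instead of as a dead host. The function names and result strings are made up for this illustration; the targets at the bottom are the ones named in the thread, with port 443 assumed.

```python
import socket

def probe_tcp(host, port, timeout=3.0):
    """Return 'ok', 'dns-failure', 'refused', 'timeout' or 'unreachable'."""
    try:
        # Resolution is a separate step, so a broken DNS server is reported
        # as such; an IP literal passes through without any lookup.
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    result = "unreachable"
    for family, socktype, proto, _name, sockaddr in addrs:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(sockaddr)
                return "ok"
            except ConnectionRefusedError:
                result = "refused"    # host answered, nothing listens on this port
            except socket.timeout:
                result = "timeout"    # filtered port or host down
            except OSError:
                pass                  # e.g. no route to host
    return result

def internet_status(ip_targets, name_targets, timeout=3.0):
    """Stage 1: IP literals (no DNS needed). Stage 2: host names (needs DNS)."""
    if not any(probe_tcp(h, p, timeout) == "ok" for h, p in ip_targets):
        return "offline"
    results = [probe_tcp(h, p, timeout) for h, p in name_targets]
    if results and all(r == "dns-failure" for r in results):
        return "dns-broken"
    return "online"

if __name__ == "__main__":
    # Targets taken from the thread; port 443 is an assumption for both.
    print(internet_status([("37.97.187.115", 443)],
                          [("lazarus.freepascal.org", 443)]))
```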

Jurassic Pork

if you are on a linux Gnome environment, you can use the ports scanner of the gnome-nettool to see all the opened tcp ports of a server.
« Last Edit: August 21, 2025, 12:15:33 am by Jurassic Pork »
Jurassic computer : Sinclair ZX81 - Zilog Z80A à 3,25 MHz - RAM 1 Ko - ROM 8 Ko

Hartmut

HTTP is on 80
HTTPS is on 443
FTP is normally on 21 (control) and 20 (data)
Thanks, that helped. With port 21 I could reach my 2 FTP servers.

if you are on a linux Gnome environment, you can use the ports scanner of the gnome-nettool to see all the opened tcp ports of a server.
Although I'm on KDE-Plasma Desktop I could install the gnome-nettool. For me as a beginner it is a great tool for investigation without having to fight with many unknown command line parameters. Thanks a lot.

I'm still hoping to get an answer from Thausand (or someone else) regarding what he wrote:
If want ping no root then have use capability (setcap). Always you can make group that have raw socket capability but normal is have grant program raw socket capability.
Does that mean:
 - I can create a new group and give it "raw socket capability" (how to do this?)
 - then I add the current user to this group
 - after this, all programs which are started by the current user, do not need sudo any longer to use the PING feature of Synapse?
This would be a great solution!
Did you mean this?

MarkMLl

- I can create a new group and give it "raw socket capability" (how to do this?)
 - then I add the current user to this group
 - after this, all programs which are started by the current user, do not need sudo any longer to use the PING feature of Synapse?

I believe that's wrong. Capabilities are an attribute of a specific program, and for security reasons are lost if e.g. the program is copied from one place to another.

Ages ago I uploaded a Lazarus patch to Mantis which allowed the "run after" command to be given root privilege specifically to do this. I haven't a clue how to find it in the new bugtracker.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Logitech, TopSpeed & FTL Modula-2 on bare metal (Z80, '286 protected mode).
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

Hartmut

Ages ago I uploaded a Lazarus patch to Mantis which allowed the "run after" command to be given root privilege specifically to do this. I haven't a clue how to find it in the new bugtracker.
I think I found it in https://gitlab.com/freepascal.org/lazarus/lazarus/-/issues/38608
It's still open.

MarkMLl

Ages ago I uploaded a Lazarus patch to Mantis which allowed the "run after" command to be given root privilege specifically to do this. I haven't a clue how to find it in the new bugtracker.
I think I found it in https://gitlab.com/freepascal.org/lazarus/lazarus/-/issues/38608
It's still open.

Yes, that looks right. It works (at least through Lazarus v2), and relies on whatever the current desktop environment is using to get at sudo. IIRC the maintainers didn't like it since it wasn't portable to Windows...

However there's a problem here. It would be desirable if the IDE itself had the capability to set capabilities without needing to get authorisation via sudo. There's a capability which allows that, but since it can also propagate itself applying it to something like a development environment basically leaves the system wide-open.

Fixing that would mean engaging with the overall POSIX standards-setters, and I've got enough issues of my own without trying to convince them that there's a potential improvement to be made.

So, capability flags are (AIUI) set in the executable program's inode (filesystem structure), and are very much not saved if it's archived or moved: if you want a binary which can e.g. listen to a low-numbered socket or generate pings (ICMP echo requests) then it's necessary to bless it every time.

MarkMLl

Hartmut

It would be desirable if the IDE itself had the capability to set capabilities without needing to get authorisation via sudo. There's a capability which allows that, but since it can also propagate itself applying it to something like a development environment basically leaves the system wide-open.
Can you explain that capability please? Maybe it would be useful for my personal use.

MarkMLl

It would be desirable if the IDE itself had the capability to set capabilities without needing to get authorisation via sudo. There's a capability which allows that, but since it can also propagate itself applying it to something like a development environment basically leaves the system wide-open.
Can you explain that capability please? Maybe it would be useful for my personal use.

I suggest man 7 capabilities to start with, but also see https://forum.lazarus.freepascal.org/index.php/topic,47970.msg345641.html#msg345641 for examples.

Basically "POSIX Capabilities" (as a specific term) allow a binary to be "blessed" with most if not all of the abilities that it would have if it were being run by the root user (i.e. setuid root etc.). However this is fairly fine-grained, so you can give the binary permission to e.g. listen on UDP port 79 without also giving the user running it the ability to manipulate /bin and (in general) other privileged storage areas.

So I've got one specific program which does a lot of monitoring of the "next hop" router, the DNS server and so on, which is blessed using something like:

Code: Text
#!/bin/sh

# Bless the binary: grant the listed capabilities as permitted (p) and effective (e).
sudo -A -n -k setcap CAP_DAC_OVERRIDE,CAP_NET_BIND_SERVICE,CAP_NET_RAW=p+e  WatchP0x-x86_64-linux-gtk2

and can be inspected:

Code:
/usr/local/bin$ sudo getcap *
WatchP0x-x86_64-linux-gtk2 cap_dac_override,cap_net_bind_service,cap_net_raw=ep

Working from memory, that leaves the binary in the state where it can both benefit from and control e.g. cap_net_raw. However it is good practice to relinquish the capability as soon as it is no longer needed, so that if somebody were able to take control of the program by e.g. a buffer overflow he'd not be able to wreak havoc:

Code: Pascal
(* Relinquish the capabilities which allowed a non-root user to create a socket
  in /var/run or with a port number < 1024.
*)
procedure RelinquishCapabilities;

var
  cap: boolean;

begin

(* When not running as root, relinquish any capabilities we've been granted.    *)
(* Even if running as root do this silently, to allow for the case where a      *)
(* capability has been explicitly added. Note that I'm avoiding "permissions"   *)
(* etc. here as ambiguous, I don't think there's any need to translate          *)
(* "capability" etc. in this context.                                           *)

(* WARNING: visibility of capabilities might be modified if running under the   *)
(* control of the debugger. Always test outside the debugger before jumping to  *)
(* any conclusions.                                                             *)

  if (FpGetgid <> 0) or (FpGetuid <> 0) then begin      (* Give up capability   *)
...
    if GetCapability(cap, CAP_NET_RAW) then
      if cap then begin
        Write(StdErr, 'Relinquishing NET_RAW capability... ');
        if SetCapability(false, CAP_NET_RAW) then
          WriteLn(StdErr, 'OK')
        else
          WriteLn(StdErr, 'failed')
      end else begin end;
    if GetCapability(cap, CAP_NET_RAW, CAP_PERMITTED) then
      if cap then begin
        Write(StdErr, 'Relinquishing NET_RAW permittivity... ');
        if SetCapability(false, CAP_NET_RAW, CAP_PERMITTED) then
          WriteLn(StdErr, 'OK')
        else
          WriteLn(StdErr, 'failed')
      end else begin end
  end else begin
...
    SetCapability(false, CAP_NET_RAW);
    SetCapability(false, CAP_NET_RAW, CAP_PERMITTED)
  end
end { RelinquishCapabilities } ;

And so on.

MarkMLl

Hartmut

Thank you MarkMLl for your reply. I have great difficulties to understand what you mean. All this stuff about capabilities is completely new to me. And you "use" / premise a lot of things I don't know. And my English is not the best.

Did I guess this correctly:
 - you make or have a copy of 'setcap' which is named 'setcap2'
 - then only once you need sudo to give the capability 'CAP_SETFCAP' to 'setcap2' via "sudo setcap CAP_SETFCAP=p+e ./setcap2"
 - after that you can use 'setcap2' to set any wanted capability (e.g. 'cap_net_raw') to any executable, but without needing sudo for that
Is this correct?

MarkMLl

Thank you MarkMLl for your reply. I have great difficulties to understand what you mean. All this stuff about capabilities is completely new to me. And you "use" / premise a lot of things I don't know. And my English is not the best.

Did I guess this correctly:
 - you make or have a copy of 'setcap' which is named 'setcap2'
 - then only once you need sudo to give the capability 'CAP_SETFCAP' to 'setcap2' via "sudo setcap CAP_SETFCAP=p+e ./setcap2"
 - after that you can use 'setcap2' to set any wanted capability (e.g. 'cap_net_raw') to any executable, but without needing sudo for that
Is this correct?

Yes, but that was purely a proof-of-concept when I was investigating what the IDE could potentially do: I strongly advise you to not try abusing Linux's robustness in that way.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Logitech, TopSpeed & FTL Modula-2 on bare metal (Z80, '286 protected mode).
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories
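
The file capabilities discussed in the posts above are stored in the security.capability extended attribute of the executable, which is why a freshly compiled or copied binary has none. As an added example (not code from any poster), this Python decoder parses that attribute into the notation getcap prints and flags entries such as CAP_SETFCAP on the hypothetical setcap2 copy; the two sample blobs are constructed, and the HIGH_RISK selection is an assumption of this example.

```python
import struct

# Capability names indexed by bit number (linux/capability.h).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

# Assumption of this example: capabilities an auditor would flag because they
# allow granting further privilege or bypassing file permission checks.
HIGH_RISK = {"cap_setfcap", "cap_setpcap", "cap_setuid", "cap_setgid",
             "cap_sys_admin", "cap_sys_module", "cap_dac_override"}

def decode_file_caps(blob):
    """Decode a security.capability xattr (struct vfs_cap_data, little-endian)."""
    if len(blob) < 4:
        raise ValueError("truncated xattr")
    (magic,) = struct.unpack_from("<I", blob)
    words = {1: 1, 2: 2, 3: 2}.get(magic >> 24)   # revision -> 32-bit words per set
    if words is None or len(blob) < 4 + 8 * words:
        raise ValueError("unknown revision or truncated xattr")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    def names(mask):
        return [f"cap_{n}" for bit, n in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    return {"effective": bool(magic & 1),          # VFS_CAP_FLAGS_EFFECTIVE
            "permitted": names(permitted), "inheritable": names(inheritable)}

def summarize(blob):
    """Return (getcap-style text for the permitted set, high-risk names)."""
    caps = decode_file_caps(blob)
    flags = ("e" if caps["effective"] else "") + "p"
    text = ",".join(caps["permitted"]) + "=" + flags
    return text, [c for c in caps["permitted"] if c in HIGH_RISK]

# Constructed sample blobs (revision 2, effective flag set), not read from disk.
# On Linux, os.getxattr(path, "security.capability") returns such a blob.
WATCH_BLOB = struct.pack("<IIIII", 0x02000001, (1 << 1) | (1 << 10) | (1 << 13), 0, 0, 0)
SETFCAP_BLOB = struct.pack("<IIIII", 0x02000001, 1 << 31, 0, 0, 0)
```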

Hartmut

Yes, but that was purely a proof-of-concept when I was investigating what the IDE could potentially do: I strongly advise you to not try abusing Linux's robustness in that way.
Thanks. I only wanted to understand what you meant. I agree that it would be dangerous.

MarkMLl

Thanks. I only wanted to understand what you meant. I agree that it would be dangerous.

The bottom line is that lots of things have been added to unix and Linux to prevent one from doing things that are dangerous, but this has been added to /allow/ one to do things that are dangerous: albeit in a more controlled way than setuid root and so on.

As a side note, Larry Wall has been criticised for using "blessed" to indicate the conversion of (in Pascal terms) a record into a class that could be instantiated, since people accuse him of trying to introduce his Christian inclinations into programming.

However, he worked for Unisys and before that (I believe) Burroughs, who at one time had a single-bit flag in the header of a program which indicated whether it was allowed to perform privileged operations. In principle, that flag could only be set by a special mc ("make compiler") utility, which was kept under lock and key by the site manager.

However, multiple groups of academics and students (including Knuth and Wirth at Stanford and Kildall at Washington) worked out that if you compiled a program (typically, an experimental compiler) to tape, then asked an inattentive operator to remount the tape as a raw medium, you could trivially set that flag, basically blowing holes in the system's security.

Hence I am very, very cautious with things like POSIX capabilities, in case they are invoked by somebody with ulterior motives.

MarkMLl

Thausand

...
So my guess is that it's allowed there too for unprivileged users.
Thank you very much rvk for explain.

Yes, you correct (I make test for trixie vm). First I did not understand correct (Before I think trixie more restrictive but your example tell other way around and make logic). Is now better control with trixie (but also work for bookworm).

Thausand

Thank you Thausand. I'm aware that I can set 'net_raw' capability to my program. But this has 2 disadvantages:
 - after each new compile (and that can be many times a day) I have to repeat that step and this step needs sudo
 - the users of my program must repeat this step after every program-update and this step needs sudo
Both make this solution quite uncomfortable.
Yes, that is negative drawback.

Quote
Does that mean:
 - I create a new group and give it raw socket capability
 - then I add the current user to this group
 - after this, all programs which are started by the current user, do not need sudo any longer to use the PING feature of Synapse?
This would be a great solution!
Did you mean this?
Yes, if understand correct then solution sysctl by rvk make possible and have that. Not have tested myself. If need help I need read instruction first  :)

Quote
With trixie you mean Debian 13 "Trixie"?
Yes, correct. Trixie = Debian 13 Trixie (then also ubuntu etc but not know distribution name for Debian 13 base ubuntu etc distribution).

Sorry for delay. MarkMLl write better English for detail explain security topic.

 
