On May 11, 2017 1:49:05 AM GMT+02:00, Adam Carter <adamcarter3@×××××.com> wrote:
>I want to allow some fairly well trusted users the ability to do traces
>with icmp. I can give them sudo, but how high is the risk of making
>traceroute suid root? AFAIK making text editors or anything that has an
>ability to run shell commands suid root is effectively giving them root
>access, but other than exploiting vulnerabilities in traceroute itself,
>are there any other issues?

You should be able to do this with capabilities. Presumably the
capability needed is CAP_NET_RAW, therefore something like this should
do the trick:

setcap 'CAP_NET_RAW=+ep' `which traceroute`
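
Added example (not part of the original message): setcap stores the grant in the file's security.capability extended attribute, and this decoder reads that attribute to confirm a binary carries nothing beyond CAP_NET_RAW. The helper names, the allowlist check and the sample byte strings are constructed for illustration; the layout and bit numbers follow linux/capability.h.

```python
import struct

# Capability bit numbers from linux/capability.h (subset, for readable output).
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid",
             12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# xattr revision -> number of 32-bit (permitted, inheritable) pairs that follow
REVISION_WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}


def _names(bits):
    """Turn a capability bitmask into a set of names."""
    return {CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if (bits >> b) & 1}


def decode_file_caps(raw):
    """Decode a raw security.capability xattr value."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    (magic,) = struct.unpack_from("<I", raw, 0)
    words = REVISION_WORDS.get(magic & VFS_CAP_REVISION_MASK)
    if words is None or len(raw) < 4 + 8 * words:
        raise ValueError("unknown revision or truncated xattr")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"permitted": _names(permitted), "inheritable": _names(inheritable),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}


def only_grants(raw, allowed):
    """True if permitted and inheritable sets stay within `allowed`."""
    caps = decode_file_caps(raw)
    return (caps["permitted"] | caps["inheritable"]) <= set(allowed)


# Constructed sample: the xattr for cap_net_raw+ep (revision 2, effective flag set).
SAMPLE_NET_RAW_EP = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)
# Constructed sample: a broader grant (adds cap_sys_admin) that an audit should flag.
SAMPLE_TOO_BROAD = struct.pack("<IIIII", 0x02000001, (1 << 13) | (1 << 21), 0, 0, 0)

if __name__ == "__main__":
    print(decode_file_caps(SAMPLE_NET_RAW_EP))
    print(only_grants(SAMPLE_TOO_BROAD, {"cap_net_raw"}))
```

On a live Linux system the raw value can be read with os.getxattr(path, "security.capability"); a binary with no file capabilities has no such attribute and the call raises OSError.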