| 1 |
On May 11, 2017 1:49:05 AM GMT+02:00, Adam Carter <adamcarter3@×××××.com> wrote: |
| 2 |
>I want to allow some fairly well trusted users the ablilty to do traces |
| 3 |
>with icmp. I can give them sudo, but how high is the risk of making |
| 4 |
>traceroute suid root? AFAIK making text editors or anything that has an |
| 5 |
>ability to run shell commands suid root is effectively giving them root |
| 6 |
>access, but other than exploiting vulnerabilities in traceroute itself, |
| 7 |
>are |
| 8 |
>there any other issues? |
| 9 |
|
| 10 |
You should be able to do this with capabilities. Presumably the |
| 11 |
capability needed is CAP_NET_RAW, therefore something like this should |
| 12 |
do the trick: |
| 13 |
|
| 14 |
setcap 'CAP_NET_RAW=+ep' `which traceroute` |
Archives