Solved [traceroute: icmp socket: Operation not permitted]

Hi, I am trying to restrict my FreeBSD users and only allow specific commands like traceroute, ping, arp, tcpdump etc.

I used restricted bash and limited the user's PATH to the programs which I allowed. However, traceroute didn't work for the restricted user. So how can I allow a restricted user to run traceroute without sudo?

Code:
$ traceroute 8.8.8.8
traceroute: icmp socket: Operation not permitted


Code:
chsh -s /usr/local/bin/rbash test

nano /home/test/.login_conf

me:\
   :path=~/programs:

cap_mkdb /home/test/.login_conf

cp /usr/sbin/traceroute /sbin/ping /usr/sbin/tcpdump /usr/sbin/arp /home/test/programs/.
 
traceroute(8) needs root access (that's why it's SUID root) because it builds packets from scratch. Put the SUID bit back, set the group to something like "network users" and only allow owner and group read+execute. Remove the read and execute permissions from the 'others'. Then add the user to the aforementioned "network users" group.
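
The steps in the reply above, written out as an added example (not code posted by anyone in this thread) with a check that a copied binary really has the mode that reply describes. The group name `netusers` and the `apply`/`audit_line` helpers are assumptions; the user `test` and the directory come from the first post.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed names: group "netusers";
# user "test" and /home/test/programs are taken from the first post.
# Assumption: $DEST is not on a filesystem mounted nosuid, otherwise the
# setuid bit is ignored at exec time.
GROUP=netusers
RUSER=test
DEST=/home/test/programs

# audit_line LS_LINE GROUP: succeed only if one `ls -l` line shows a
# root-owned setuid file, group read+execute, and nothing for others.
audit_line() {
    want_group=$2
    set -f            # no globbing while the line is split into fields
    set -- $1         # fields: mode links owner group ...
    set +f
    case "$1" in
        -r[-w]sr-x---*) ;;
        *) echo "mode $1: setuid missing or others have access" >&2; return 1 ;;
    esac
    [ "$3" = root ] || { echo "owner $3 is not root" >&2; return 1; }
    [ "$4" = "$want_group" ] || { echo "group $4 is not $want_group" >&2; return 1; }
}

# apply: run as root on FreeBSD. install(1) sets owner, group and mode in
# one step, so the copy does not silently lose the setuid bit as cp does.
apply() {
    pw groupshow "$GROUP" >/dev/null 2>&1 || pw groupadd "$GROUP"
    pw groupmod "$GROUP" -m "$RUSER"
    for src in /usr/sbin/traceroute /sbin/ping; do
        install -o root -g "$GROUP" -m 4550 "$src" "$DEST/"
        audit_line "$(ls -l "$DEST/${src##*/}")" "$GROUP" || return 1
    done
}

if [ "${1:-}" = apply ]; then apply; fi
```

The restricted user has to log in again before the new group membership takes effect.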
 
traceroute/ping need the sticky bit (see chmod) / they need root for raw sockets
by copying it you have reset it
tcpdump also needs permissions on /dev/bpf
 
tcpdump worked with this configuration. I'd like to ask you masters: is it acceptable or vulnerable?

Code:
chown -R test:consolers /dev/bpf
chmod 0550 /dev/bpf

$ ls -la /dev/bpf
cr-xr-x---  1 test  consolers  0x1c Oct 10 16:36 /dev/bpf
test@alfa:/root $ tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.80.2 > 1.1.1.2: ICMP echo request, id 31307, seq 14194, length 9
 
Permissions in /dev will get reset after a reboot. It's a virtual filesystem, not a real one. So you will have to do some devfs.conf magic in order for those permissions to survive a reboot. tcpdump(1) could work without root access but you won't be able to put the interface(s) in promiscuous mode.
 
OK, I configured devfs.conf and tcpdump worked for restricted users.

Code:
/etc/devfs.conf

#
# Examples:

# Commonly used by many ports
#link   cd0     cdrom
#link   cd0     dvd

# Allow a user in the wheel group to query the smb0 device
#perm   smb0    0660

# Allow members of group operator to cat things to the speaker
#own    speaker root:operator
#perm   speaker 0660

own     bpf     test:consolers
perm    bpf     0550


##
service devfs restart
 