
Debugging why ping was Broken in Docker Images - plausibility
https://www.cyphar.com/blog/post/docker-broken-ping
======
simoncion
> Most people agree that the Unix privilege model is a hold-over from an older
> time. Concepts like “binding to a lower port requires root” are warts of the
> original design of Unix.

...no. Privileged ports are a way to prevent an unprivileged user from turning
a service crash into a service _takeover_.

Windows Firewall _seems_ to _sort of_ mitigate this by only permitting a given
program to communicate on a port, but -from what my testing revealed- it does
_not_ prevent _other_ programs from _binding_ to that port. So, I strongly
suspect that on Windows systems, an unprivileged user can turn a service crash
into a service DoS by racing to bind to the service's port.

~~~
parenthephobia
> ...no. Privileged ports are a way to prevent an unprivileged user from
> turning a service crash into a service takeover.

Whilst privileged ports are indeed used for that purpose, that doesn't mean
they aren't a wart.

There's no necessary technical reason why unprivileged users can't bind to
port 80, except that the designers of the network API decided to equate
successfully binding to a port with having permission to receive connection
requests for that port.

This leads to unpleasant situations like a web server having to run as root,
even if (usually) only temporarily, solely because it needs to bind port 80.

This makes less sense _especially_ with Docker, since even if a containerized
web server binds to port 80, it won't receive connections from the outside
world unless the container is configured to forward the "real" port 80 to it.

~~~
mh-
_This leads to unpleasant situations like a web server having to run as root,
even if (usually) only temporarily, solely because it needs to bind port 80._

Not on modern Linux. See CAP_NET_BIND_SERVICE in `man 7 capabilities`.

------
0x0
I see this all the time when dist-upgrading a root-on-NFS debian machine;
there's always an error message about how setcap'ing the ping binary fails and
then it falls back to setting the suid bit.

------
justincormack
Oh no, that's not all... Linux also has had a way to allow non root users to do
ping, using `socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP)`, which would get
around the whole suid/capabilities approach to ping. That was the whole reason
why it was introduced, and it can just do ICMP not generic raw sockets like
CAP_NET_RAW (which lets you spoof any traffic), and avoids suid root binaries.
Unfortunately you have to explicitly enable it (and there was at least one
security issue in that implementation too), with net.ipv4.ping_group_range (or
ipv6).

~~~
cyphar
I didn't know that. But I guess the reason why it's not just implemented that
way by default is so it can be easily ported (even if all kernels supported
it, relying on the kernel implementation of ICMP packets might cause
inconsistencies you wouldn't see in raw sockets).

~~~
justincormack
It is the same interface, and I believe all the implementations are compatible
with it, it just filters the types of raw packets you are allowed to create.

------
pilif
_> One of these historical warts is that the creation of raw sockets, which is
how ping sends ICMP packets, requires root._

It's a good thing raw sockets require root. Raw sockets are incredibly
powerful tools that can be used for all sorts of mischief (including source
address spoofing in case of UDP, so perfect for various DoS attacks).

It's a feature if some clueless user that just downloaded some Trojan Flash
Player update can't fire off a DNS reflection attack against a third party.

~~~
Maxious
> In May 2001, a well-known CEO of a security and consulting company, Steve
> Gibson, released the Raw Socket's warning. According to his Web site, Raw
> Sockets was a "seriously dumb idea...from Microsoft" that "...spells
> catastrophe for the integrity of the Internet."

[http://www.informit.com/articles/article.aspx?p=27289](http://www.informit.com/articles/article.aspx?p=27289)

