/usr/bin/ping does not need a SUID bit if appropriate capabilities are set

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/lfs/iputils b/lfs/iputils
index b1e2e221628b4821d3579d124119e926a199dcb7..ae692df7ad87f31b2915657614bf4b6982e3196e 100644 (file)
--- a/lfs/iputils
+++ b/lfs/iputils
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2018  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -71,9 +71,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
        cd $(DIR_APP) && make ping tracepath
-       cd $(DIR_APP) && install -m 4755 ping /usr/bin
+       cd $(DIR_APP) && install -m 0755 ping /usr/bin
        cd $(DIR_APP) && install -m 0755 tracepath /usr/bin
 
+       # Allow execution of /usr/bin/ping by other users than "root"
+       setcap cap_net_raw+ep /usr/bin/ping
+
        # Some scripts expect ping in /bin/ping.
        ln -svf ../usr/bin/ping /bin/ping