[gnome-network] Bug#458723: gnome-nettool: traceroute broken for normal user, bad error message

From: Simon Paillard <simon paillard resel enst-bretagne fr>
To: Sven Arvidsson <sa whiz se>, 458723 bugs debian org
Subject: [gnome-network] Bug#458723: gnome-nettool: traceroute broken for normal user, bad error message
Date: Sat, 27 Feb 2010 19:45:25 +0100

retitle 458723 traceroute provides tcptraceroute alternative while not setuid root
reassign 458723 traceroute
affects 458723 gnome-nettool
found 458723 2.0.13-4
thanks

On Tue, Apr 29, 2008 at 11:20:43PM +0200, Sven Arvidsson wrote:
> On Wed, 2008-01-02 at 14:00 +0100, Ralph Aichinger wrote:
> > When I start gnome-nettool as a normal user, and try to use the
> > traceroute tab, the following happens: Trace button turns red,
> > status bar looks as if the program does something, and then nothing.
> > No error message whatsoever.
> > 
> > Only when I start gnome-nettool from a terminal I get the following
> > message in the terminal:
> > 
> > The specified type of tracerouting is allowed for superuser only
> > 
> > Most users using gnome-nettool will not start it from the terminal
> > and will therefore be confused.
> > 
> > *And* there are ways of tracerouting that normal users are allowed
> > to do. Why are these not used?
> 
> The error message actually comes from tcptraceroute.
> 
> gnome-nettool can use either tcptraceroute or traceroute, but prefers
> the first one.

When tcptraceroute is installed, everything works fine as the binary is
setuid (as mentionned by
https://bugzilla.gnome.org/show_bug.cgi?id=582848#c1 ).

However, when tcptraceroute is *not* installed, traceroute provides a
tcptraceroute alternative, with different features and interface.

lrwxrwxrwx 1 root root   25 fév 27 19:28 /etc/alternatives/tcptraceroute -> /usr/bin/tcptraceroute.db
lrwxrwxrwx 1 root root   31 fév 22  2009 /usr/bin/tcptraceroute -> /etc/alternatives/tcptraceroute
-rwxr-xr-x 1 root root 1476 jun 20  2008 /usr/bin/tcptraceroute.db

dpkg -S /usr/bin/tcptraceroute.db
traceroute: /usr/bin/tcptraceroute.db

But this shell wrapper use -T option to use TCP SYN for probes (opts="-T"),
while traceroute binary is *not* setuid.
-rwxr-xr-x 1 root root  41008 jun 20  2008 /usr/bin/traceroute.db

As a consequence, without tcptraceroute package, we get:
/usr/bin/tcptraceroute -q 2 -m 40 194.109.137.218
The specified type of tracerouting is allowed for superuser only

For consistency, I'd vote for setting traceroute setuid (2nd option: stop
providing tcptraceroute alternative with traceroute). 


-- 
Simon Paillard

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]