Milen Rangelov wrote:
> The sing utility (Send Nasty ICMP Garbage) is a ping replacement that
> allows sending ICMP packets with spoofed source and custom ICMP
> types/codes (http://sourceforge.net/projects/sing).
>
> The debian package provides sing as a suid binary (actually,
> the sid distribution asks the user whether he'd like it installed suid,
> I'm not 100% sure, but in etch, it installs it suid, anyway, should
> check).
Thanks for bringing this to our attention.
However, above statement is not correct. Both the sing packages in
Debian oldstable (Sarge) and Debian stable (Etch) do not provide a setuid
root binary by default. The override status is handled by debconf and
defaults to no:
| For 'sing' to work for non-root users, it needs to be suid.
|
| Please keep in mind that making 'sing' suid, allows non-root users to
| send spoofed ICMP messages from your machine.
|
| If you don't know what that means, refuse to make it suid here, and
| run 'sing' only as root.
> The sing utility (Send Nasty ICMP Garbage) is a ping replacement that
> allows sending ICMP packets with spoofed source and custom ICMP
> types/codes (http://sourceforge.net/projects/sing).
>
> The debian package provides sing as a suid binary (actually,
> the sid distribution asks the user whether he'd like it installed suid,
> I'm not 100% sure, but in etch, it installs it suid, anyway, should
> check).
Thanks for bringing this to our attention.
However, above statement is not correct. Both the sing packages in
Debian oldstable (Sarge) and Debian stable (Etch) do not provide a setuid
root binary by default. The override status is handled by debconf and
defaults to no:
| For 'sing' to work for non-root users, it needs to be suid.
|
| Please keep in mind that making 'sing' suid, allows non-root users to
| send spoofed ICMP messages from your machine.
|
| If you don't know what that means, refuse to make it suid here, and
| run 'sing' only as root.
Cheers,
Moritz
[ reply ]