Lab 33.2. Explore the apparmor Security. /bin/ping-x works executed as ubuntu user in EC2 instance

Hello there,

After copying /bin/ping to /bin/ping-x I can still run /bin/ping-x as the ubuntu user:

$ sudo cp /bin/ping /bin/ping-x

$ sudo ls -l /bin/ping-x 
-rwxr-xr-x 1 root root 76672 Apr 12 10:03 /bin/ping-x

$ sudo getcap /bin/ping-x

$ ping-x -c3 -4 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.037 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.023 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.027 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2035ms
rtt min/avg/max/mdev = 0.023/0.029/0.037/0.005 ms

apparmor is loaded:

$ sudo apparmor_status 
apparmor module is loaded.

$ systemctl status apparmor
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: active (exited) since Fri 2024-04-12 09:59:51 UTC; 12min ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
   Main PID: 220 (code=exited, status=0/SUCCESS)
        CPU: 962ms

The ubuntu user looks like this:

$ whoami
ubuntu

$ groups
ubuntu adm dialout cdrom floppy sudo audio dip video plugdev netdev lxd

$ sudo -l -U ubuntu
Matching Defaults entries for ubuntu on ip-172-31-7-104:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User ubuntu may run the following commands on ip-172-31-7-104:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL

And my system:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:    22.04
Codename:   jammy

$ uname -a
Linux ip-172-31-7-104 6.5.0-1014-aws #14~22.04.1-Ubuntu SMP Thu Feb 15 15:27:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Probably I must be missing something :)

Thanks in advance,

Luis

PS: I must admit that I have not tried it yet, either on my personal laptop or in a VM.
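Added example, not part of the thread or the lab: a small Python checker that works out, from `getcap` output, the `net.ipv4.ping_group_range` sysctl and the caller's group IDs, which of the two paths iputils `ping` can take: a raw socket (needs the `cap_net_raw` file capability, which a plain `cp` does not carry over, as the empty `getcap /bin/ping-x` output shows) or an unprivileged ICMP datagram socket (allowed only when one of the caller's GIDs lies inside `ping_group_range`). Whether the sysctl explains the difference between the images in this thread is an assumption to verify on the instance; the `/bin/ping-x` path is the thread's, the function and constant names are mine.

```python
import os
import re
import subprocess

RAW_VIA_FILECAP = "raw socket allowed: binary carries cap_net_raw in its file capabilities"
DGRAM_VIA_SYSCTL = "ICMP datagram socket allowed: a caller GID is inside net.ipv4.ping_group_range"
DENIED = "neither path available: expect 'socket: Operation not permitted'"


def has_cap_net_raw(getcap_output: str) -> bool:
    """True if getcap reports cap_net_raw with the effective flag set.

    getcap prints nothing at all for a binary without file capabilities,
    which is exactly what the copied /bin/ping-x shows.
    Handles both '/bin/ping cap_net_raw=ep' and the older
    '/bin/ping = cap_net_raw+ep' output formats.
    """
    for line in getcap_output.splitlines():
        if "cap_net_raw" not in line:
            continue
        flags = re.split(r"[=+]", line.strip())[-1]  # e.g. 'ep'
        if "e" in flags:
            return True
    return False


def in_ping_group_range(ping_group_range: str, gids) -> bool:
    """Kernel default '1 0' is an empty range: unprivileged ICMP sockets denied."""
    lo, hi = (int(x) for x in ping_group_range.split())
    return any(lo <= g <= hi for g in gids)


def explain(getcap_output: str, ping_group_range: str, gids) -> str:
    """Diagnose why ping (or a copy of it) can or cannot open its socket.

    Assumes the binary is not setuid root, as in the thread (-rwxr-xr-x).
    """
    if has_cap_net_raw(getcap_output):
        return RAW_VIA_FILECAP
    if in_ping_group_range(ping_group_range, gids):
        return DGRAM_VIA_SYSCTL
    return DENIED


def explain_live(binary: str = "/bin/ping-x") -> str:
    """Run the same diagnosis against the running Linux system."""
    getcap = subprocess.run(["getcap", binary], capture_output=True, text=True).stdout
    with open("/proc/sys/net/ipv4/ping_group_range") as f:
        rng = f.read()
    return explain(getcap, rng, os.getgroups())
```

Run `explain_live()` on both instances and compare: the same empty `getcap` output paired with a different `ping_group_range` value would account for the copy working on one image and failing with "Operation not permitted" on the other.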

Comments

  • luisviveropena
    luisviveropena Posts: 1,171

    Hi @lurodrig,

    I tried in a cloud VM as well. I also tried in a local VM, and it worked. The only difference is that I used Ubuntu 23.10. Can you try on that OS and version, please? Just to check if this would be related to a specific OS version.

    devopsn3rd@ubuntu23:~$ sudo systemctl status apparmor
    ● apparmor.service - Load AppArmor profiles
    Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; preset: enabled)
    Active: active (exited) since Wed 2024-04-17 14:30:05 UTC; 5min ago
    Docs: man:apparmor(7)
    https://gitlab.com/apparmor/apparmor/wikis/home/
    Main PID: 263 (code=exited, status=0/SUCCESS)
    CPU: 1.241s

    Apr 17 14:30:05 ubuntu systemd[1]: Starting apparmor.service - Load AppArmor profiles...
    Apr 17 14:30:05 ubuntu apparmor.systemd[263]: Restarting AppArmor
    Apr 17 14:30:05 ubuntu apparmor.systemd[263]: Reloading AppArmor profiles
    Apr 17 14:30:05 ubuntu systemd[1]: Finished apparmor.service - Load AppArmor profiles.

    devopsn3rd@ubuntu23:~$ id
    uid=1001(devopsn3rd) gid=1002(devopsn3rd) groups=1002(devopsn3rd),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),115(netdev),116(lxd),1000(ubuntu),1001(google-sudoers)

    devopsn3rd@ubuntu23:~$ ping google.com
    PING google.com (172.217.219.101) 56(84) bytes of data.
    64 bytes from je-in-f101.1e100.net (172.217.219.101): icmp_seq=1 ttl=115 time=1.66 ms
    64 bytes from je-in-f101.1e100.net (172.217.219.101): icmp_seq=2 ttl=115 time=1.15 ms
    ^C
    --- google.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1002ms
    rtt min/avg/max/mdev = 1.145/1.402/1.659/0.257 ms

    devopsn3rd@ubuntu23:~$ ping -c 3 127.0.0.1
    PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.025 ms
    64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.043 ms
    ^C
    --- 127.0.0.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1010ms
    rtt min/avg/max/mdev = 0.025/0.034/0.043/0.009 ms

    devopsn3rd@ubuntu23:~$ sudo cp /bin/ping /bin/ping-x
    devopsn3rd@ubuntu23:~$ sudo getcap /bin/ping
    /bin/ping cap_net_raw=ep

    devopsn3rd@ubuntu23:~$ sudo getcap /bin/ping-x
    devopsn3rd@ubuntu23:~$
    devopsn3rd@ubuntu23:~$ ping-x google.com
    ping-x: socktype: SOCK_RAW
    ping-x: socket: Operation not permitted
    ping-x: => missing cap_net_raw+p capability or setuid?

    devopsn3rd@ubuntu23:~$ cat /etc/os-release
    PRETTY_NAME="Ubuntu 23.10"
    NAME="Ubuntu"
    VERSION_ID="23.10"
    VERSION="23.10 (Mantic Minotaur)"
    VERSION_CODENAME=mantic
    ID=ubuntu
    ID_LIKE=debian
    HOME_URL="https://www.ubuntu.com/"
    SUPPORT_URL="https://help.ubuntu.com/"
    BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
    PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
    UBUNTU_CODENAME=mantic
    LOGO=ubuntu-logo

    So, it worked for me and I was unable to reproduce the issue.

    Regards,
    Luis.

  • lurodrig
    lurodrig Posts: 2

    Hello @luisviveropena

    Thank you very much for your answer and sorry for the delay in my response.

    You are right, in a fresh EC2 instance with ubuntu 24.04 it works.

    Thank you very much,

    Cheers,

    Luis

  • luisviveropena
    luisviveropena Posts: 1,171

    Hi @lurodrig,

    It's a pleasure! I'm glad it worked :)

    Regards,
    Luis.
