Welcome to the Linux Foundation Forum!

Lab 33.2. Explore the apparmor Security. /bin/ping-x works when executed as the ubuntu user in an EC2 instance

Hello there,

After copying /bin/ping to /bin/ping-x I can still run /bin/ping-x as the ubuntu user:

  $ sudo cp /bin/ping /bin/ping-x

  $ sudo ls -l /bin/ping-x
  -rwxr-xr-x 1 root root 76672 Apr 12 10:03 /bin/ping-x

  $ sudo getcap /bin/ping-x

  $ ping-x -c3 -4 127.0.0.1
  PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
  64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.037 ms
  64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.023 ms
  64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.027 ms

  --- 127.0.0.1 ping statistics ---
  3 packets transmitted, 3 received, 0% packet loss, time 2035ms
  rtt min/avg/max/mdev = 0.023/0.029/0.037/0.005 ms

apparmor is loaded:

  $ sudo apparmor_status
  apparmor module is loaded.

  $ systemctl status apparmor
  apparmor.service - Load AppArmor profiles
  Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
  Active: active (exited) since Fri 2024-04-12 09:59:51 UTC; 12min ago
  Docs: man:apparmor(7)
  https://gitlab.com/apparmor/apparmor/wikis/home/
  Main PID: 220 (code=exited, status=0/SUCCESS)
  CPU: 962ms

The ubuntu user looks like this:

  $ whoami
  ubuntu

  $ groups
  ubuntu adm dialout cdrom floppy sudo audio dip video plugdev netdev lxd

  $ sudo -l -U ubuntu
  Matching Defaults entries for ubuntu on ip-172-31-7-104:
  env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

  User ubuntu may run the following commands on ip-172-31-7-104:
  (ALL : ALL) ALL
  (ALL) NOPASSWD: ALL

And my system:

  $ lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description: Ubuntu 22.04.4 LTS
  Release: 22.04
  Codename: jammy

  $ uname -a
  Linux ip-172-31-7-104 6.5.0-1014-aws #14~22.04.1-Ubuntu SMP Thu Feb 15 15:27:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

I am probably missing something :)

Thanks in advance,

Luis

PS: I must admit that I have not yet tried this on my personal laptop or in a VM.


Comments

  • Posts: 1,252

    Hi @lurodrig,

    I tried in a cloud VM as well. I also tried in a local VM, and it worked. The only difference is that I used Ubuntu 23.10. Can you try on that OS and version, please? Just to check if this would be related to a specific OS version.

    devopsn3rd@ubuntu23:~$ sudo systemctl status apparmor
    ● apparmor.service - Load AppArmor profiles
    Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; preset: enabled)
    Active: active (exited) since Wed 2024-04-17 14:30:05 UTC; 5min ago
    Docs: man:apparmor(7)
    https://gitlab.com/apparmor/apparmor/wikis/home/
    Main PID: 263 (code=exited, status=0/SUCCESS)
    CPU: 1.241s

    Apr 17 14:30:05 ubuntu systemd[1]: Starting apparmor.service - Load AppArmor profiles...
    Apr 17 14:30:05 ubuntu apparmor.systemd[263]: Restarting AppArmor
    Apr 17 14:30:05 ubuntu apparmor.systemd[263]: Reloading AppArmor profiles
    Apr 17 14:30:05 ubuntu systemd[1]: Finished apparmor.service - Load AppArmor profiles.

    devopsn3rd@ubuntu23:~$ id
    uid=1001(devopsn3rd) gid=1002(devopsn3rd) groups=1002(devopsn3rd),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),115(netdev),116(lxd),1000(ubuntu),1001(google-sudoers)

    devopsn3rd@ubuntu23:~$ ping google.com
    PING google.com (172.217.219.101) 56(84) bytes of data.
    64 bytes from je-in-f101.1e100.net (172.217.219.101): icmp_seq=1 ttl=115 time=1.66 ms
    64 bytes from je-in-f101.1e100.net (172.217.219.101): icmp_seq=2 ttl=115 time=1.15 ms
    ^C
    --- google.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1002ms
    rtt min/avg/max/mdev = 1.145/1.402/1.659/0.257 ms

    devopsn3rd@ubuntu23:~$ ping -c 3 127.0.0.1
    PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.025 ms
    64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.043 ms
    ^C
    --- 127.0.0.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1010ms
    rtt min/avg/max/mdev = 0.025/0.034/0.043/0.009 ms

    devopsn3rd@ubuntu23:~$ sudo cp /bin/ping /bin/ping-x
    devopsn3rd@ubuntu23:~$ sudo getcap /bin/ping
    /bin/ping cap_net_raw=ep

    devopsn3rd@ubuntu23:~$ sudo getcap /bin/ping-x
    devopsn3rd@ubuntu23:~$
    devopsn3rd@ubuntu23:~$ ping-x google.com
    ping-x: socktype: SOCK_RAW
    ping-x: socket: Operation not permitted
    ping-x: => missing cap_net_raw+p capability or setuid?

    devopsn3rd@ubuntu23:~$ cat /etc/os-release
    PRETTY_NAME="Ubuntu 23.10"
    NAME="Ubuntu"
    VERSION_ID="23.10"
    VERSION="23.10 (Mantic Minotaur)"
    VERSION_CODENAME=mantic
    ID=ubuntu
    ID_LIKE=debian
    HOME_URL="https://www.ubuntu.com/"
    SUPPORT_URL="https://help.ubuntu.com/"
    BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
    PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
    UBUNTU_CODENAME=mantic
    LOGO=ubuntu-logo

    So, it worked for me and I was unable to reproduce the issue.

    Regards,
    Luis.
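
The thread compares two hosts, one where the capability-less copy pings and one where it fails with "socktype: SOCK_RAW ... Operation not permitted", but neither post checks the one kernel setting that decides this. iputils ping can fall back from a raw socket (which needs cap_net_raw) to an ICMP datagram socket, and the kernel permits that socket type to any process whose group id falls inside net.ipv4.ping_group_range. The script below is an added example, not part of the lab or of either poster's output: it reports the file capability of a binary, the current ping_group_range and the caller's groups, and predicts whether the copy will work before you run it. That this sysctl is what differs between the two images above is an assumption; the script exists so you can confirm it on your own instance. The file name ping-caps.sh and all function names are made up for the example. The getcap match is a substring test because libcap prints either "cap_net_raw=ep" or "= cap_net_raw+ep" depending on its version.

```shell
#!/bin/sh
# ping-caps.sh (hypothetical name): predict and then exercise the lab's
# "copy ping, lose the capability" experiment.  Added example, not from the lab.
#
# Why a copy without cap_net_raw may still work: the kernel lets a process
# open an ICMP *datagram* socket (SOCK_DGRAM, IPPROTO_ICMP) without any
# capability as long as one of its gids lies in net.ipv4.ping_group_range.
# The kernel default "1 0" is an empty range (nobody); systemd's sysctl
# defaults widen it to "0 2147483647" (everybody).

# in_ping_group_range "LO HI" GID... -> 0 if any GID lies in [LO, HI].
# /proc/sys/net/ipv4/ping_group_range prints LO and HI separated by a tab.
in_ping_group_range() {
    range=$1; shift
    gids=$*
    set -- $range            # word-split "LO<tab>HI" (tab or space both work)
    lo=$1; hi=$2
    for gid in $gids; do
        if [ "$gid" -ge "$lo" ] && [ "$gid" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# verdict BIN CAPS RANGE GID... -> explain whether BIN can send ICMP echo.
# CAPS is the raw getcap output for BIN (empty when no file capability is set).
verdict() {
    bin=$1; caps=$2; range=$3; shift 3
    case "$caps" in
        *cap_net_raw*)
            echo "$bin: cap_net_raw file capability present, raw ICMP socket allowed"
            return 0 ;;
    esac
    if in_ping_group_range "$range" "$@"; then
        echo "$bin: no cap_net_raw, but ping_group_range ($range) covers a caller gid, ICMP datagram socket allowed"
        return 0
    fi
    echo "$bin: no cap_net_raw and ping_group_range ($range) excludes the caller, expect 'socket: Operation not permitted'"
    return 1
}

# Live check of this host:   sh ping-caps.sh check [/path/to/binary]
check_host() {
    bin=${1:-/bin/ping}
    caps=$(getcap "$bin" 2>/dev/null || true)
    range=$(cat /proc/sys/net/ipv4/ping_group_range)
    echo "getcap: ${caps:-<none>}"
    if [ "$(id -u)" -eq 0 ]; then
        echo "note: running as root, whose bounding set already holds cap_net_raw"
    fi
    verdict "$bin" "$caps" "$range" $(id -G)   # unquoted: one gid per argument
}

# The lab steps themselves, guarded because they need sudo:   sh ping-caps.sh lab
lab() {
    sudo cp /bin/ping /bin/ping-x              # cp does not carry file capabilities over
    echo "ping caps:   $(getcap /bin/ping)"
    echo "ping-x caps: $(getcap /bin/ping-x || true)"
    check_host /bin/ping-x
    /bin/ping-x -c1 127.0.0.1 || echo "ping-x failed with status $?"
    sudo rm -f /bin/ping-x                     # clean up; drop this if the lab wants the copy kept
}

case ${1:-} in
    check) check_host "$2" ;;
    lab)   lab ;;
esac
```

Run `sh ping-caps.sh check` first; if it reports that the range covers your gid, the copy will ping without cap_net_raw and the lab's expected failure will not appear until you narrow the range (for example `sudo sysctl -w net.ipv4.ping_group_range="1 0"`), which is a host-wide change and should be reverted afterwards.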

  • Posts: 8

    Hello @luisviveropena

    Thank you very much for your answer and sorry for the delay in my response.

You are right, in a fresh EC2 instance with Ubuntu 24.04 it works.

    Thank you very much,

    Cheers,

    Luis

  • Posts: 1,252

    Hi @lurodrig,

    It's a pleasure! I'm glad it worked :)

    Regards,
    Luis.
