Date:      Sun, 24 Mar 2024 07:48:35 -0700
From:      Cy Schubert <Cy.Schubert@cschubert.com>
To:        freebsd-hackers@freebsd.org, Tom Forbes <tom@tomforb.es>
Subject:   Re: Removing or changing the ping interval restriction for non-root users
Message-ID:  <2D5DD001-DD98-4A8E-9458-6754E6D977EE@cschubert.com>
In-Reply-To: <954e1d80-d44f-4c3d-88a7-122dc0f25de4@app.fastmail.com>
References:  <954e1d80-d44f-4c3d-88a7-122dc0f25de4@app.fastmail.com>


On March 24, 2024 5:57:01 AM PDT, Tom Forbes <tom@tomforb.es> wrote:
>Hello,
>I maintain a small project called gping[1] that recently added support for FreeBSD. One of the issues I ran into with running this on FreeBSD was that the `ping` command seems to disallow intervals of less than 1 second if you are not running as root[2]. This check was last touched 23 years ago and I'm curious as to why this restriction exists? I assume it's from an earlier time in the internet's history, and perhaps is related to potential misuse of the command to flood targets with packets via ping?
>
>If it is then I'd like to suggest that this limitation be removed or reduced to `0.1` seconds instead? Using `ping` for this kind of thing isn't a viable attack today, and the 1 second limitation seems like it would get in the way of useful uses of the ping command.
>
>Also this is my first post to any *BSD mailing list, so please let me know if this is not the right place to ask this question or propose this!
>
>Thanks,
>Tom
>
>1. https://github.com/orf/gping
>2. https://github.com/freebsd/freebsd-src/blame/8a56ef8d75b42ee7228247466c8c1712de6e3b6f/sbin/ping/ping6.c#L441

Other UNIX-like systems have the same restriction. At $JOB we use Solaris and various Linux systems. All maintain the same restriction. Other BSDs are the same. I don't think FreeBSD should be an outlier.

Maybe a setgid bit or a capability to remove the restriction may be a better solution. But to reduce the timeout to essentially remove it is IMO unwise.

-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>  Web:  https://FreeBSD.org
NTP:                     <cy@nwtime.org>    Web:  https://nwtime.org
                                                    e^(i*pi)+1=0

Pardon the typos. Small keyboard in use.


