author | rnhmjoj <rnhmjoj@inventati.org> | 2023-12-11 10:53:19 +0100 |
---|---|---|
committer | github-actions[bot] <github-actions[bot]@users.noreply.github.com> | 2023-12-11 19:48:20 +0000 |
commit | 63e75c9b491fc9e04e4a9911936be5a1dd985383 (patch) | |
tree | 39e5f4e44e2b6b8d4283456450f3c370bd49ee13 /nixos/modules | |
parent | 95a4ba9f631b3f99ca393f3967856ea9ffdb9bbe (diff) |
nixos/networking-interfaces: fix rootless ping
In 759ec111 the ping setuid wrapper was removed in favour of giving permissions to perform ICMP echo requests to all users. The problem is that the systemd file that was supposed to change the `net.ipv4.ping_group_range` sysctl is not always installed, specifically only if systemd.coredump.enable is set. Otherwise the range is "0 1", which effectively restricts ping to only root. This change explicitly sets the range to "0 2^31-1", as systemd does. (cherry picked from commit cdc24ab40989d45fab2779d9df243aba5f3cfe3c)
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/tasks/network-interfaces.nix | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index 298add13437a0..53ffaa028038d 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1396,6 +1396,8 @@ in
 "net.ipv4.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces);
 "net.ipv6.conf.all.disable_ipv6" = mkDefault (!cfg.enableIPv6);
 "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6);
+ # allow all users to do ICMP echo requests (ping)
+ "net.ipv4.ping_group_range" = mkDefault "0 2147483647";
 # networkmanager falls back to "/proc/sys/net/ipv6/conf/default/use_tempaddr"
 "net.ipv6.conf.default.use_tempaddr" = tempaddrValues.${cfg.tempAddresses}.sysctl;
 } // listToAttrs (forEach interfaces |
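Review bot: The comment on the added `"net.ipv4.ping_group_range"` line does not say what the value means or how to tighten it, which matters because the setting lets every local account and service open unprivileged ICMP echo sockets. I would expand it to something like `# allow every GID (0..2^31-1) to open unprivileged ICMP echo sockets, replacing the setuid ping wrapper; set to "1 0" to disable`. Because the value is wrapped in `mkDefault`, a hardened configuration can still override it (presumably through `boot.kernel.sysctl`), and the comment could say so. The surrounding attribute set starts and ends outside the hunk.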