Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

0.92 mtr: Failure to start mtr-packet: Invalid argument on macOS 10.12 #204

Closed
ilovezfs opened this issue Jun 17, 2017 · 24 comments
Closed

0.92 mtr: Failure to start mtr-packet: Invalid argument on macOS 10.12 #204

ilovezfs opened this issue Jun 17, 2017 · 24 comments

Comments

@ilovezfs
Copy link

ilovezfs commented Jun 17, 2017
edited
Loading

This was reported to Homebrew in Homebrew/homebrew-core#14669 and does not appear to affect 0.87, which the previous version we had before recently updating the formula.

Tested on macOS 10.12.5 and built with Xcode 8.3.2.

bash-3.2$ sudo /usr/local/sbin/mtr
mtr: Failure to start mtr-packet: Invalid argument

This does not appear to be an issue on OS X 10.11.6. UPDATE: I had /usr/local/sbin in the PATH on the 10.11.6 box.
@ilovezfs ilovezfs mentioned this issue Jun 17, 2017
Closed
5 tasks
@matt-kimball
Copy link
Contributor

Is mtr-packet in your PATH? It is a new subprocess, introduced since 0.87, but it must be installed along with the mtr binary, usually also in /usr/local/sbin, and also in your PATH.

FYI, mtr is working as expected for me on MacOS 10.12.5, though I still have Xcode 8.2 installed.

@JCount
Copy link

JCount commented Jun 18, 2017

This appears to have been a user configuration issue. The user was calling the mtr executable directly, but without /usr/local/sbin in the path, mtr was unable to execute the installed mtr-packet binary.

@rewolff
Copy link
Collaborator

rewolff commented Jun 18, 2017

Matt, would it be an idea to add

char buf[256];
strcpy (buf, orig_argv0);
strcat (buf, "-packet");
execl (buf, buf,  NULL);

to the exec_packet_child function? (and orig_argv0 = argv[0] to main(). )

@ilovezfs
Copy link
Author

Thanks @matt-kimball. Yes, it does work if I add /usr/local/sbin to the PATH. However, this still seems like a bug since it "should" be possible to use mtr by invoking the full path to the executable without having to add all of /usr/local/sbin to your PATH.

@matt-kimball
Copy link
Contributor

Indeed -- it would be a good idea to do something similar to what @rewolff suggests to help find mtr-packet when it is not in the PATH.

@aquerubin
Copy link
Contributor

aquerubin commented Jul 15, 2017 via email

@jmosmap
Copy link

jmosmap commented Aug 29, 2017

Can't run mtr for the same reason from two different machines.

@jnjeG
Copy link

jnjeG commented Sep 21, 2017
edited
Loading

how to add them to "PATH"
http://www.flakor.cn/2014-09-14-714.html

@mhutter
Copy link

mhutter commented Sep 21, 2017

Use this alias as a workaround:

mtr='PATH=/usr/local/sbin:$PATH sudo mtr'

@7rakesh
Copy link

7rakesh commented May 14, 2018

I was able to fix this issue with following path

export PATH=/opt/local/bin:/usr/local/Cellar/mtr/0.92/sbin/:$PATH

@rewolff
Copy link
Collaborator

rewolff commented May 15, 2018

I added the fix to the code almost a year ago, but it could very well be that I have not yet tagged another "release". Sorry about that.

@Chr0213
Copy link

Chr0213 commented May 20, 2018

Thanks @7rakesh !!

@slmingol
Copy link

Simply adding this to your ~/.bash_profile on OSX does the trick:

export PATH=$PATH:/usr/local/sbin

Then to use it:

$ . ~/.bash_profile
$ sudo mtr www.google.com

@RuyProserv
Copy link

thanks

@carlnc
Copy link

carlnc commented Apr 18, 2019
edited
Loading

Alternative to alias method:

Create new file: /usr/local/bin/mtr

#!/bin/bash
PATH=$PATH:/usr/local/sbin sudo /usr/local/sbin/mtr "$@"

Fix up permissions:

chmod 775 /usr/local/bin/mtr

Run:

mtr 192.168.0.1

@rewolff
Copy link
Collaborator

rewolff commented Apr 18, 2019

The whole idea of the mtr / mtr-packet split is that mtr has grown to a big gui application with lots of IO modules. Programs like that should not run with root permissions. So mtr-packet is a small simple extract that just does the things that need root-permissions. That should be the only thing that runs with root permissions. Your suggestion subverts this security measure by again running the big mtr application with root privileges.....

@carlnc
Copy link

carlnc commented Apr 27, 2019
edited
Loading

@rewolff
I take your point and totally agree.

tl;dr

The way Brew installs mtr could do with some "polish".

Details

https://github.com/Homebrew/homebrew-core/blob/master/Formula/mtr.rb#L36

What brew currently does

# ls -l /usr/local/sbin/mtr*
lrwxr-xr-x <myusername> admin /usr/local/sbin/mtr -> /usr/local/Cellar/mtr/0.92/sbin/mtr*
lrwxr-xr-x <myusername> admin /usr/local/sbin/mtr-packet -> /usr/local/Cellar/mtr/0.92/sbin/mtr-packet*

# ls -l  /usr/local/Cellar/mtr/0.92/sbin/
-r-xr-xr-x <myusername> staff mtr*
-r-xr-xr-x <myusername> staff mtr-packet*

What brew should do (or something like it)

  1. Both mtr and mtr-packet should be accessible via /usr/local/bin (not sbin), and
  2. setuid root on mtr-packet (ie: chmod 4555 mtr-packet)

Unfortunately the problem with point 2 above is that /usr/local/bin is not owned by root (and thus setuid will no work)

# ls -ld /usr{,/bin,/sbin,/local{,/bin,/sbin}}
drwxr-xr-x@   9 root            wheel    288 21 Sep  2018 /usr
drwxr-xr-x  971 root            wheel  31072  4 Apr 10:25 /usr/bin
drwxr-xr-x   15 root            wheel    480 28 Apr 08:47 /usr/local
drwxrwxr-x  402 <myusername>    admin  12864 28 Apr 08:07 /usr/local/bin
drwxrwxr-x    4 <myusername>    admin    128 18 Apr 14:42 /usr/local/sbin
drwxr-xr-x  239 root            wheel   7648  4 Apr 10:25 /usr/sbin

Edit: I just broke my internets googling for "brew setuid /usr/local/bin".

@moovs
Copy link

moovs commented Nov 9, 2020

Simply adding this to your ~/.bash_profile on OSX does the trick:

export PATH=$PATH:/usr/local/sbin

Then to use it:

$ . ~/.bash_profile
$ sudo mtr www.google.com

why it works only with sudo?

@rewolff
Copy link
Collaborator

rewolff commented Nov 9, 2020

MTR needs low-level access to the packets flying around on the wire. The normal API: "Connect me to this website please" does not work to do the things that mtr needs to do. With such low-level access, you could also compromise the security of the local network (Some computers are configured to allow: "Hey there computerY, this is computerX, joe wants to login, you can trust me, I checked it is really joe") Low level access would allow you to fake/forge that conversation.

So for cases like this, the OS allows a program to be trusted to A) not allow such fakery and B) provide their own security measures. So a program like "ping" and "mtr" is installed "setuid root". It will obtain superuser privileges when started. It can then access all files, change essential system parameters and access the network in funny ways. These programs are then written so that they don't do any of the first few things, and only some funny things with the network. The "own security rules" are for example, repeating frequency not above 1x per second. The superuser can request such network-bogging requests, but normal users cannot.

If your mtr only works with sudo, then it is not fully installed with elevated privileges. Modern systems provide a slightly more restricted version of "setuid-root", so that the system operator does not need to trust mtr not to divulge other users' file contents. It has happened in the past that a program that required "setuid root" for networking stuff then had a bug that allowed a malicious user to abuse the "all files" permission. So nowadays these extra permissions are only assigned "as needed". If mtr were to have a bug that gave a hacker access to all mtr's privileges, then he'd be restricted to only the networking privileges. As less-and-less computers are configured to trust "computerX" on its word "Joe? Really? Prove it! " this is not as critical as it used to be. Still the potential for messing with things is there. Forging packets with "Hey, google here, your connection could not be serviced. Get lost!" is something that you'd be able to annoy other users with....

@moovs
Copy link

moovs commented Nov 9, 2020

MTR needs low-level access to the packets flying around on the wire. The normal API: "Connect me to this website please" does not work to do the things that mtr needs to do. With such low-level access, you could also compromise the security of the local network (Some computers are configured to allow: "Hey there computerY, this is computerX, joe wants to login, you can trust me, I checked it is really joe") Low level access would allow you to fake/forge that conversation.

So for cases like this, the OS allows a program to be trusted to A) not allow such fakery and B) provide their own security measures. So a program like "ping" and "mtr" is installed "setuid root". It will obtain superuser privileges when started. It can then access all files, change essential system parameters and access the network in funny ways. These programs are then written so that they don't do any of the first few things, and only some funny things with the network. The "own security rules" are for example, repeating frequency not above 1x per second. The superuser can request such network-bogging requests, but normal users cannot.

If your mtr only works with sudo, then it is not fully installed with elevated privileges. Modern systems provide a slightly more restricted version of "setuid-root", so that the system operator does not need to trust mtr not to divulge other users' file contents. It has happened in the past that a program that required "setuid root" for networking stuff then had a bug that allowed a malicious user to abuse the "all files" permission. So nowadays these extra permissions are only assigned "as needed". If mtr were to have a bug that gave a hacker access to all mtr's privileges, then he'd be restricted to only the networking privileges. As less-and-less computers are configured to trust "computerX" on its word "Joe? Really? Prove it! " this is not as critical as it used to be. Still the potential for messing with things is there. Forging packets with "Hey, google here, your connection could not be serviced. Get lost!" is something that you'd be able to annoy other users with....

gracefully thanks you!)

@jkldgoefgkljefogeg
Copy link

jkldgoefgkljefogeg commented Oct 21, 2021
edited
Loading

note that /usr/local/sbin/ needs to be in root's $PATH, I ended up also adding alias mtr='sudo -E mtr' to .bash_profile

host:~ $ which mtr
/usr/local/sbin/mtr
host:~ $ which mtr-packet
/usr/local/sbin/mtr-packet
host:~ $ sudo mtr 8.8.8.8
mtr: Failure to start mtr-packet: Invalid argument

host:~ $ sudo su
sh-3.2# echo $PATH
/usr/bin:/bin:/usr/sbin:/sbin

@holzschu holzschu mentioned this issue Jan 7, 2022
Closed
@aakashvarma
Copy link

aakashvarma commented Aug 23, 2022
edited
Loading

It was a permission issue. Do the following:

cd /usr/local/bin
sudo ln -s /usr/local/Cellar/mtr/0.95/sbin/mtr mtr
sudo ln -s /usr/local/Cellar/mtr/0.95/sbin/mtr-packet mtr-packet
sudo mtr < hostname>

this worked for me.

@holzschu holzschu mentioned this issue Mar 8, 2023
Closed
@powersj powersj mentioned this issue Apr 12, 2023
Open
@gaurav9822
Copy link

running it like sudo mtr www.google.com worked for me

@Olshansk
Copy link

alias mtr='sudo mtr'

I suggested adding the above to your .rc so you don't forget to always use sudo with mtr.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests