
Re: make ping executable by normal users?



On Mon 06 Jun 2016 at 18:11:27 (+0200), Norbert Kiszka wrote:
> On Mon, 2016-06-06 at 11:00 -0500, David Wright wrote:
> > On Mon 06 Jun 2016 at 15:27:16 (+0000), Mark Fletcher wrote:
> > > On Mon, 6 Jun 2016 at 23:15, Santiago Vila <sanvila@unex.es> wrote:
> > > 
> > > > On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > > > > Check your firewall rules.
> > > >
> > > > It can't be firewall rules. Try this to block outgoing ping:
> > > >
> > > > iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> > > >
> > > > then try to ping anywhere. You will get a different error message,
> > > > namely "Destination Port Unreachable".
> > > >
> > > > [ Why people do not read all messages in the thread before answering
> > > >   is a mystery to me ].
> > 
> > > No, that's not true, you definitely can get this very error due to
> > > something to do with the firewall, maybe it's not able to resolve the ping
> > > target rather than not able to reach the resulting host, I'm damned if I
> > > can remember the specifics but I've definitely seen this happen on an lfs
> > > box before and it was nothing to do with perms (as I said before, to your
> > > point about people not reading the whole thread...)
> > 
> > I don't understand this argument.
> > 
> > Why would ping bother to open a socket to a host it couldn't resolve?
> > 
> > I know precious little about firewall rules, but AIUI the rules
> > determine whether to respond with things like Drop, Reject, Deny.
> > Now the OP didn't manage to open a socket; that's in the error message:
> > "ping: icmp open socket: Operation not permitted"
> > So how would ping find out how the firewall was going to react to its
> > ping message without opening a socket to send something?
> 
> Did you change the Linux kernel, kernel modules or something lately?

I now know even less about what you're talking about. I don't have a
problem. I have easily duplicated the OP's error message in the
following way:

$ cp -ip /bin/ping /tmp
$ /tmp/ping alum.local
ping: icmp open socket: Operation not permitted
$ /sbin/getcap /tmp/ping 
$ /sbin/getcap /bin/ping 
/bin/ping = cap_net_raw+ep
$ 

That's jessie. On wheezy:

$ ls -l /bin/ping /tmp/ping
-rwsr-xr-x 1 root  root  31104 Apr 12  2011 /bin/ping
-rwxr-xr-x 1 david david 31104 Apr 12  2011 /tmp/ping

Cheers,
David.
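
The difference the `getcap` and `ls -l` output above points to, as an added example that is not part of the original message: this Python sketch decodes the `security.capability` extended attribute that `getcap` reads and reports whether a binary gets `CAP_NET_RAW` from a file capability, from setuid root, or not at all. The function names and the sample blob are constructed for illustration; the constants follow the kernel's `linux/capability.h`.

```python
import os
import stat
import struct

CAP_NET_RAW = 13                   # bit number from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# Blob size in bytes for each on-disk revision of struct vfs_cap_data
XATTR_SIZE = {0x01000000: 12, 0x02000000: 20, 0x03000000: 24}


def decode_file_caps(blob):
    """Decode a security.capability xattr into (permitted, inheritable, effective)."""
    if len(blob) < 4:
        raise ValueError("truncated capability xattr")
    (magic_etc,) = struct.unpack_from("<I", blob)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if XATTR_SIZE.get(revision) != len(blob):
        raise ValueError("unknown revision or wrong length")
    permitted, inheritable = struct.unpack_from("<II", blob, 4)
    if revision != 0x01000000:     # revisions 2 and 3 carry a second 32-bit pair
        hi_p, hi_i = struct.unpack_from("<II", blob, 12)
        permitted |= hi_p << 32
        inheritable |= hi_i << 32
    return permitted, inheritable, bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)


def raw_socket_privilege(path):
    """Report how `path` would obtain CAP_NET_RAW when run by a normal user."""
    st = os.stat(path)
    if st.st_mode & stat.S_ISUID and st.st_uid == 0:
        return "setuid-root"       # the wheezy arrangement (-rwsr-xr-x root)
    try:
        blob = os.getxattr(path, "security.capability")
    except (OSError, AttributeError):  # no xattr, unsupported fs, or non-Linux
        return "none"
    permitted, _, effective = decode_file_caps(blob)
    if effective and (permitted >> CAP_NET_RAW) & 1:
        return "cap_net_raw+ep"    # the jessie arrangement
    return "none"


# Constructed sample: a revision 2 blob equivalent to "cap_net_raw+ep"
SAMPLE = struct.pack("<IIIII", 0x02000001, 1 << CAP_NET_RAW, 0, 0, 0)

if __name__ == "__main__":
    for p in ("/bin/ping", "/tmp/ping"):
        if os.path.exists(p):
            print(p, raw_socket_privilege(p))
```
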

