
Re: make ping executable by normal users?



On Mon 06 Jun 2016 at 19:26:04 (+0300), Reco wrote:
> On Mon, Jun 06, 2016 at 11:14:11AM -0500, David Wright wrote:
> > On Mon 06 Jun 2016 at 18:47:30 (+0300), Reco wrote:
> > > On Mon, Jun 06, 2016 at 03:57:47PM +0200, Santiago Vila wrote:
> > > > On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > > > > Check your firewall rules.
> > > > 
> > > > It can't be firewall rules. Try this to block outgoing ping:
> > > > 
> > > > iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> > > > 
> > > > then try to ping anywhere. You will get a different error message,
> > > > namely "Destination Port Unreachable".
> > > 
> > > But if you transform the rule in question a little, like this:
> > > 
> > > iptables -I OUTPUT -p icmp --icmp-type echo-request \
> > > 	-j REJECT --reject-with icmp-admin-prohibited
> > > 
> > > ping will respond with 'Operation not permitted'. An exact wording of the
> > > message seems to depend on actual ping implementation.
> > > 
> > > So, checking firewall rules is a valid advice. It's just this particular
> > > problem happens due to lack of file capabilities.
> > 
> > # iptables -I OUTPUT -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-admin-prohibited
> > 
> > $ ping alum.local
> > PING alum.local (192.168.1.19) 56(84) bytes of data.
> > From 192.168.1.15 icmp_seq=1 Packet filtered
> > From 192.168.1.15 icmp_seq=1 Packet filtered
> > From 192.168.1.15 icmp_seq=1 Packet filtered
> > From 192.168.1.15 icmp_seq=1 Packet filtered
> > From 192.168.1.15 icmp_seq=1 Packet filtered
> > From 192.168.1.15 icmp_seq=1 Packet filtered
> > From 192.168.1.15 icmp_seq=1 Packet filtered
> > From 192.168.1.15 icmp_seq=1 Packet filtered
> > From 192.168.1.15 icmp_seq=1 Packet filtered
> > From 192.168.1.15 icmp_seq=1 Packet filtered
> > From 192.168.1.15 icmp_seq=1 Packet filtered
> > ping: sendmsg: Operation not permitted
> > ping: recvmsg: No route to host
> > ping: recvmsg: No route to host
> > ping: recvmsg: No route to host
> > ping: recvmsg: No route to host
> > ping: recvmsg: No route to host
> > [ad infinitum]
> 
> As I wrote earlier - it depends on the implementation of a ping. For me
> it looks like this:
> 
> $ dpkg -S $(which ping)
> iputils-ping: /bin/ping
> $ ping -c2 localhost
> PING localhost (127.0.0.1) 56(84) bytes of data.
> ping: sendmsg: Operation not permitted
> ping: sendmsg: Operation not permitted
> <long hang>
> ^C
> --- localhost ping statistics ---
> 2 packets transmitted, 0 received, 100% packet loss, time 1007ms

But the OP's error message was
"ping: icmp open socket: Operation not permitted"
and not
"ping: sendmsg: Operation not permitted"

Cheers,
David.
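
The distinction drawn in this thread, as an added example that is not part of any poster's message: the call named in ping's error text shows which layer refused the operation, and for the socket-open case the binary's setuid bit or file capabilities are what to check. The function names and the sample strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a ping "Operation not permitted" failure.
# Usage: triage "$(ping -c1 somehost 2>&1)" "$(command -v ping)"

# Map the failing call named in ping's error text to the layer that refused it.
classify_ping_error() {
    case "$1" in
        *"icmp open socket: Operation not permitted"*)
            echo "socket-privilege" ;;  # socket() refused: binary lacks privilege
        *"sendmsg: Operation not permitted"*)
            echo "packet-filter" ;;     # socket opened, send refused: check OUTPUT rules
        *)
            echo "unknown" ;;
    esac
}

# Report how a binary could open a raw socket for an unprivileged user.
# $1 = mode string (stat -c %A), $2 = owner uid, $3 = getcap output (may be empty)
raw_socket_privilege() {
    mode=$1 owner=$2 caps=$3
    case "$caps" in
        *cap_net_raw*) echo "file-capability"; return 0 ;;
    esac
    case "$mode" in
        # An 's' in the owner-execute slot is the setuid bit; it only helps if root owns the file.
        ???s*) if [ "$owner" = "0" ]; then echo "setuid-root"; return 0; fi ;;
    esac
    echo "none"
}

# Combine both checks for a captured error message and a ping binary path.
triage() {
    msg=$1 bin=$2
    kind=$(classify_ping_error "$msg")
    echo "error class: $kind"
    if [ "$kind" = "socket-privilege" ] && [ -e "$bin" ]; then
        caps=$(getcap "$bin" 2>/dev/null || true)
        priv=$(raw_socket_privilege "$(stat -c %A "$bin")" "$(stat -c %u "$bin")" "$caps")
        echo "$bin raw-socket privilege: $priv"
    fi
}
```

A result of `none` for the ping binary matches the "icmp open socket" symptom, while a `packet-filter` class points at the iptables OUTPUT chain instead.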

