Re: make ping executable by normal users?
On Mon 06 Jun 2016 at 18:38:55 (+0200), Norbert Kiszka wrote:
> On 2016-06-06, Mon at 11:26 -0500, David Wright wrote:
> > On Mon 06 Jun 2016 at 18:11:27 (+0200), Norbert Kiszka wrote:
> > > On 2016-06-06, Mon at 11:00 -0500, David Wright wrote:
> > > > On Mon 06 Jun 2016 at 15:27:16 (+0000), Mark Fletcher wrote:
> > > > > On Mon, 6 Jun 2016 at 23:15, Santiago Vila <sanvila@unex.es> wrote:
> > > > >
> > > > > > On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > > > > > > Check your firewall rules.
> > > > > >
> > > > > > It can't be firewall rules. Try this to block outgoing ping:
> > > > > >
> > > > > > iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> > > > > >
> > > > > > then try to ping anywhere. You will get a different error message,
> > > > > > namely "Destination Port Unreachable".
> > > > > >
> > > > > > [ Why people do not read all messages in the thread before answering
> > > > > > is a mystery to me ].
> > > >
> > > > > No, that's not true, you definitely can get this very error due to
> > > > > something to do with the firewall, maybe it's not able to resolve the ping
> > > > > target rather than not able to reach the resulting host, I'm damned if I
> > > > > can remember the specifics but I've definitely seen this happen on an lfs
> > > > > box before and it was nothing to do with perms (as I said before, to your
> > > > > point about people not reading the whole thread...)
> > > >
> > > > I don't understand this argument.
> > > >
> > > > Why would ping bother to open a socket to a host it couldn't resolve?
> > > >
> > > > I know precious little about firewall rules, but AIUI the rules
> > > > determine whether to respond with things like Drop, Reject, Deny.
> > > > Now the OP didn't manage to open a socket; that's in the error message:
> > > > "ping: icmp open socket: Operation not permitted"
> > > > So how would ping find out how the firewall was going to react to its
> > > > ping message without opening a socket to send something?
> > >
> > > Did you change the Linux kernel, kernel modules or something lately?
> >
> > I now know even less about what you're talking about. I don't have a
> > problem. I have easily duplicated the OP's error message in the
> > following way:
> >
> > $ cp -ip /bin/ping /tmp
> > $ /tmp/ping alum.local
> > ping: icmp open socket: Operation not permitted
> > $ /sbin/getcap /tmp/ping
> > $ /sbin/getcap /bin/ping
> > /bin/ping = cap_net_raw+ep
> > $
> >
> > That's jessie. On wheezy:
> >
> > $ ls -l /bin/ping /tmp/ping
> > -rwsr-xr-x 1 root root 31104 Apr 12 2011 /bin/ping
> > -rwxr-xr-x 1 david david 31104 Apr 12 2011 /tmp/ping
>
> Show output of those commands:
>
> # iptables -L
> # lsmod
> $ uname -a
> $ cat /etc/issue
Gladly, though I think you're taking an unhealthy interest in *my* machine.

# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
#

Bear in mind that I rebooted after making the change posted in this thread,
so that change is lost.

$ lsmod
Module Size Used by
iptable_filter 12488 0
ip_tables 16975 1 iptable_filter
x_tables 17978 2 ip_tables,iptable_filter
ctr 12807 2
ccm 17361 2
snd_hrtimer 12540 1
snd_seq_midi 12744 0
snd_seq_midi_event 13124 1 snd_seq_midi
snd_rawmidi 22372 1 snd_seq_midi
snd_seq 51562 3 snd_seq_midi_event,snd_seq_midi
snd_seq_device 12980 3 snd_seq,snd_rawmidi,snd_seq_midi
bnep 17184 2
cpufreq_powersave 12422 0
cpufreq_userspace 12477 0
cpufreq_conservative 13872 0
cpufreq_stats 12694 0
nfsd 236959 2
auth_rpcgss 45765 1 nfsd
oid_registry 12387 1 auth_rpcgss
nfs_acl 12463 1 nfsd
nfs 168022 0
lockd 73443 2 nfs,nfsd
fscache 44782 1 nfs
sunrpc 211341 6 nfs,nfsd,auth_rpcgss,lockd,nfs_acl
joydev 16847 0
ecb 12649 1
btusb 25417 0
bluetooth 340064 21 bnep,btusb
6lowpan_iphc 16548 1 bluetooth
iTCO_wdt 12727 0
iTCO_vendor_support 12585 1 iTCO_wdt
snd_hda_codec_idt 48266 1
snd_hda_codec_generic 58021 2 snd_hda_codec_idt
arc4 12480 2
dell_wmi 12437 0
sparse_keymap 12730 1 dell_wmi
tg3 154678 0
iwl3945 53405 0
iwlegacy 53921 1 iwl3945
mac80211 425575 2 iwl3945,iwlegacy
snd_hda_intel 26023 0
ptp 17462 1 tg3
coretemp 12708 0
pps_core 17080 1 ptp
libphy 27468 1 tg3
snd_hda_controller 26262 1 snd_hda_intel
sdhci_pci 17697 0
snd_hda_codec 93797 4 snd_hda_codec_idt,snd_hda_codec_generic,snd_hda_intel,snd_hda_controller
cfg80211 350041 3 iwl3945,iwlegacy,mac80211
sdhci 34721 1 sdhci_pci
kvm 330411 0
pcmcia 44245 0
dell_laptop 16941 0
mmc_core 91803 2 sdhci,sdhci_pci
yenta_socket 38561 0
snd_hwdep 12906 1 snd_hda_codec
rfkill 18387 5 cfg80211,bluetooth,dell_laptop
psmouse 93505 0
snd_pcm_oss 44124 0
firewire_ohci 34856 0
dcdbas 13087 1 dell_laptop
pcmcia_rsrc 17292 1 yenta_socket
sg 25573 0
i2c_i801 16845 0
serio_raw 12737 0
snd_mixer_oss 21822 1 snd_pcm_oss
lpc_ich 16616 0
mfd_core 12537 1 lpc_ich
pcmcia_core 18024 3 pcmcia,pcmcia_rsrc,yenta_socket
uhci_hcd 38948 0
snd_pcm 78128 4 snd_pcm_oss,snd_hda_codec,snd_hda_intel,snd_hda_controller
shpchp 30673 0
ehci_pci 12464 0
tpm_tis 17063 0
snd_timer 26105 3 snd_hrtimer,snd_pcm,snd_seq
snd 55101 13 snd_pcm_oss,snd_hwdep,snd_timer,snd_hda_codec_idt,snd_pcm,snd_seq,snd_rawmidi,snd_hda_codec_generic,snd_hda_codec,snd_hda_intel,snd_seq_device,snd_mixer_oss
rng_core 12645 0
ehci_hcd 64933 1 ehci_pci
tpm 26879 1 tpm_tis
usbcore 171098 4 btusb,uhci_hcd,ehci_hcd,ehci_pci
usb_common 12408 1 usbcore
soundcore 12890 2 snd,snd_hda_codec
wmi 17147 1 dell_wmi
evdev 17136 4
battery 13164 0
ac 12627 0
acpi_cpufreq 17050 0
processor 27590 3 acpi_cpufreq
binfmt_misc 12733 1
loop 21987 0
firewire_sbp2 17533 0
firewire_core 51113 2 firewire_ohci,firewire_sbp2
crc_itu_t 12331 1 firewire_core
fuse 77496 1
parport_pc 26004 0
ppdev 16686 0
lp 12766 0
parport 35213 3 lp,ppdev,parport_pc
autofs4 34865 2
ext4 438464 3
crc16 12327 2 ext4,bluetooth
mbcache 17027 1 ext4
jbd2 72964 1 ext4
sd_mod 43684 5
crc_t10dif 12399 1 sd_mod
crct10dif_generic 12517 1
crct10dif_common 12340 2 crct10dif_generic,crc_t10dif
ata_generic 12450 0
ata_piix 29371 4
libata 161908 2 ata_generic,ata_piix
scsi_mod 164132 4 sg,libata,sd_mod,firewire_sbp2
i915 762655 1
i2c_algo_bit 12647 1 i915
drm_kms_helper 44450 1 i915
video 17763 1 i915
thermal 17343 0
button 12824 1 i915
drm 207686 3 i915,drm_kms_helper
i2c_core 36838 5 drm,i915,i2c_i801,drm_kms_helper,i2c_algo_bit
thermal_sys 27122 3 video,thermal,processor
$

Why root?

$ uname -a
Linux west 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) i686 GNU/Linux
$ cat /etc/issue
Debian GNU/Linux 8 \n \l
$

I don't think you'll learn much from that lot, but happy to oblige.

Cheers,
David.
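
An added example, not part of the thread or written by any of its participants: the `ls -l` and `getcap` checks quoted above, done in one pass by reading the setuid bit and decoding the `security.capability` xattr that `getcap` prints as `cap_net_raw+ep`. A result of "none" for a copied binary means the raw socket open is refused locally, before any packet reaches the firewall. The function names, the uid used in the test and the sample xattr bytes are constructed for illustration.

```python
import os
import stat
import struct

CAP_NET_RAW = 13                      # bit number in linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001    # the "e" in "+ep"
# xattr revision -> number of 32-bit (permitted, inheritable) pairs
REV_PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}

def decode_file_caps(blob):
    """Decode a security.capability xattr: (permitted, inheritable, effective)."""
    if len(blob) < 4:
        raise ValueError("truncated security.capability value")
    (magic,) = struct.unpack_from("<I", blob, 0)
    pairs = REV_PAIRS.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None or len(blob) < 4 + 8 * pairs:
        raise ValueError("unrecognised security.capability layout")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return permitted, inheritable, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)

def raw_socket_privilege(mode, uid, cap_blob):
    """Name the mechanism that would let this binary open a raw ICMP socket."""
    if mode & stat.S_ISUID and uid == 0:
        return "setuid-root"
    if cap_blob:
        permitted, _, effective = decode_file_caps(cap_blob)
        if effective and (permitted >> CAP_NET_RAW) & 1:
            return "cap_net_raw+ep"
    return "none"

def inspect(path):
    """Apply the check to a real file (Linux only: uses os.getxattr)."""
    st = os.stat(path)
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError:                   # no capability xattr on this file
        blob = None
    return raw_socket_privilege(st.st_mode, st.st_uid, blob)

# Constructed sample: revision-2 xattr equivalent to "cap_net_raw+ep".
SAMPLE_CAP_NET_RAW_EP = struct.pack("<IIIII", 0x02000001, 1 << CAP_NET_RAW, 0, 0, 0)

if __name__ == "__main__":
    for path in ("/bin/ping", "/tmp/ping"):   # paths used in the thread
        if os.path.exists(path):
            print(path, "->", inspect(path))
```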