
Re: make ping executable by normal users?



On Mon, Jun 06, 2016 at 11:29:52AM -0500, David Wright wrote:
> On Mon 06 Jun 2016 at 19:26:04 (+0300), Reco wrote:
> > On Mon, Jun 06, 2016 at 11:14:11AM -0500, David Wright wrote:
> > > On Mon 06 Jun 2016 at 18:47:30 (+0300), Reco wrote:
> > > > On Mon, Jun 06, 2016 at 03:57:47PM +0200, Santiago Vila wrote:
> > > > > On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > > > > > Check your firewall rules.
> > > > > 
> > > > > It can't be firewall rules. Try this to block outgoing ping:
> > > > > 
> > > > > iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> > > > > 
> > > > > then try to ping anywhere. You will get a different error message,
> > > > > namely "Destination Port Unreachable".
> > > > 
> > > > But if you transform the rule in question a little, like this:
> > > > 
> > > > iptables -I OUTPUT -p icmp --icmp-type echo-request \
> > > > 	-j REJECT --reject-with icmp-admin-prohibited
> > > > 
> > > > ping will respond with 'Operation not permitted'. The exact wording of the
> > > > message seems to depend on the actual ping implementation.
> > > > 
> > > > So, checking firewall rules is valid advice. It's just that this particular
> > > > problem happens due to a lack of file capabilities.
> > > 
> > > # iptables -I OUTPUT -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-admin-prohibited
> > > 
> > > $ ping alum.local
> > > PING alum.local (192.168.1.19) 56(84) bytes of data.
> > > From 192.168.1.15 icmp_seq=1 Packet filtered
> > > From 192.168.1.15 icmp_seq=1 Packet filtered
> > > From 192.168.1.15 icmp_seq=1 Packet filtered
> > > From 192.168.1.15 icmp_seq=1 Packet filtered
> > > From 192.168.1.15 icmp_seq=1 Packet filtered
> > > From 192.168.1.15 icmp_seq=1 Packet filtered
> > > From 192.168.1.15 icmp_seq=1 Packet filtered
> > > From 192.168.1.15 icmp_seq=1 Packet filtered
> > > From 192.168.1.15 icmp_seq=1 Packet filtered
> > > From 192.168.1.15 icmp_seq=1 Packet filtered
> > > From 192.168.1.15 icmp_seq=1 Packet filtered
> > > ping: sendmsg: Operation not permitted
> > > ping: recvmsg: No route to host
> > > ping: recvmsg: No route to host
> > > ping: recvmsg: No route to host
> > > ping: recvmsg: No route to host
> > > ping: recvmsg: No route to host
> > > [ad infinitum]
> > 
> > As I wrote earlier - it depends on the implementation of ping. For me
> > it looks like this:
> > 
> > $ dpkg -S $(which ping)
> > iputils-ping: /bin/ping
> > $ ping -c2 localhost
> > PING localhost (127.0.0.1) 56(84) bytes of data.
> > ping: sendmsg: Operation not permitted
> > ping: sendmsg: Operation not permitted
> > <long hang>
> > ^C
> > --- localhost ping statistics ---
> > 2 packets transmitted, 0 received, 100% packet loss, time 1007ms
> 
> But the OP's error message was
> "ping: icmp open socket: Operation not permitted"
> and not
> "ping: sendmsg: Operation not permitted"

Yes, and "aptitude search '~nping'" shows 41 results for me (42 actually
if you count busybox).
I'm somewhat too lazy to test each and every implementation of ping to check
which one fails in 'icmp open socket' instead of 'sendmsg'.

So, my point is - it's entirely possible to get EPERM in ping by
misconfiguring iptables. I agree that it's also possible to get EPERM in
ping by denying it CAP_NET_RAW capability.

Reco
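An added diagnostic, not code from the thread, that makes the distinction above concrete: it probes the two syscalls where ping can hit EPERM, so a failure in socket() (the OP's "icmp open socket" message, i.e. no CAP_NET_RAW on the binary) can be told apart from a failure in sendto() (the "sendmsg" message, i.e. a netfilter REJECT). It assumes the raw-socket (SOCK_RAW) code path and a loopback destination.

```c
/* Added example, not code from the thread: probe the two syscalls where ping can hit EPERM.
 * Assumes the raw-socket (SOCK_RAW) code path and a loopback destination. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum stage { STAGE_OK = 0, STAGE_SOCKET = 1, STAGE_SEND = 2 };

const char *explain(int stage, int err)
{
    if (stage == STAGE_OK) return "raw ICMP socket opened, echo request accepted";
    if (stage == STAGE_SOCKET && err == EPERM)
        return "socket(): no CAP_NET_RAW - check file capability/setuid on the ping binary";
    if (stage == STAGE_SEND && err == EPERM)
        return "sendto(): netfilter REJECT on OUTPUT (e.g. --reject-with icmp-admin-prohibited)";
    return strerror(err);
}

/* RFC 1071 one's-complement checksum over the ICMP header. */
static unsigned short csum(const void *buf, size_t n)
{
    const unsigned short *p = buf;
    unsigned long s = 0;
    for (; n > 1; n -= 2) s += *p++;
    if (n) s += *(const unsigned char *)p;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (unsigned short)~s;
}

/* Open a raw ICMP socket and send one echo request to 127.0.0.1.
 * Returns the stage that failed (STAGE_OK if none); its errno goes to *err. */
int probe_icmp(int *err)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0) { *err = errno; return STAGE_SOCKET; }  /* ping: "icmp open socket: ..." */
    struct icmphdr hdr = { .type = ICMP_ECHO };
    hdr.un.echo.id = htons((unsigned short)getpid());
    hdr.un.echo.sequence = htons(1);
    hdr.checksum = csum(&hdr, sizeof hdr);
    struct sockaddr_in dst = { .sin_family = AF_INET };
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    ssize_t n = sendto(fd, &hdr, sizeof hdr, 0, (struct sockaddr *)&dst, sizeof dst);
    *err = n < 0 ? errno : 0;                           /* ping: "sendmsg: ..." */
    close(fd);
    return n < 0 ? STAGE_SEND : STAGE_OK;
}
```

Run it once as an unprivileged user (expect the socket() stage) and once with the capability or setuid bit in place but the REJECT rule loaded (expect the sendto() stage).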

