
Re: make ping executable by normal users?
On Mon, Jun 06, 2016 at 11:14:11AM -0500, David Wright wrote:
> On Mon 06 Jun 2016 at 18:47:30 (+0300), Reco wrote:
> > On Mon, Jun 06, 2016 at 03:57:47PM +0200, Santiago Vila wrote:
> > > On Mon, Jun 06, 2016 at 10:06:54AM +1200, Jan Bakuwel wrote:
> > > > Check your firewall rules.
> > > 
> > > It can't be firewall rules. Try this to block outgoing ping:
> > > 
> > > iptables -A OUTPUT -p icmp --icmp-type echo-request -j REJECT
> > > 
> > > then try to ping anywhere. You will get a different error message,
> > > namely "Destination Port Unreachable".
> > 
> > But if you transform the rule in question a little, like this:
> > 
> > iptables -I OUTPUT -p icmp --icmp-type echo-request \
> > 	-j REJECT --reject-with icmp-admin-prohibited
> > 
> > ping will respond with 'Operation not permitted'. The exact wording of the
> > message seems to depend on the actual ping implementation.
> > 
> > So, checking firewall rules is valid advice. It's just that this particular
> > problem happens due to a lack of file capabilities.
> 
> # iptables -I OUTPUT -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-admin-prohibited
> 
> $ ping alum.local
> PING alum.local (192.168.1.19) 56(84) bytes of data.
> From 192.168.1.15 icmp_seq=1 Packet filtered
> From 192.168.1.15 icmp_seq=1 Packet filtered
> From 192.168.1.15 icmp_seq=1 Packet filtered
> From 192.168.1.15 icmp_seq=1 Packet filtered
> From 192.168.1.15 icmp_seq=1 Packet filtered
> From 192.168.1.15 icmp_seq=1 Packet filtered
> From 192.168.1.15 icmp_seq=1 Packet filtered
> From 192.168.1.15 icmp_seq=1 Packet filtered
> From 192.168.1.15 icmp_seq=1 Packet filtered
> From 192.168.1.15 icmp_seq=1 Packet filtered
> From 192.168.1.15 icmp_seq=1 Packet filtered
> ping: sendmsg: Operation not permitted
> ping: recvmsg: No route to host
> ping: recvmsg: No route to host
> ping: recvmsg: No route to host
> ping: recvmsg: No route to host
> ping: recvmsg: No route to host
> [ad infinitum]

As I wrote earlier - it depends on the implementation of ping. For me
it looks like this:

$ dpkg -S $(which ping)
iputils-ping: /bin/ping
$ ping -c2 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
<long hang>
^C
--- localhost ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1007ms

Reco
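The thread's practical lesson is that "ping: sendmsg: Operation not permitted" has two common causes that look the same from the user's side: the ping binary has neither the setuid bit nor the cap_net_raw file capability, or an OUTPUT rule rejects echo requests with icmp-admin-prohibited. The script below is an added example, not something posted in the thread or shipped by iputils or Debian; it checks the binary first (via getcap) and only then the OUTPUT chain, so an admin does not go hunting through firewall rules when the fix is a missing capability. The function names, the getcap and `iptables -S` line formats it parses, and the sample rule strings are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: tell "ping lacks file capabilities"
# apart from "ping is blocked by an OUTPUT rule". Both can end in
# "ping: sendmsg: Operation not permitted", as the thread shows.
# Function names and the getcap/iptables line formats parsed here are this
# example's own assumptions.

# Return 0 if a getcap(8) output line grants cap_net_raw in both the
# permitted and effective sets (the "+ep" Debian sets on /bin/ping).
# Accepts both formats libcap has printed over the years:
#   /bin/ping = cap_net_raw+ep      (older libcap)
#   /bin/ping cap_net_raw=ep        (newer libcap)
caps_grant_net_raw() {
    # Drop the path and the optional " = " so only capability clauses remain.
    clauses=$(printf '%s\n' "$1" | sed 's/^[^ ]* *=* *//')
    for clause in $clauses; do
        case $clause in
            *cap_net_raw*)
                flags=${clause##*[+=]}          # letters after the last '+' or '='
                case $flags in
                    *e*p*|*p*e*) return 0 ;;   # effective and permitted both set
                esac
                ;;
        esac
    done
    return 1
}

# Return 0 if one "iptables -S OUTPUT" line (or a rule as typed on the
# command line) rejects or drops ICMP echo requests. A rule with no
# --icmp-type matches all ICMP, so it counts too.
rule_blocks_echo_request() {
    rule=$1
    case $rule in *"-p icmp"*) ;; *) return 1 ;; esac
    case $rule in *"-j REJECT"*|*"-j DROP"*) ;; *) return 1 ;; esac
    icmp_type=$(printf '%s\n' "$rule" | sed -n 's/.*--icmp-type \([^ ]*\).*/\1/p')
    case $icmp_type in
        ''|8|8/*|echo-request) return 0 ;;   # "iptables -S" prints 8, humans type echo-request
        *) return 1 ;;
    esac
}

# Run both checks against the live system. The capability check needs getcap;
# the firewall check needs root and iptables, and is skipped otherwise.
diagnose_ping() {
    bin=$(command -v ping) || { echo "ping: not found in PATH"; return 2; }
    if [ -u "$bin" ]; then
        echo "$bin is setuid: raw sockets work for any user"
    elif command -v getcap >/dev/null 2>&1 &&
         caps_grant_net_raw "$(getcap "$bin" 2>/dev/null)"; then
        echo "$bin carries cap_net_raw+ep: raw sockets work for any user"
    else
        echo "$bin has neither setuid nor cap_net_raw+ep: expect 'Operation not permitted'"
        echo "  fix as root: setcap cap_net_raw+ep $bin"
    fi
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        iptables -S OUTPUT 2>/dev/null | while IFS= read -r rule; do
            if rule_blocks_echo_request "$rule"; then
                echo "OUTPUT rule also blocks echo-request: $rule"
            fi
        done
    else
        echo "(not root or no iptables: OUTPUT chain not checked)"
    fi
}

# Only touch the live system when invoked as: sh diagnose_ping.sh --run
case ${1:-} in --run) diagnose_ping ;; esac
```

Run it as `sh diagnose_ping.sh --run` on the affected machine. If the capability check fails, the `setcap` line it prints is the same thing the iputils-ping package applies at install time, and the firewall can be ruled out before touching it; if the capability check passes and the OUTPUT chain lists a matching REJECT or DROP, the firewall is the cause after all, which matches the thread's conclusion that both explanations are valid and only the combination of symptoms tells them apart.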

