18

As far as I know, ping needs to create a raw socket (which needs either root access or cap_net_raw capabilities).

From my understanding the trend these last years has been to remove setuid binaries and replaced them with capabilities.

However when I look at the ping binary on my Fedora 32, it doesn't look to have any:

$ ls -la $(which ping)
-rwxr-xr-x. 1 root root 82960 May 18 10:26 /usr/bin/ping
$ sudo getcap -v $(which ping)
/usr/bin/ping
$

Does ping need to open raw socket on fedora? Or is there another way to give it the permission to open a raw socket?

Glorfindel
  • 805
  • 2
  • 10
  • 19
Antoine Catton
  • 309
  • 2
  • 10

2 Answers2

19

I think https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange answers your question:

Enable the Linux kernel's net.ipv4.ping_group_range parameter to cover all groups. This will let all users on the operating system create ICMP Echo sockets without using setuid binaries, or having the CAP_NET_ADMIN and CAP_NET_RAW file capabilities.

Cross-reference detail

  • Targeted release: Fedora 31
  • Last updated: 2019-08-13
  • Tracker bug: #1740809
  • Release notes tracker: #376

The sysctl documentation writes,

ping_group_range - 2 INTEGERS

Restrict ICMP_PROTO datagram sockets to users in the group range. The default is "1 0", meaning, that nobody (not even root) may create ping sockets. Setting it to "100 100" would grant permissions to the single group. "0 4294967295" would enable it for the world, "100 4294967295" would enable it for the users, but not daemons.

An older code example demonstrates the use of this feature, and in particular shows that a socket is created with the IPPROTO_ICMP flag to identify that it will be used for raw ICMP

int sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)
roaima
  • 107,089
  • 14
  • 139
  • 261
  • How does this work? I've done no investigation into this, but I would have thought that attempting to create a raw socket without CAP_NET_RAW would fail, which would give the kernel no opportunity to selectively permit a program to generate ICMP Echo packets because the program would fail before it gets that far. Is there a separate syscall to send Echo Request? Or does the kernel allow anyone to open a raw socket then check permissions only when a read or write is attempted? – user3553031 Jun 16 '20 at 08:11
  • @user3553031 answer updated – roaima Jun 16 '20 at 08:43
  • Ah, it doesn't use a raw socket. I didn't realize that there was a separate option for sending ICMP from userspace. – user3553031 Sep 02 '20 at 22:55
12

from Fedora 31 the kernel parameter net.ipv4.ping_group_range has been set to cover all groups.

This will let all users on the operating system create ICMP Echo sockets without using setuid binaries, or having the CAP_NET_ADMIN and CAP_NET_RAW file capabilities.

sysctl net.ipv4.ping_group_range

net.ipv4.ping_group_range = 0   2147483647
binarysta
  • 2,912
  • 10
  • 14