[opensuse] Friday quiz - ping: socket: Operation not permitted
On Leap15 as a plain user:

per@discompi2:~> ping discompi3
ping: socket: Operation not permitted

With an strace -

socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = -1 EACCES (Permission denied)
socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)
socket(AF_INET6, SOCK_DGRAM, IPPROTO_ICMPV6) = -1 EACCES (Permission denied)
socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6) = -1 EPERM (Operation not permitted)

Nothing to be seen in apparmor.

--
Per Jessen, Zürich (21.2°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Fri, Jun 1, 2018 at 2:40 PM, Per Jessen <per@computer.org> wrote:
On Leap15 as a plain user:
per@discompi2:~> ping discompi3
ping: socket: Operation not permitted
With an strace -
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = -1 EACCES (Permission denied)
socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)
socket(AF_INET6, SOCK_DGRAM, IPPROTO_ICMPV6) = -1 EACCES (Permission denied)
socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6) = -1 EPERM (Operation not permitted)
Nothing to be seen in apparmor.
What does "getcap /usr/bin/ping" say? You may need to install libcap-progs.
Andrei Borzenkov wrote:
On Fri, Jun 1, 2018 at 2:40 PM, Per Jessen <per@computer.org> wrote:
On Leap15 as a plain user:
per@discompi2:~> ping discompi3
ping: socket: Operation not permitted
With an strace -
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = -1 EACCES (Permission denied)
socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)
socket(AF_INET6, SOCK_DGRAM, IPPROTO_ICMPV6) = -1 EACCES (Permission denied)
socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6) = -1 EPERM (Operation not permitted)
Nothing to be seen in apparmor.
What does "getcap /usr/bin/ping" say? You may need to install libcap-progs.
From one Leap15 test system (xen guest):

test150:~ # getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep

On the system where I see the problem:

discompi2:~ # getcap /usr/bin/ping
Failed to get capabilities of file `/usr/bin/ping' (Operation not supported)

(root is on NFS if that matters).

--
Per Jessen, Zürich (21.8°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On Fri, Jun 1, 2018 at 3:18 PM, Per Jessen <per@computer.org> wrote:
On the system where I see the problem:
discompi2:~ # getcap /usr/bin/ping
Failed to get capabilities of file `/usr/bin/ping' (Operation not supported)
(root is on NFS if that matters).
NFS does not support file capabilities. So it is either SUID root or sudo.
Andrei Borzenkov wrote:
On Fri, Jun 1, 2018 at 3:18 PM, Per Jessen <per@computer.org> wrote:
On the system where I see the problem:
discompi2:~ # getcap /usr/bin/ping
Failed to get capabilities of file `/usr/bin/ping' (Operation not supported)
(root is on NFS if that matters).
NFS does not support file capabilities. So it is either SUID root or sudo.
I would expect ping to be setuid, yes. Looking at test150 (with real disk), ping is setuid, whereas it clearly isn't on discompi1. Not a big problem, just interesting. Thanks for taking part in the quiz :-)

--
Per Jessen, Zürich (21.5°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Fri, Jun 1, 2018 at 3:34 PM, Per Jessen <per@computer.org> wrote:
I would expect ping to be setuid, yes.
Why? None of the default permissions files shipped with openSUSE makes ping SUID root.
Andrei Borzenkov wrote:
On Fri, Jun 1, 2018 at 3:34 PM, Per Jessen <per@computer.org> wrote:
I would expect ping to be setuid, yes.
Why? None of the default permissions files shipped with openSUSE makes ping SUID root.
Doesn't ping need a raw socket to do an ICMP?

/Per
On Fri, Jun 1, 2018 at 4:28 PM, Per Jessen <per@computer.org> wrote:
Andrei Borzenkov wrote:
On Fri, Jun 1, 2018 at 3:34 PM, Per Jessen <per@computer.org> wrote:
I would expect ping to be setuid, yes.
Why? None of the default permissions files shipped with openSUSE makes ping SUID root.
Doesn't ping need a raw socket to do an ICMP?
That's exactly what capability cap_net_raw allows.
Andrei Borzenkov wrote:
On Fri, Jun 1, 2018 at 4:28 PM, Per Jessen <per@computer.org> wrote:
Andrei Borzenkov wrote:
On Fri, Jun 1, 2018 at 3:34 PM, Per Jessen <per@computer.org> wrote:
I would expect ping to be setuid, yes.
Why? None of the default permissions files shipped with openSUSE makes ping SUID root.
Doesn't ping need a raw socket to do an ICMP?
That's exactly what capability cap_net_raw allows.
Ah right. So when file capabilities don't work on NFS, I'd have to make it setuid or use it as root?

/Per
On Fri, Jun 1, 2018 at 4:33 PM, Per Jessen <per@computer.org> wrote:
Andrei Borzenkov wrote:
On Fri, Jun 1, 2018 at 4:28 PM, Per Jessen <per@computer.org> wrote:
Andrei Borzenkov wrote:
On Fri, Jun 1, 2018 at 3:34 PM, Per Jessen <per@computer.org> wrote:
I would expect ping to be setuid, yes.
Why? None of the default permissions files shipped with openSUSE makes ping SUID root.
Doesn't ping need a raw socket to do an ICMP?
That's exactly what capability cap_net_raw allows.
Ah right. So when file capabilities don't work on NFS, I'd have to make it setuid or use it as root?
Exactly.
On 2018-06-01 15:36, Andrei Borzenkov wrote:
On Fri, Jun 1, 2018 at 4:33 PM, Per Jessen <per@computer.org> wrote:
Andrei Borzenkov wrote:
On Fri, Jun 1, 2018 at 4:28 PM, Per Jessen <per@computer.org> wrote:
Andrei Borzenkov wrote:
On Fri, Jun 1, 2018 at 3:34 PM, Per Jessen <per@computer.org> wrote:
I would expect ping to be setuid, yes.
Why? None of the default permissions files shipped with openSUSE makes ping SUID root.
Doesn't ping need a raw socket to do an ICMP?
That's exactly what capability cap_net_raw allows.
Ah right. So when file capabilities don't work on NFS, I'd have to make it setuid or use it as root?
Exactly.
I'm interested, I don't know what these "capabilities" are. Recently I wrote a utility for myself that needs to ping the router, and it fails unless it is run as root. Is there some other way, then?

--
Cheers / Saludos,
Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
On 2018-06-01 15:36, Andrei Borzenkov wrote:
On Fri, Jun 1, 2018 at 4:33 PM, Per Jessen <per@computer.org> wrote:
Andrei Borzenkov wrote:
On Fri, Jun 1, 2018 at 4:28 PM, Per Jessen <per@computer.org> wrote:
Andrei Borzenkov wrote:
On Fri, Jun 1, 2018 at 3:34 PM, Per Jessen <per@computer.org> wrote:
I would expect ping to be setuid, yes.
Why? None of the default permissions files shipped with openSUSE makes ping SUID root.
Doesn't ping need a raw socket to do an ICMP?
That's exactly what capability cap_net_raw allows.
Ah right. So when file capabilities don't work on NFS, I'd have to make it setuid or use it as root?
Exactly.
I'm interested, I don't know what these "capabilities" are.
Recently I wrote a utility for myself that needs to ping the router, and it fails unless it is run as root. Is there some other way, then?
man capabilities.

https://www.insecure.ws/linux/getcap_setcap.html#setting-getting-capabilitie...

--
Per Jessen, Zürich (19.0°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
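An added example for the question above (my code, not from the thread or from iputils): it probes both ICMP socket types the strace in the first message shows, interprets the two errno values the way the thread explains them (EACCES on the unprivileged SOCK_DGRAM socket, EPERM on SOCK_RAW without cap_net_raw), and checks whether CAP_NET_RAW is in the process's effective set by reading CapEff from /proc/self/status. The bit number 13 is CAP_NET_RAW from linux/capability.h; the net.ipv4.ping_group_range sysctl named in the diagnostic is the kernel knob that gates the SOCK_DGRAM ICMP socket, and is my addition, not something the thread mentions.

```c
/* Added example: diagnose why ping-style ICMP sockets fail for this user.
 * Linux only. Build: cc -o icmpprobe icmpprobe.c */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define CAP_NET_RAW_BIT 13   /* CAP_NET_RAW, from linux/capability.h */

/* Try to open an IPv4 ICMP socket of the given type; 0 on success, else errno. */
int probe_icmp(int type) {
    int fd = socket(AF_INET, type, IPPROTO_ICMP);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Translate (socket type, errno) into the cause seen in the thread's strace. */
const char *explain(int type, int err) {
    if (err == 0) return "ok";
    if (type == SOCK_DGRAM && err == EACCES)
        return "unprivileged ICMP socket denied: group not in net.ipv4.ping_group_range";
    if (type == SOCK_RAW && err == EPERM)
        return "raw socket needs CAP_NET_RAW (file capability; setuid root where "
               "file caps are unavailable, e.g. on NFS)";
    return strerror(err);
}

/* Given the hex CapEff value from /proc/self/status, is CAP_NET_RAW set? */
int capeff_has_net_raw(const char *hex) {
    unsigned long long caps = strtoull(hex, NULL, 16);  /* skips leading blanks */
    return (int)((caps >> CAP_NET_RAW_BIT) & 1ULL);
}

/* Read this process's CapEff line; -1 if /proc is not readable. */
int self_has_net_raw(void) {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int result = -1;
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "CapEff:", 7) == 0) { result = capeff_has_net_raw(line + 7); break; }
    fclose(f);
    return result;
}

int main(void) {
    int types[2] = { SOCK_DGRAM, SOCK_RAW };
    printf("CAP_NET_RAW in effective set: %d\n", self_has_net_raw());
    for (int i = 0; i < 2; i++) {
        int err = probe_icmp(types[i]);
        printf("%s: %s\n", types[i] == SOCK_DGRAM ? "SOCK_DGRAM" : "SOCK_RAW", explain(types[i], err));
    }
    return 0;
}
```

A utility that only needs to reach its router can prefer the SOCK_DGRAM path and fall back to SOCK_RAW, so it works without setuid wherever the group range allows it.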
On 2018-06-01 19:38, Per Jessen wrote:
Carlos E. R. wrote:
I'm interested, I don't know what these "capabilities" are.
Recently I wrote an utility for myself that needs to ping the router, and fails unless it is run as root. Is there some other way, then?
man capabilities.
https://www.insecure.ws/linux/getcap_setcap.html#setting-getting-capabilitie...
Thanks, I'll try my code with that :-)

--
Cheers / Saludos,
Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Ping works for me.

On 06/01/2018 07:40 AM, Per Jessen wrote:
On Leap15 as a plain user:
per@discompi2:~> ping discompi3
ping: socket: Operation not permitted
With an strace -
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = -1 EACCES (Permission denied)
socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)
socket(AF_INET6, SOCK_DGRAM, IPPROTO_ICMPV6) = -1 EACCES (Permission denied)
socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6) = -1 EPERM (Operation not permitted)
Nothing to be seen in apparmor.
James Knott wrote:
Ping works for me.
You likely have the right cap bit set:
filecap /usr/bin/ping
file                 capabilities
/usr/bin/ping        net_raw
participants (5)

- Andrei Borzenkov
- Carlos E. R.
- James Knott
- L A Walsh
- Per Jessen