My three computers have the Leap 15.3 operating system. On one of them, only root can invoke ping. When a normal user tries to do so, ping is not executed, but this error message is displayed:

ping: socket: Operation not permitted

What does it mean? Any remedy?

Best regards,
Wolfgang
On Wed, 18 Aug 2021 at 15:08:07 +0200, Philippe Andersson wrote:
> (I don't use 15.3 yet, so my answer is based on 15.2)
> ping needs special "capabilities" to be called by a regular user. These are defined in /etc/permissions.easy (unless you changed the default security level).
> To re-apply the required capabilities, type:
> # chkstat --system /usr/bin/ping

Thank you a lot, Philippe! I typed the chkstat command, and ping works again without groans.

> (as root, obviously). You may need to do the same for 'ping6'.

That was not necessary.

> Also, there are now many more utilities that rely on these capabilities (check 'permissions.easy' to find out which), so you should also make sure the other files are OK.

I do not know how to check 'permissions.easy', but I think it is not necessary since ping works perfectly.

Thank you again and best regards,
Wolfgang
On 18/08/2021 21.52, Wolfgang Mueller wrote:
> On Wed, 18 Aug 2021 at 15:08:07 +0200, Philippe Andersson wrote:
>> Also, there are now many more utilities that rely on these capabilities (check 'permissions.easy' to find out which), so you should also make sure the other files are OK.
> I do not know how to check 'permissions.easy', but I think it is not necessary since ping works perfectly.

It affects way more than ping.

The active security level is configured in /etc/sysconfig/security:

PERMISSION_SECURITY="easy local"

That is the default.

chkstat --warn --system

this verifies but does not change the permissions. To change them, do:

chkstat --system

I think there is a cron job or timer that verifies them periodically.

--
Cheers / Saludos,
Carlos E. R.
(from 15.2 x86_64 at Telcontar)
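
One way to follow the advice above to check 'permissions.easy', as an added example that is not part of any message in this thread: the script lists which profile entries carry a `+capabilities` line and flags files that currently have no file capabilities. The profile layout (path, owner:group, mode, optional `+capabilities` line) is assumed from permissions(5); the sample profile, the `example-*` paths and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed profile layout (permissions(5)):
#   <path> <owner>:<group> <mode>
#    +capabilities <caps>      <- optional line belonging to the entry above

# Constructed sample input; the two example-* paths are hypothetical.
sample_profile() {
cat <<'EOF'
# constructed excerpt, not copied from a real system
/usr/bin/ping               root:root  0755
 +capabilities cap_net_raw=ep
/usr/bin/example-tool       root:root  0755
/usr/sbin/example-probe     root:root  0750
 +capabilities cap_net_raw,cap_net_admin=ep
EOF
}

# Print "<path> <caps>" for every entry that carries a +capabilities line.
# Reads the named profile files, or stdin when none are given.
list_cap_entries() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }      # comments and blank lines
        $1 == "+capabilities" { if (path != "") print path, $2; next }
        { path = $1 }                             # ordinary entry line
    ' "$@"
}

# Print entries whose file exists but currently has no file capabilities.
# Returns 2 when getcap (libcap tools) is not installed, so that a missing
# tool is never mistaken for missing capabilities.
missing_caps() {
    command -v getcap >/dev/null 2>&1 || { echo "getcap not found" >&2; return 2; }
    list_cap_entries "$@" | while read -r path caps; do
        [ -e "$path" ] || continue
        [ -n "$(getcap "$path" 2>/dev/null)" ] || echo "$path expected $caps"
    done
}

# Stand-alone run: list the capability-bearing entries of the sample.
sample_profile | list_cap_entries
```

On a system laid out as described in the thread, `list_cap_entries /etc/permissions.easy` shows which utilities depend on capabilities; `chkstat --warn --system` remains the authoritative check.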
On Wed, 18 Aug 2021 at 22:40:22 +0200, Carlos E. R. wrote:
> On 18/08/2021 21.52, Wolfgang Mueller wrote:
>> On Wed, 18 Aug 2021 at 15:08:07 +0200, Philippe Andersson wrote:
>>> [...] Also, there are now many more utilities that rely on these capabilities (check 'permissions.easy' to find out which), so you should also make sure the other files are OK.
>> I do not know how to check 'permissions.easy', but I think it is not necessary since ping works perfectly.
> It affects way more than ping.
> The active security level is configured in /etc/sysconfig/security:
> PERMISSION_SECURITY="easy local"
> That is the default.
> chkstat --warn --system
> this verifies but does not change the permissions. To change them, do:
> chkstat --system
> I think there is a cron job or timer that verifies them periodically.

These are the only non-comment lines of my /etc/sysconfig/security:

PERMISSION_SECURITY="easy local"
PERMISSION_FSCAPS=""
CHECK_POLKIT_PRIVS=""
POLKIT_DEFAULT_PRIVS=""
CHECK_SIGNATURES=yes

I think there is no necessity to modify any of them.

Best regards,
Wolfgang
On 19/08/2021 12.02, Wolfgang Mueller wrote:
> On Wed, 18 Aug 2021 at 22:40:22 +0200, Carlos E. R. wrote:
>> On 18/08/2021 21.52, Wolfgang Mueller wrote:
>>> On Wed, 18 Aug 2021 at 15:08:07 +0200, Philippe Andersson wrote:
>>>> [...] Also, there are now many more utilities that rely on these capabilities (check 'permissions.easy' to find out which), so you should also make sure the other files are OK.
>>> I do not know how to check 'permissions.easy', but I think it is not necessary since ping works perfectly.
>> It affects way more than ping.
>> The active security level is configured in /etc/sysconfig/security:
>> PERMISSION_SECURITY="easy local"
>> That is the default.
>> chkstat --warn --system
>> this verifies but does not change the permissions. To change them, do:
>> chkstat --system
>> I think there is a cron job or timer that verifies them periodically.
> These are the only non-comment lines of my /etc/sysconfig/security:
> PERMISSION_SECURITY="easy local"
> PERMISSION_FSCAPS=""
> CHECK_POLKIT_PRIVS=""
> POLKIT_DEFAULT_PRIVS=""
> CHECK_SIGNATURES=yes
> I think there is no necessity to modify any of them.

Ah, found the reference. See:

<https://lists.opensuse.org/archives/list/users@lists.opensuse.org/message/RISSI3GOF3KENWEF2D3AVWJX7ZJMNXT4/>

--
Cheers / Saludos,
Carlos E. R.
(from 15.2 x86_64 at Telcontar)
On 2021-08-19 06:02, Wolfgang Mueller wrote:
> On Wed, 18 Aug 2021 at 22:40:22 +0200, Carlos E. R. wrote:
>> On 18/08/2021 21.52, Wolfgang Mueller wrote:
>>> On Wed, 18 Aug 2021 at 15:08:07 +0200, Philippe Andersson wrote:
>>>> [...] Also, there are now many more utilities that rely on these capabilities (check 'permissions.easy' to find out which), so you should also make sure the other files are OK.
>>> I do not know how to check 'permissions.easy', but I think it is not necessary since ping works perfectly.
>> It affects way more than ping.
>> The active security level is configured in /etc/sysconfig/security:
>> PERMISSION_SECURITY="easy local"
>> That is the default.
>> chkstat --warn --system
>> this verifies but does not change the permissions. To change them, do:
>> chkstat --system
>> I think there is a cron job or timer that verifies them periodically.
> These are the only non-comment lines of my /etc/sysconfig/security:
> PERMISSION_SECURITY="easy local"
> PERMISSION_FSCAPS=""
> CHECK_POLKIT_PRIVS=""
> POLKIT_DEFAULT_PRIVS=""
> CHECK_SIGNATURES=yes
> I think there is no necessity to modify any of them.

No, but you might want to modify /etc/permissions.local for any one of a number of reasons.

There is also /etc/permissions.d/ I have postfix there, but I'm not sure how to alter PERMISSION_SECURITY to take note of it.

--
“Reality is so complex, we must move away from dogma, whether it’s conspiracy theories or free-market,”
-- James Glattfelder. http://jth.ch/jbg
On 19/08/2021 13.38, Anton Aylward wrote:
> On 2021-08-19 06:02, Wolfgang Mueller wrote:
>> On Wed, 18 Aug 2021 at 22:40:22 +0200, Carlos E. R. wrote:
>>> On 18/08/2021 21.52, Wolfgang Mueller wrote:
>>>> On Wed, 18 Aug 2021 at 15:08:07 +0200, Philippe Andersson wrote:
>>>>> [...] Also, there are now many more utilities that rely on these capabilities (check 'permissions.easy' to find out which), so you should also make sure the other files are OK.
>>>> I do not know how to check 'permissions.easy', but I think it is not necessary since ping works perfectly.
>>> It affects way more than ping.
>>> The active security level is configured in /etc/sysconfig/security:
>>> PERMISSION_SECURITY="easy local"
>>> That is the default.
>>> chkstat --warn --system
>>> this verifies but does not change the permissions. To change them, do:
>>> chkstat --system
>>> I think there is a cron job or timer that verifies them periodically.
>> These are the only non-comment lines of my /etc/sysconfig/security:
>> PERMISSION_SECURITY="easy local"
>> PERMISSION_FSCAPS=""
>> CHECK_POLKIT_PRIVS=""
>> POLKIT_DEFAULT_PRIVS=""
>> CHECK_SIGNATURES=yes
>> I think there is no necessity to modify any of them.
> No, but you might want to modify /etc/permissions.local for any one of a number of reasons.
> There is also /etc/permissions.d/ I have postfix there, but I'm not sure how to alter PERMISSION_SECURITY to take note of it.

When you run "chkstat --system" it takes note of it.

What I have not found is if there is a cron job or systemd timer that checks.

I know that there is a zypper plugin that does, "permissions-zypp-plugin", which should run after zypper installs packages.

I have noticed that there are a number of security script timers that do not run by default:

Telcontar:~ # systemctl status seccheck-[tab][tab]
seccheck-autologout.service  seccheck-daily.service  seccheck-monthly.service  seccheck-weekly.service
seccheck-autologout.timer    seccheck-daily.timer    seccheck-monthly.timer    seccheck-weekly.timer
Telcontar:~ #

--
Cheers / Saludos,
Carlos E. R.
(from 15.2 x86_64 at Telcontar)
On Thu, 19 Aug 2021 13:47:48 +0200 "Carlos E. R." <robin.listas@telefonica.net> wrote:
> On 19/08/2021 13.38, Anton Aylward wrote:
>> On 2021-08-19 06:02, Wolfgang Mueller wrote:
>>> On Wed, 18 Aug 2021 at 22:40:22 +0200, Carlos E. R. wrote:
>>>> On 18/08/2021 21.52, Wolfgang Mueller wrote:
>>>>> On Wed, 18 Aug 2021 at 15:08:07 +0200, Philippe Andersson wrote:
>>>>>> [...] Also, there are now many more utilities that rely on these capabilities (check 'permissions.easy' to find out which), so you should also make sure the other files are OK.
>>>>> I do not know how to check 'permissions.easy', but I think it is not necessary since ping works perfectly.
>>>> It affects way more than ping.
>>>> The active security level is configured in /etc/sysconfig/security:
>>>> PERMISSION_SECURITY="easy local"
>>>> That is the default.
>>>> chkstat --warn --system
>>>> this verifies but does not change the permissions. To change them, do:
>>>> chkstat --system
>>>> I think there is a cron job or timer that verifies them periodically.
>>> These are the only non-comment lines of my /etc/sysconfig/security:
>>> PERMISSION_SECURITY="easy local"
>>> PERMISSION_FSCAPS=""
>>> CHECK_POLKIT_PRIVS=""
>>> POLKIT_DEFAULT_PRIVS=""
>>> CHECK_SIGNATURES=yes
>>> I think there is no necessity to modify any of them.
>> No, but you might want to modify /etc/permissions.local for any one of a number of reasons.
>> There is also /etc/permissions.d/ I have postfix there, but I'm not sure how to alter PERMISSION_SECURITY to take note of it.
> When you run "chkstat --system" it takes note of it.
> What I have not found is if there is a cron job or systemd timer that checks.

I doubt it. If I have deliberately chmod-ded a directory, it would be very annoying to be repeatedly 'warned' about it every day or whenever. :(

> I know that there is a zypper plugin that does, "permissions-zypp-plugin", which should run after zypper installs packages.
> I have noticed that there are a number of security script timers that do not run by default:
> Telcontar:~ # systemctl status seccheck-[tab][tab]
> seccheck-autologout.service  seccheck-daily.service  seccheck-monthly.service  seccheck-weekly.service
> seccheck-autologout.timer    seccheck-daily.timer    seccheck-monthly.timer    seccheck-weekly.timer
> Telcontar:~ #
On 19/08/2021 21.37, Dave Howorth wrote:
> On Thu, 19 Aug 2021 13:47:48 +0200 "Carlos E. R." wrote:
>> On 19/08/2021 13.38, Anton Aylward wrote:
>>> On 2021-08-19 06:02, Wolfgang Mueller wrote:
>>>> On Wed, 18 Aug 2021 at 22:40:22 +0200, Carlos E. R. wrote:
>>>>> On 18/08/2021 21.52, Wolfgang Mueller wrote:
>>>>>> On Wed, 18 Aug 2021 at 15:08:07 +0200, Philippe Andersson wrote:
>>>>>>> [...] Also, there are now many more utilities that rely on these capabilities (check 'permissions.easy' to find out which), so you should also make sure the other files are OK.
>>>>>> I do not know how to check 'permissions.easy', but I think it is not necessary since ping works perfectly.
>>>>> It affects way more than ping.
>>>>> The active security level is configured in /etc/sysconfig/security:
>>>>> PERMISSION_SECURITY="easy local"
>>>>> That is the default.
>>>>> chkstat --warn --system
>>>>> this verifies but does not change the permissions. To change them, do:
>>>>> chkstat --system
>>>>> I think there is a cron job or timer that verifies them periodically.
>>>> These are the only non-comment lines of my /etc/sysconfig/security:
>>>> PERMISSION_SECURITY="easy local"
>>>> PERMISSION_FSCAPS=""
>>>> CHECK_POLKIT_PRIVS=""
>>>> POLKIT_DEFAULT_PRIVS=""
>>>> CHECK_SIGNATURES=yes
>>>> I think there is no necessity to modify any of them.
>>> No, but you might want to modify /etc/permissions.local for any one of a number of reasons.
>>> There is also /etc/permissions.d/ I have postfix there, but I'm not sure how to alter PERMISSION_SECURITY to take note of it.
>> When you run "chkstat --system" it takes note of it.
>> What I have not found is if there is a cron job or systemd timer that checks.
> I doubt it. If I have deliberately chmod-ded a directory, it would be very annoying to be repeatedly 'warned' about it every day or whenever. :(

That doesn't happen, because you write your correct permissions to /etc/permissions.local

--
Cheers / Saludos,
Carlos E. R.
(from 15.2 x86_64 at Telcontar)