As far as I know, ping needs to create a raw socket (which needs either root access or cap_net_raw capabilities).
From my understanding, the trend in recent years has been to remove setuid binaries and replace them with capabilities.
However, when I look at the ping binary on my Fedora 32, it doesn’t appear to have any:
$ ls -la $(which ping)
-rwxr-xr-x. 1 root root 82960 May 18 10:26 /usr/bin/ping
$ sudo getcap -v $(which ping)
/usr/bin/ping
$
Does ping need to open a raw socket on Fedora? Or is there another way to give it the permission to open a raw socket?
Answers:
Method 1
I think https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange answers your question:
Enable the Linux kernel’s net.ipv4.ping_group_range parameter to cover all groups. This will let all users on the operating system create ICMP Echo sockets without using setuid binaries, or having the CAP_NET_ADMIN and CAP_NET_RAW file capabilities.
Cross-reference detail
- Targeted release: Fedora 31
- Last updated: 2019-08-13
- Tracker bug: #1740809
- Release notes tracker: #376
The sysctl documentation states:
ping_group_range – 2 INTEGERS
Restrict ICMP_PROTO datagram sockets to users in the group range. The default is “1 0”, meaning that nobody (not even root) may create ping sockets. Setting it to “100 100” would grant permissions to the single group. “0 4294967295” would enable it for the world, “100 4294967295” would enable it for the users, but not daemons.
An older code example demonstrates the use of this feature, and in particular shows that a socket is created with the IPPROTO_ICMP flag to identify that it will be used for raw ICMP:
int sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
Method 2
From Fedora 31 on, the kernel parameter net.ipv4.ping_group_range has been set to cover all groups.
This will let all users on the operating system create ICMP Echo sockets without using setuid binaries, or having the CAP_NET_ADMIN and CAP_NET_RAW file capabilities.
sysctl net.ipv4.ping_group_range
net.ipv4.ping_group_range = 0 2147483647
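Both answers above come down to the same mechanism: with net.ipv4.ping_group_range covering the caller's group, an unprivileged process can open a SOCK_DGRAM/IPPROTO_ICMP "ping socket" instead of a raw socket, and the kernel restricts that socket to ICMP echo requests (it fills in the identifier and checksum itself). The following C program is an added example, not code from the question, the answers, or iputils ping. It reads the sysctl, checks whether the caller's effective gid falls inside the range, then tries to open a ping socket and, if that works, sends one echo request to loopback. The helper names (parse_ping_group_range, gid_in_ping_range, open_icmp_dgram_socket) are this example's own; it assumes a Linux host.

```c
/* Added example (not from the original question or answers). Shows what the
 * ping_group_range sysctl gates: an ICMP datagram ("ping") socket that needs
 * no root, setuid bit or CAP_NET_RAW, only a gid inside the configured range.
 * Linux only. Helper names are this example's own. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>

#define PING_GROUP_RANGE_PATH "/proc/sys/net/ipv4/ping_group_range"

/* Parse the "LOW<tab>HIGH" text the sysctl exposes. Returns 0 on success,
 * -1 if the text is malformed or a value does not fit in a gid_t. */
int parse_ping_group_range(const char *text, gid_t *low, gid_t *high)
{
    char *end;
    unsigned long lo, hi;

    errno = 0;
    lo = strtoul(text, &end, 10);            /* strtoul skips leading blanks */
    if (end == text || errno != 0 || lo > UINT_MAX)
        return -1;
    text = end;
    hi = strtoul(text, &end, 10);
    if (end == text || errno != 0 || hi > UINT_MAX)
        return -1;
    *low = (gid_t)lo;
    *high = (gid_t)hi;
    return 0;
}

/* Whether one gid is allowed by the range. The kernel default "1 0" is an
 * inverted, i.e. empty, range: nobody qualifies. The kernel itself checks the
 * effective gid and every supplementary group; this checks a single gid. */
int gid_in_ping_range(gid_t gid, gid_t low, gid_t high)
{
    return low <= high && gid >= low && gid <= high;
}

/* Try to create an ICMP datagram socket. Returns the fd (>= 0) or -errno.
 * A caller outside ping_group_range gets -EACCES from the kernel. */
int open_icmp_dgram_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    return fd < 0 ? -errno : fd;
}

int main(void)
{
    char buf[64];
    gid_t low, high;
    FILE *f = fopen(PING_GROUP_RANGE_PATH, "r");

    if (!f || !fgets(buf, sizeof buf, f) ||
        parse_ping_group_range(buf, &low, &high) != 0) {
        perror("reading " PING_GROUP_RANGE_PATH);
        return 1;
    }
    fclose(f);
    printf("ping_group_range = %u %u; egid %u is %s the range\n",
           (unsigned)low, (unsigned)high, (unsigned)getegid(),
           gid_in_ping_range(getegid(), low, high) ? "inside" : "outside");

    int fd = open_icmp_dgram_socket();
    if (fd < 0) {
        fprintf(stderr, "socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP): %s\n",
                strerror(-fd));
        return 1;
    }

    /* One echo request to loopback. On a ping socket the kernel only accepts
     * type ICMP_ECHO / code 0, overwrites the identifier with the socket's
     * own, and computes the checksum, so we set just type, code and seq. */
    struct icmphdr req = { .type = ICMP_ECHO, .code = 0 };
    req.un.echo.sequence = htons(1);
    struct sockaddr_in dst = { .sin_family = AF_INET,
                               .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    struct timeval tv = { .tv_sec = 1 };   /* don't hang if nothing answers */
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);

    if (sendto(fd, &req, sizeof req, 0, (struct sockaddr *)&dst, sizeof dst) < 0) {
        perror("sendto");
        close(fd);
        return 1;
    }
    unsigned char reply[128];              /* reply starts at the ICMP header */
    ssize_t n = recv(fd, reply, sizeof reply, 0);
    if (n >= (ssize_t)sizeof(struct icmphdr)) {
        struct icmphdr *rep = (struct icmphdr *)reply;
        printf("got ICMP type %u seq %u from loopback\n",
               rep->type, ntohs(rep->un.echo.sequence));
    } else {
        perror("recv");
    }
    close(fd);
    return 0;
}
```

Run it once as an ordinary user with the sysctl at the kernel default and once after `sysctl -w net.ipv4.ping_group_range="0 2147483647"` (as root) to see the socket() call flip from EACCES to success; nothing about the binary itself changes, which is why Fedora's ping carries neither a setuid bit nor file capabilities.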
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.