Hi, I have just performed an update of one of my systems (actually a rebuild rather than a simple update) so everything should be fresh. I now can't ping unless I am root:
ping www.google.com
ping: icmp open socket: Operation not permitted
Has anything changed that I have missed? I've looked through the news feed and searched the forums but found nothing.
Thanks...
Last edited by starfry (2012-08-01 20:39:57)
What are the permissions on /usr/bin/ping? It should be suid.
Works for me.
Permissions on /usr/bin/ping{,6} should be 755. It is not suid as we use capabilities. The following command should give you the same result
# getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep
Capabilities are set in the iputils.install that comes with the iputils PKGBUILD.
Find out which package it belongs to.
$ pacman -Qo ping
/usr/bin/ping is owned by iputils 20101006-4
Reinstall it.
# pacman -S iputils
Reboot.
I have made a personal commitment not to reply in topics that start with a lowercase letter. Proper grammar and punctuation is a sign of respect, and if you do not show any, you will NOT receive any help (at least not from me).
Thanks. I reinstalled and now it works. I didn't need to reboot. Prior to the reinstall, the package was
$ pacman -Qo ping
/usr/bin/ping is owned by iputils 20101006-4
$ sudo pacman -S iputils
warning: iputils-20101006-4 is up to date -- reinstalling
$ getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep
So, I've hit on something that I've never encountered before: this capabilities stuff. I will need to go off and read about it.
The way I've always made my system is to automatically build an image with mkarchroot, drop it into place and boot it. Without knowing anything about capabilities would building an image in this way somehow lose that information? This is the first time I've seen this problem, has something changed in the packages that would have made this happen?
Sorry for all the questions, but this is something I have never come across before. (and, thanks for the help!).
*edit*
Just checked on an older system: its 'ping' is /bin/ping and is suid. It is from 'iputils 20101006-2'. The system to which I refer in my post was built on 31/7 and has 'iputils 20101006-4': its 'ping' is /usr/bin/ping and it has a symlink from /bin/ping to that. I can see from the changelog that use of cap_net_raw=ep instead of suid root was introduced at 20101006-3 on June 18th.
*edit again*
Been doing some reading and I suspect that 'tar' does not propagate extended attributes. When I build a system it ends up as a .tar.bz2 that is extracted onto a target system. I suspect this is causing these extended attributes (capabilities) to get lost. I don't know - it's a guess based on googling. Would someone more knowledgeable be able to confirm or refute this?
Last edited by starfry (2012-08-01 16:31:53)
Use this next time:
https://wiki.archlinux.org/index.php/Fu … with_rsync
... it rsyncs in archive mode, ensuring that symbolic links, devices, permissions and ownerships, among other file attributes are preserved
That (using rsync) would assume source and destination are on the same network, which they aren't. Sometimes, these images are installed off a CD in a remote location. Also the build and install may be done at different points in time. But thanks for the suggestion.
I did a cursory test with rsync (just used the -a flag) and the capabilities were not preserved in the destination. It seems (again, cursory) that if a file is copied its capabilities are lost, but if moved its capabilities are preserved.
Amusingly, even on this relatively obscure topic the Arch wiki is second only to kernel.org in a search for 'linux file capabilities'.
Hi, sorry to hijack but I can't ping if not using sudo or root.
I have reinstalled iputils and rebooted as recommended here.
Whenever I try setcap or getcap I get command not found errors.
I'm using btrfs and systemd if that might have anything to do with it?
Many thanks,
P
A "command not found" error means that the command is not in your path.
Check the value of the $PATH variable (echo $PATH)
and run the command which ping.
Thanks. I can ping now!
P
I did a cursory test with rsync (just used the -a flag) and the capabilities were not preserved in the destination. It seems (again, cursory) that if a file is copied its capabilities are lost, but if moved its capabilities are preserved.
rsync can do it though:
$ mkdir /tmp/y
$ sudo /usr/bin/rsync -aAXv /usr/bin/ping /tmp/y/
$ \ls -l /tmp/y
total 36
-rwxr-xr-x 1 root root 35728 Gor 12 11:19 ping
$ getcap /tmp/y/ping
/tmp/y/ping = cap_net_raw+ep
The only reason I chose "-aAXv" is because that's what I use when I backup to external disk.
I suspect you can also get tar to do it - at least with some versions of tar - but I haven't tried that and suspect rsync is more straightforward. (In some cases, tar saves extended attributes to additional files - I assume with a view to restoring them. At least, some versions of tar behave this way.)
Last edited by cfr (2012-08-19 19:51:45)
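Added example, not code from the thread, from iputils or from Arch: the posts above (starfry's guess that tar drops the extended attribute, cfr's rsync -aAXv test) turn on whether the security.capability xattr survives a copy. This Python decoder reads that xattr the way getcap does, renders it as "cap_net_raw+ep", and audits a whole tree so an extracted image can be compared with the build root before it ships. The struct layout and bit numbers are from linux/capability.h; the sample xattr bytes are constructed; os.getxattr is Linux-only.

```python
import errno
import os
import struct

# Capability bit numbers from linux/capability.h; unlisted bits render as cap_<n>.
CAP_NAMES = {7: "cap_setuid", 12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000  # 20 bytes: magic + 2 x (permitted, inheritable) u32
VFS_CAP_REVISION_3 = 0x03000000  # 24 bytes: revision 2 plus a rootid (user-namespace caps)
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# Constructed sample: the value behind getcap's "cap_net_raw+ep" (rev 2, effective, permitted bit 13).
PING_CAP_XATTR = bytes.fromhex("01000002" "00200000" "00000000" "00000000" "00000000")

def decode_vfs_cap(blob: bytes) -> dict:
    """Parse a raw security.capability value (struct vfs_cap_data, little-endian)."""
    magic_etc = struct.unpack_from("<I", blob, 0)[0] if len(blob) >= 4 else 0
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if len(blob) != {VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}.get(revision):
        raise ValueError(f"bad vfs_cap_data: revision 0x{revision:08x}, {len(blob)} bytes")
    # Two (permitted, inheritable) u32 pairs cover capability bits 0..63.
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
    rootid = struct.unpack_from("<I", blob, 20)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {"permitted": p_lo | (p_hi << 32), "inheritable": i_lo | (i_hi << 32),
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}

def format_caps(caps: dict) -> str:
    """Render a decoded set in getcap's style, e.g. 'cap_net_raw+ep'."""
    bits = caps["permitted"] | caps["inheritable"]
    names = ",".join(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if bits >> b & 1)
    flags = "e" * caps["effective"] + "i" * bool(caps["inheritable"]) + "p" * bool(caps["permitted"])
    return f"{names}+{flags}" if bits else ""

def file_caps(path: str):
    """Decoded caps of path, or None if it has none (starfry's ping after a plain tar extract)."""
    try:
        return decode_vfs_cap(os.getxattr(path, "security.capability"))  # Linux-only call
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise

def audit_tree(root: str) -> dict:
    """getcap-style string per file with caps under root; diff build root vs extracted image."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path) and (caps := file_caps(path)):
                found[path] = format_caps(caps)
    return found
```

Running audit_tree on the mkarchroot build directory and again on the extracted .tar.bz2 makes the loss starfry describes visible as a missing /usr/bin/ping entry, whatever tool did the copy.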
The only reason I chose "-aAXv" is because that's what I use when I backup to external disk.
Updated to use "-aAXv".