
#1 2012-08-01 14:28:19

starfry
Member
From: Surrey, UK
Registered: 2010-08-18
Posts: 230

[SOLVED] Ping requires root

Hi, I have just performed an update of one of my systems (actually a rebuild rather than a simple update) so everything should be fresh. I now can't ping unless I am root:

ping www.google.com
ping: icmp open socket: Operation not permitted

Has anything changed that I have missed? I've looked through the news feed and searched the forums but found nothing.

Thanks...

Last edited by starfry (2012-08-01 20:39:57)

Offline

#2 2012-08-01 14:35:32

Barrucadu
Member
From: York, England
Registered: 2008-03-30
Posts: 1,158
Website

Re: [SOLVED] Ping requires root

What are the permissions on /usr/bin/ping? It should be suid.

Offline

#3 2012-08-01 15:01:47

stephane
Forum Fellow
Registered: 2009-10-18
Posts: 25

Re: [SOLVED] Ping requires root

Works for me.

Permissions on /usr/bin/ping{,6} should be 755. It is not suid as we use capabilities. The following command should give you the same result:

# getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep

Capabilities are set in the iputils.install that comes with the iputils PKGBUILD.

Offline

#4 2012-08-01 15:27:40

DSpider
Member
From: Romania
Registered: 2009-08-23
Posts: 2,273

Re: [SOLVED] Ping requires root

Find out which package it belongs to.

$ pacman -Qo ping
/usr/bin/ping is owned by iputils 20101006-4

Reinstall it.

# pacman -S iputils

Reboot.


"How to Succeed with Linux"

I have made a personal commitment not to reply in topics that start with a lowercase letter. Proper grammar and punctuation is a sign of respect, and if you do not show any, you will NOT receive any help (at least not from me).

Offline

#5 2012-08-01 15:46:45

starfry
Member
From: Surrey, UK
Registered: 2010-08-18
Posts: 230

Re: [SOLVED] Ping requires root

Thanks. I reinstalled and now it works. I didn't need to reboot. Prior to reinstall package was

$ pacman -Qo ping
/usr/bin/ping is owned by iputils 20101006-4

$ sudo pacman -S iputils
warning: iputils-20101006-4 is up to date -- reinstalling

$ getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep

So, I've hit on something that I've never encountered before: this capabilities stuff. I will need to go off and read about it.

The way I've always made my system is to automatically build an image with mkarchroot, drop it into place and boot it. Without knowing anything about capabilities would building an image in this way somehow lose that information? This is the first time I've seen this problem, has something changed in the packages that would have made this happen?

Sorry for all the questions, but this is something I have never come across before. (and, thanks for the help!).

*edit*

Just checked on an older system: its 'ping' is /bin/ping and is suid. It is from 'iputils 20101006-2'. The system to which I refer in my post was built on 31/7 and has 'iputils 20101006-4': its 'ping' is /usr/bin/ping and it has a symlink from /bin/ping to that. I can see from the changelog that use of cap_net_raw=ep instead of suid root was introduced at 20101006-3 on June 18th.

*edit again*

Been doing some reading and I suspect that 'tar' does not propagate extended attributes. When I build a system it ends up as a .tar.bz2 that is extracted onto a target system. I suspect this is causing these extended attributes (capabilities) to get lost. I don't know - it's a guess based on googling. Would someone more knowledgeable be able to confirm or refute this?

Last edited by starfry (2012-08-01 16:31:53)

Offline

#6 2012-08-01 18:24:43

DSpider
Member
From: Romania
Registered: 2009-08-23
Posts: 2,273

Re: [SOLVED] Ping requires root

Use this next time:

https://wiki.archlinux.org/index.php/Fu … with_rsync

... it rsyncs in archive mode, ensuring that symbolic links, devices, permissions and ownerships, among other file attributes are preserved


"How to Succeed with Linux"

I have made a personal commitment not to reply in topics that start with a lowercase letter. Proper grammar and punctuation is a sign of respect, and if you do not show any, you will NOT receive any help (at least not from me).

Offline

#7 2012-08-01 20:47:25

starfry
Member
From: Surrey, UK
Registered: 2010-08-18
Posts: 230

Re: [SOLVED] Ping requires root

That (using rsync) would assume source and destination are on the same network, which they aren't. Sometimes, these images are installed off a CD in a remote location. Also the build and install may be done at different points in time. But thanks for the suggestion.

Offline

#8 2012-08-01 21:27:25

alphaniner
Member
From: Ancapistan
Registered: 2010-07-12
Posts: 2,810

Re: [SOLVED] Ping requires root

I did a cursory test with rsync (just used -a flag) and the capabilities were not preserved in the destination. It seems (again, cursory) that if a file is copied its capabilities are lost, but if moved its capabilities are preserved.

Amusingly, even on this relatively obscure topic the Arch wiki is second only to kernel.org in a search for 'linux file capabilities'.


But whether the Constitution really be one thing, or another, this much is certain - that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case, it is unfit to exist.
-Lysander Spooner

Offline

#9 2012-08-02 21:23:27

pepedopolous
Member
Registered: 2012-02-12
Posts: 86

Re: [SOLVED] Ping requires root

Hi, sorry to hijack but I can't ping if not using sudo or root.

I have reinstalled iputils and rebooted as recommended here.

Whenever I try setcap or getcap I get command not found errors.

I'm using btrfs and systemd if that might have anything to do with it?

Many thanks,

P

Offline

#10 2012-08-03 02:55:09

fschiff
Member
Registered: 2011-10-06
Posts: 71

Re: [SOLVED] Ping requires root

command not found error means that the command is not in your path.
Check value of $PATH variable (echo $PATH)
and run command which ping.

Offline

#11 2012-08-03 09:27:18

pepedopolous
Member
Registered: 2012-02-12
Posts: 86

Re: [SOLVED] Ping requires root

Thanks. I can ping now!

P

Offline

#12 2012-08-19 19:49:18

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [SOLVED] Ping requires root

alphaniner wrote:

I did a cursory test with rsync (just used -a flag) and the capabilities were not preserved in the destination. It seems (again, cursory) that if a file is copied its capabilities are lost, but if moved its capabilities are preserved.

rsync can do it though:

$ mkdir /tmp/y
$ sudo /usr/bin/rsync -aAXv /usr/bin/ping /tmp/y/
$ \ls -l /tmp/y
total 36
-rwxr-xr-x 1 root root 35728 Gor  12 11:19 ping
$ getcap /tmp/y/ping 
/tmp/y/ping = cap_net_raw+ep

The only reason I chose "-aAXv" is because that's what I use when I backup to external disk.

I suspect you can also get tar to do it - at least with some versions of tar - but I haven't tried that and suspect rsync is more straightforward. (In some cases, tar saves extended attributes to additional files - I assume with a view to restoring them. At least, some versions of tar behave this way.)

Last edited by cfr (2012-08-19 19:51:45)


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline
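
Added example, not part of any post in this thread: file capabilities such as the cap_net_raw+ep discussed above are stored in the security.capability extended attribute, so a copy or archive step that drops xattrs drops them silently. This Linux-only Python sketch decodes that attribute and audits a deployed image against an expected manifest; the function names, the manifest format and the sample bytes are constructed for illustration.

```python
import os
import struct

# Constants from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
REVISION_WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}
CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw"}  # subset; others print as cap_<n>
# Constructed sample: revision-2 xattr value equivalent to cap_net_raw+ep
SAMPLE_PING_XATTR = bytes.fromhex("0100000200200000000000000000000000000000")


def decode_file_caps(raw):
    """Decode a security.capability xattr value (struct vfs_cap_data)."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    (magic,) = struct.unpack_from("<I", raw, 0)
    words = REVISION_WORDS.get(magic & VFS_CAP_REVISION_MASK)
    if words is None or len(raw) < 4 + 8 * words:
        raise ValueError("unknown revision or truncated xattr")
    permitted = inheritable = 0
    for i in range(words):  # each word pair covers 32 capability bits
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    names = lambda m: sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if m >> b & 1)
    return {"permitted": names(permitted), "inheritable": names(inheritable),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}


def read_file_caps(path):
    """Return decoded capabilities of path, or None if the xattr is absent."""
    try:
        return decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError:
        return None  # xattr missing (lost in transfer) or file/filesystem lacks it


def audit(expected, reader=read_file_caps):
    """Return (path, found) for files whose '+ep' set differs from the manifest."""
    mismatches = []
    for path, want in expected.items():
        caps = reader(path)
        have = set(caps["permitted"]) if caps and caps["effective"] else set()
        if have != set(want):
            mismatches.append((path, have))
    return mismatches


if __name__ == "__main__":
    print(decode_file_caps(SAMPLE_PING_XATTR))
    print(audit({"/usr/bin/ping": {"cap_net_raw"}}))
```

Running the audit as a post-install step on the target catches an image whose ping has reverted to needing root before a user does.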

#13 2012-08-20 04:15:49

DSpider
Member
From: Romania
Registered: 2009-08-23
Posts: 2,273

Re: [SOLVED] Ping requires root

cfr wrote:

The only reason I chose "-aAXv" is because that's what I use when I backup to external disk.

Updated to use "-aAXv".


"How to Succeed with Linux"

I have made a personal commitment not to reply in topics that start with a lowercase letter. Proper grammar and punctuation is a sign of respect, and if you do not show any, you will NOT receive any help (at least not from me).

Offline
