How is ping for non-root user implemented on Linux distros?

Question

I was browsing through the code for ping form iputils package for Linux.

I noticed that ping uses raw sockets SOCK_RAW, which any userspace application requires root privilege to use.

How do the developers of Linux distros manage to provide the ping command for non-root users ?

Answer 1

On modern distros, ping uses an extended file attribute to grant CAP_NET_RAW to unprivileged users.

Example here on my Debian testing:

jbm@sumo:~$ ls -l /bin/ping
-rwxr-xr-x 1 root root 57048 Mar  1 15:49 /bin/ping
jbm@sumo:~$ filecap /bin/ping
file                 capabilities
/bin/ping     net_raw

...which is better than SUID, security wise: only one capability here, instead of the full root set (37 capabilities as of my 4.5 kernel).

EDIT: a couple of things.

First: instead of filecap, you might want to use getcap.

The latter comes with the "regular" lipcap and its CLI tools, that you are pretty sure to have on your system whatever the distro. As opposed to the former, which comes with libcap-ng.

Second: regarding Ubuntu.

Indeed, now that I'm at the office, with a couple of Ubuntu LTS VM (14.04 and 16.04) guests on my Debian testing host, I can see that Canonical does uses the SUID bit rather than an extended file attribute. They appear to rely on AppArmor MAC, and I'd say we have a good example here of why this might not be the best idea as a first measure: the administrative paperwork load to get it right is high.

As a result, though Canonical do have some AppArmor setup for say tcpdump, they do not for ping (which is instead SUID = full root power for free), nor for example for dumpcap (the process running the packets capture for wireshark), which will imply sudo, which again is full root power (yet at least with a password). Hopefully upstream developers do things right: capability dropping is available at the source code level both for the iputils like ping or for dumpcap, so it's up to the integrator (distro package maintainers).