Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How is ping for non-root user implemented on Linux distros?

I was browsing through the code for ping form iputils package for Linux.

I noticed that ping uses raw sockets SOCK_RAW, which any userspace application requires root privilege to use.

How do the developers of Linux distros manage to provide the ping command for non-root users ?

like image 477
Rishav Ambasta Avatar asked May 29 '16 16:05

Rishav Ambasta


People also ask

Does ping require root?

ping needs to generate and receive ICMP packets, and usually that's done using "raw sockets" – a feature limited to root (cap_net_raw) because it could also be abused to sniff and disrupt other traffic on the system.

How do I run as non-root user?

sudo (superuser do) allows you to configure non-root users to run root level commands without being root.

What can a non-root user do?

Depending on the tasks that the installer completes, a non-root user can create a profile, start WebSphere Application Server, or do both. An installer can create a profile and assign ownership of the profile directory to a non-root user so that the non-root user can start the product for a specific profile.


1 Answers

On modern distros, ping uses an extended file attribute to grant CAP_NET_RAW to unprivileged users.

Example here on my Debian testing:

jbm@sumo:~$ ls -l /bin/ping
-rwxr-xr-x 1 root root 57048 Mar  1 15:49 /bin/ping
jbm@sumo:~$ filecap /bin/ping
file                 capabilities
/bin/ping     net_raw

...which is better than SUID, security wise: only one capability here, instead of the full root set (37 capabilities as of my 4.5 kernel).

EDIT: a couple of things.

First: instead of filecap, you might want to use getcap.

The latter comes with the "regular" lipcap and its CLI tools, that you are pretty sure to have on your system whatever the distro. As opposed to the former, which comes with libcap-ng.

Second: regarding Ubuntu.

Indeed, now that I'm at the office, with a couple of Ubuntu LTS VM (14.04 and 16.04) guests on my Debian testing host, I can see that Canonical does uses the SUID bit rather than an extended file attribute. They appear to rely on AppArmor MAC, and I'd say we have a good example here of why this might not be the best idea as a first measure: the administrative paperwork load to get it right is high.

As a result, though Canonical do have some AppArmor setup for say tcpdump, they do not for ping (which is instead SUID = full root power for free), nor for example for dumpcap (the process running the packets capture for wireshark), which will imply sudo, which again is full root power (yet at least with a password). Hopefully upstream developers do things right: capability dropping is available at the source code level both for the iputils like ping or for dumpcap, so it's up to the integrator (distro package maintainers).

like image 107
jbm Avatar answered Sep 18 '22 12:09

jbm