ping: socket: Operation not permitted
This document (000020581) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 12
node1: # su test test@node1:/> ping -c1 18.104.22.168 ping: socket: Operation not permitted test@node1:/>In some cases, it might not return an error message, but it might not actually perform the ping, either:
node1: # su test test@node1:/> ping -c1 22.214.171.124 node1: #
1. The parameter: net.ipv4.ping_group_range
This parameter will allow non-root users to execute ping on SLES 15. However, due to potential problems in the usage of this parameter, SUSE is recommending this ONLY for 15 SP3 and above. Additionally, this will not solve the issue on SLES 12, even though the parameter exists there also. On those previous distributions, leave this setting at the default of "1 0" and see option #2 or #3 instead, below.
The ping_group_range can be set within /etc/sysctl.conf:
net.ipv4.ping_group_range="0 2147483647"or temporarily set on the fly with the sysctl command, for example:
sysctl net.ipv4.ping_group_range="0 2147483647"
Users whose UIDs are covered by net.ipv4.ping_group_range are allowed to use the ping command:
node1:~ # sysctl net.ipv4.ping_group_range net.ipv4.ping_group_range = 0 2147483647 node1:~ # node1:~ # su test test@node1:/> ping -c1 126.96.36.199 PING 188.8.131.52 (184.108.40.206) 56(84) bytes of data. 64 bytes from 220.127.116.11: icmp_seq=1 ttl=117 time=3.62 ms --- 18.104.22.168 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 3.620/3.620/3.620/0.000 ms test@node1:/>
2. Alternatively, non-root users can use the ping command if certain capabilities are present on the /usr/bin/ping binary:
node1:~ # setcap cap_net_raw+p /usr/bin/ping node1:~ # getcap /usr/bin/ping /usr/bin/ping = cap_net_raw+p node1:~ # node1:~ # su test test@node1:/> ping -c1 22.214.171.124 PING 126.96.36.199 (188.8.131.52) 56(84) bytes of data. 64 bytes from 184.108.40.206: icmp_seq=1 ttl=117 time=3.62 ms --- 220.127.116.11 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 3.620/3.620/3.620/0.000 ms test@node1:/>The above capability method allows more fine grained privileges to be given to non-root users rather than the full power of root. Testing and research confirm that "cap_net_raw+p" on /usr/bin/ping should be enough to allow non-root users to ping. However, most SLES 12 and 15 installations have defaulted to "cap_net_raw+ep" so if any problems are seen with +p, it may be worth testing +ep as well.
More information about file capabilities could be found at these links:
* In order to use
libcap-progspackage must be installed, which can be done with the command:
zypper install libcap-progs
3. In some unique circumstances, the permissions mode of /usr/bin/ping may need to be increased to allow execution by non-root users. This method is no longer preferred, as it carries more security risk. In older distributions of Linux, such as SLES 11, ping was typically made accessible to non-root users by setting the "setuid" bit on /usr/bin/ping:
# chmod 4755 /usr/bin/ping # ls -l /usr/bin/ping -rwsr-xr-x 1 root root 72664 May 7 15:39 /usr/bin/pingNote the "s" in the permissions displayed above. This represents the "setuid" bit and allows non-root users to execute as the owner (root).
However, for security reasons, using the setuid bit is no longer a preferred method. It is safer to use options #1 or #2 above.
Despite that warning, if SLES 12 is in use and /usr/bin/ping resides on an NFS mount (typically when the root file systems is an NFS mount) then neither method #1 nor #2 will allow non-root users to execute ping. In that case, it is necessary to add the setuid bit as shown above. Note that for SLES 15 SP3 (and above) with an NFS mount, method #1 above is sufficient and preferred.
Some administrative commands might remove the setuid bit from certain executables which are not intended to have it. To make the setuid bit more permanent, edit /etc/permissions.local and add these 2 lines:
/usr/bin/ping root:root 4755 /usr/bin/ping6 root:root 4755After which, the following command will always insure that those permissions are present:
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020581
- Creation Date: 24-Oct-2022
- Modified Date:24-Oct-2022
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com