
ping: socket: Operation not permitted

This document (000020581) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12

Situation

The ping command returns 'Error: ping: socket: Operation not permitted' when executed by a non-root user.
node1: # su test
test@node1:/> ping -c1 8.8.8.8
ping: socket: Operation not permitted
test@node1:/>
In some cases, it might not return an error message, but it might not actually perform the ping, either:
node1: # su test
test@node1:/> ping -c1 8.8.8.8
node1: #

Resolution

There are various methods to allow non-root users to execute ping.  On most SLES systems, one or more of these are already present after a standard install, so most systems do not run into this issue.  The following methods are all independent.  Choosing one of them should be enough.

1.  The parameter:  net.ipv4.ping_group_range

This parameter will allow non-root users to execute ping on SLES 15.  However, due to potential problems in the usage of this parameter, SUSE is recommending this ONLY for 15 SP3 and above.  Additionally, this will not solve the issue on SLES 12, even though the parameter exists there also.  On those previous distributions, leave this setting at the default of "1 0" and see option #2 or #3 instead, below.

The ping_group_range can be set within /etc/sysctl.conf:
net.ipv4.ping_group_range="0 2147483647"
or temporarily set on the fly with the sysctl command, for example:
sysctl net.ipv4.ping_group_range="0 2147483647"

Users whose group IDs (primary or supplementary) fall within net.ipv4.ping_group_range are allowed to use the ping command:
node1:~ # sysctl net.ipv4.ping_group_range
net.ipv4.ping_group_range = 0    2147483647
node1:~ #
node1:~ # su test
test@node1:/> ping -c1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=3.62 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.620/3.620/3.620/0.000 ms
test@node1:/> 

2.  Alternatively, non-root users can use the ping command if certain capabilities are present on the /usr/bin/ping binary:
node1:~ # setcap cap_net_raw+p /usr/bin/ping
node1:~ # getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+p
node1:~ #
node1:~ # su test
test@node1:/> ping -c1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=3.62 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.620/3.620/3.620/0.000 ms
test@node1:/>
The above capability method grants non-root users a more fine-grained privilege rather than the full power of root.  Testing and research confirm that "cap_net_raw+p" on /usr/bin/ping should be enough to allow non-root users to ping.  However, most SLES 12 and 15 installations have defaulted to "cap_net_raw+ep", so if any problems are seen with +p, it may be worth testing +ep as well.

More information about file capabilities can be found at these links:
https://documentation.suse.com/sles/12-SP5/single-html/SLES-security/
https://documentation.suse.com/sles/15-SP2/single-html/SLES-security/

* In order to use getcap and setcap commands, the libcap-progs package must be installed, which can be done with the command:
zypper install libcap-progs

3.  In some unique circumstances, the permissions mode of /usr/bin/ping may need to be increased to allow execution by non-root users.  This method is no longer preferred, as it carries more security risk.  In older distributions of Linux, such as SLES 11, ping was typically made accessible to non-root users by setting the "setuid" bit on /usr/bin/ping:
# chmod 4755 /usr/bin/ping
# ls -l /usr/bin/ping
-rwsr-xr-x 1 root root 72664 May  7 15:39 /usr/bin/ping
Note the "s" in the permissions displayed above.  This represents the "setuid" bit and allows non-root users to execute as the owner (root).

However, for security reasons, using the setuid bit is no longer a preferred method.  It is safer to use options #1 or #2 above.

Despite that warning, if SLES 12 is in use and /usr/bin/ping resides on an NFS mount (typically when the root file system is an NFS mount), then neither method #1 nor #2 will allow non-root users to execute ping.  In that case, it is necessary to add the setuid bit as shown above.  Note that for SLES 15 SP3 (and above) with an NFS mount, method #1 above is sufficient and preferred.

Some administrative commands might remove the setuid bit from certain executables which are not intended to have it.  To make the setuid bit more permanent, edit /etc/permissions.local and add these 2 lines:
/usr/bin/ping       root:root         4755
/usr/bin/ping6      root:root         4755
After that, running the following command will always ensure that those permissions are present:
chkstat --system
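The following check script is an added example, not part of this TID or of any SUSE tool: it reports which of the three methods above is in effect for a user on the host.  The parsing helpers take their input as text, so they can be exercised offline against the sample sysctl, getcap and ls -l output quoted in this document; the binary path and user are assumptions passed as arguments.

```shell
#!/bin/sh
# Report which of the three mechanisms from this TID lets a user run ping.
# The parsing helpers take text arguments so they can be exercised offline
# against the sample command output quoted in the document.

# gid_in_ping_range GID LOW HIGH: success if GID lies within ping_group_range.
# The default "1 0" is an inverted, therefore empty, range.
gid_in_ping_range() {
  [ "$2" -le "$3" ] || return 1
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# ping_has_cap_net_raw "getcap line": success if cap_net_raw is in the
# permitted set (+p or +ep); handles both "= cap_net_raw+p" and "cap_net_raw=ep".
ping_has_cap_net_raw() {
  flags=$(printf '%s\n' "$1" | sed -n 's/.*cap_net_raw[+=]\([eip]*\).*/\1/p')
  case "$flags" in *p*) return 0 ;; esac
  return 1
}

# ping_is_setuid_root "ls -l line": success if the setuid bit is set and the
# file is owned by root ("s" or "S" in the owner-execute slot).
ping_is_setuid_root() {
  set -- $1                      # split the ls -l line into fields
  case "$1" in ???[sS]*) [ "$3" = root ] ;; *) return 1 ;; esac
}

# report_ping_access [USER] [BINARY]: run the live checks on this host.
report_ping_access() {
  user=${1:-$(id -un)}; bin=${2:-/usr/bin/ping}; found=0
  range=$(sysctl -n net.ipv4.ping_group_range 2>/dev/null || echo "1 0")
  gid=$(id -g "$user") || return 1
  # $range is deliberately unquoted: "LOW<TAB>HIGH" splits into two arguments
  if gid_in_ping_range "$gid" $range; then
    echo "method 1: GID $gid of $user is within ping_group_range ($range)"; found=1
  fi
  if command -v getcap >/dev/null 2>&1 && ping_has_cap_net_raw "$(getcap "$bin")"; then
    echo "method 2: $bin carries cap_net_raw"; found=1
  fi
  if ping_is_setuid_root "$(ls -l "$bin" 2>/dev/null)"; then
    echo "method 3: $bin is setuid root"; found=1
  fi
  [ "$found" -eq 1 ] || echo "none of the three methods is active; expect 'socket: Operation not permitted'"
}

# Run the live report only when explicitly asked, e.g.: sh ping-check.sh --report test
case "${1:-}" in --report) report_ping_access "${2:-}" ;; esac
```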


Cause

Because of security concerns, the traditional methods of allowing non-root users to execute ping (and to open the sockets it needs) have evolved over time.  As a result of these changes, the configuration may occasionally need to be verified.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020581
  • Creation Date: 24-Oct-2022
  • Modified Date: 24-Oct-2022
    • SUSE Linux Enterprise Server
