ping: socket: Operation not permitted

This document (000020581) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15

Situation

ping command throws 'Error: ping: socket: Operation not permitted' error on SLES 15 when used as non-root user. 
node1: # su test
test@node1:/> ping -c1 8.8.8.8
ping: socket: Operation not permitted
test@node1:/>

Resolution

There are two components to be considered, file capabilities (cap_net_raw+eip)  and net.ipv4.ping_group_range kernel parameter.
'ping: socket: Operation not permitted' error is thrown when neither of the parameters is set.

If net.ipv4.ping_group_range kernel parameter is only set, then all root and non-root users are allowed to use ping command: 
node1:~ # sysctl net.ipv4.ping_group_range
net.ipv4.ping_group_range = 0    2147483647
node1:~ #

node1:~ #  getcap /usr/bin/ping
node1:~ #

node1:~ # ping -c1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=3.65 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.651/3.651/3.651/0.000 ms
node1:~ #

node1:~ # su test
test@node1:/> ping -c1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=3.62 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.620/3.620/3.620/0.000 ms
test@node1:/> 

If  neither of the parameters is set, then only root user could use ping command: 
node1:~ #  sysctl net.ipv4.ping_group_range="1 0"
net.ipv4.ping_group_range = 1 0
node1:~ # 

node1:~ # getcap /usr/bin/ping
node1:~ #

node1:~ # ping -c1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=3.50 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.509/3.509/3.509/0.000 ms
node1:~ #

node1:~ # su test
test@node1:/> ping -c1 8.8.8.8
ping: socket: Operation not permitted
test@node1:/>

If net.ipv4.ping_group_range kernel parameter is not set, then ping command could be allowed by enabling the capabilities for non-root users as below: 
node1:~ # setcap cap_net_raw+eip /usr/bin/ping
node1:~ # getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+eip
node1:~ #

node1:~ # su test
test@node1:/> ping -c1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=3.62 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.620/3.620/3.620/0.000 ms
test@node1:/>
The above capability allows more fine grained privileges to be given to non-root users rather than the full power of root.

More information about file capabilities could be found following the below link:
https://documentation.suse.com/sles/12-SP5/single-html/SLES-security/
https://documentation.suse.com/sles/15-SP2/single-html/SLES-security/

* In order to use getcap and setcap commands, libcap-progs package must be installed by issuing 'zypper install libcap-progs'

Cause

'Error: ping: socket: Operation not permitted' is thrown when ping command is used by non-root users.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020581
  • Creation Date: 18-Feb-2022
  • Modified Date:18-Feb-2022
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center
Report a Software Vulnerability Submit Tips, Tricks, and Tools Download Free Tools