ping: socket: Operation not permitted
This document (000020581) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15
Situation
    node1: # su test
    test@node1:/> ping -c1 8.8.8.8
    ping: socket: Operation not permitted
    test@node1:/>
Resolution
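The 'ping: socket: Operation not permitted' error is thrown for a non-root user when neither of two settings is in place: the net.ipv4.ping_group_range kernel parameter and the cap_net_raw file capability on /usr/bin/ping.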
If only the net.ipv4.ping_group_range kernel parameter is set, then all users, root and non-root, are allowed to use the ping command:
    node1:~ # sysctl net.ipv4.ping_group_range
    net.ipv4.ping_group_range = 0 2147483647
    node1:~ #
    node1:~ # getcap /usr/bin/ping
    node1:~ #
    node1:~ # ping -c1 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=3.65 ms
    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 3.651/3.651/3.651/0.000 ms
    node1:~ #
    node1:~ # su test
    test@node1:/> ping -c1 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=3.62 ms
    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 3.620/3.620/3.620/0.000 ms
    test@node1:/>
If neither of the two is set (net.ipv4.ping_group_range at "1 0", which matches no group, and no capability on /usr/bin/ping), then only the root user can use the ping command:
    node1:~ # sysctl net.ipv4.ping_group_range="1 0"
    net.ipv4.ping_group_range = 1 0
    node1:~ #
    node1:~ # getcap /usr/bin/ping
    node1:~ #
    node1:~ # ping -c1 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=3.50 ms
    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 3.509/3.509/3.509/0.000 ms
    node1:~ #
    node1:~ # su test
    test@node1:/> ping -c1 8.8.8.8
    ping: socket: Operation not permitted
    test@node1:/>
If the net.ipv4.ping_group_range kernel parameter is not set, the ping command can still be allowed for non-root users by setting the file capability on the binary as below:
    node1:~ # setcap cap_net_raw+eip /usr/bin/ping
    node1:~ # getcap /usr/bin/ping
    /usr/bin/ping = cap_net_raw+eip
    node1:~ #
    node1:~ # su test
    test@node1:/> ping -c1 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=3.62 ms
    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 3.620/3.620/3.620/0.000 ms
    test@node1:/>

The above capability allows more fine-grained privileges to be given to non-root users rather than the full power of root.
More information about file capabilities can be found at the links below:
https://documentation.suse.com/sles/12-SP5/single-html/SLES-security/
https://documentation.suse.com/sles/15-SP2/single-html/SLES-security/
* In order to use the getcap and setcap commands, the libcap-progs package must be installed by issuing 'zypper install libcap-progs'.
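The three cases in the Resolution section can be checked in one pass. The following shell script is an added example, not part of the original SUSE document: its function names are hypothetical, it assumes ping is installed at /usr/bin/ping as in the sessions above, and it reads the sysctl value from /proc/sys/net/ipv4/ping_group_range.

```sh
#!/bin/sh
# Added example: report which mechanism, if any, lets a user run ping.
# Function names are hypothetical; /usr/bin/ping is the path used above.

# in_ping_range "LOW HIGH" "GID ..."
# Succeeds if any GID lies in the inclusive range LOW..HIGH.
# "1 0" is an empty range (LOW > HIGH), so it matches no group.
in_ping_range() {
    gids=$2
    set -- $1                 # split on space or tab, as procfs uses a tab
    low=$1 high=$2
    for gid in $gids; do
        if [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]; then
            return 0
        fi
    done
    return 1
}

# ping_access UID "GIDS" "LOW HIGH" "GETCAP_OUTPUT"
# Prints root, ping_group_range, cap_net_raw or denied.
ping_access() {
    if [ "$1" -eq 0 ]; then
        echo root             # root may ping with neither setting in place
    elif in_ping_range "$3" "$2"; then
        echo ping_group_range
    else
        case $4 in            # substring match on the getcap output line
            *cap_net_raw*) echo cap_net_raw ;;
            *) echo denied ;;
        esac
    fi
}

# report_user NAME: read the live values on this host and classify them.
report_user() {
    live_range=$(cat /proc/sys/net/ipv4/ping_group_range)
    live_caps=$(getcap /usr/bin/ping 2>/dev/null)   # needs libcap-progs
    echo "$1: $(ping_access "$(id -u "$1")" "$(id -G "$1")" \
        "$live_range" "$live_caps")"
}

# Run against a user only when a name is passed, e.g.: sh pingcheck.sh test
if [ $# -gt 0 ]; then
    report_user "$1"
fi
```

A result of cap_net_raw means every user who can execute the binary gets the capability through ping, whereas ping_group_range can be narrowed to a single group ID range.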
Cause
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020581
- Creation Date: 18-Feb-2022
- Modified Date: 18-Feb-2022
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com