Fix Ping Permissions in Debian
An upgrade on Debian unstable ("sid") a few days ago left me unable to ping.
When I tried, I got
ping: socket: Operation not permitted
with an additional reason of
missing cap_net_raw+p capability or setuid?
Ping worked fine as root, so it was a permission problem.
After some discussion on IRC with several helpful people in #debian-next, I learned two ways of enabling it (but read to the end before doing either of these, since there's a better way).
Change the sysctl permission
To enable ping for a range of users:
sudo sysctl net.ipv4.ping_group_range='0 4294967295'
If you only want to enable it for your own user, you could give it
a range of '1001 1001' or whatever your user ID is.
You can make that permanent by adding a file in /etc/sysctl.d/99-allow-ping.conf. But don't do that, see below.
Set capabilities on the ping executable
I wasn't previously aware of setcap, but you can use it to set a capability on an executable file, so anyone running it gets that capability. First, check whether there are any caps there to begin with:
getcap /usr/bin/ping
Then set the capability:
sudo setcap cap_net_raw+p /usr/bin/ping
Setcap is an interesting utility. The man page doesn't have much detail, in particular about what capabilities there are and why you'd want to specify them at the file level. man 7 capabilities has a lot more detail on each of the capabilities. Capabilities look like a nice way of getting more granular permissions than you can get via the usual Unix chmod and group mechanisms. I found more discussion in Linux Capabilities: Setting and Modifying Permissions, in this Stack Exchange discussion, and of course on the Arch Wiki: Capabilities.
The Real Answer
It turns out the real answer is to install a relatively new package, linux-sysctl-defaults. It's a recommended package, but I have recommends and suggests disabled in /etc/apt/apt.conf (yes, yes, I know that makes me a terrible and obstinate person who deserves whatever happens to me).
Anyway, linux-sysctl-defaults installs a file, /usr/lib/sysctl.d/50-default.conf, that includes the ping line:
-net.ipv4.ping_group_range = 0 2147483647
so it's basically the same as the first solution given above.
However, after installing it, you must reboot before you'll be able to use ping. So install linux-sysctl-defaults, but if you want to use ping right away and rebooting is inconvenient, use the sudo sysctl command given above.
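To see which of the mechanisms above is actually in effect on a machine, the sysctl range, the file capability and the setuid bit hinted at by the error message can be checked together. This is an added example, not part of the original post; the function names are made up for illustration, and it relies on the fact that the kernel matches ping_group_range against the process's group IDs.

```shell
#!/bin/sh
# Added example: which mechanism, if any, lets a non-root user run ping?

# in_ping_range "LOW HIGH" GID... : succeed if any GID lies in LOW..HIGH.
# The kernel default "1 0" is an empty range, so no group matches it.
in_ping_range() {
    ipr_range=$1; shift
    ipr_low=${ipr_range%%[!0-9]*}     # first number in the string
    ipr_high=${ipr_range##*[!0-9]}    # last number in the string
    [ -n "$ipr_low" ] && [ -n "$ipr_high" ] || return 2
    for ipr_gid in "$@"; do
        if [ "$ipr_gid" -ge "$ipr_low" ] && [ "$ipr_gid" -le "$ipr_high" ]; then
            return 0
        fi
    done
    return 1
}

# ping_mechanisms RANGE BINARY GID... : print the mechanisms that apply.
ping_mechanisms() {
    pm_range=$1; pm_bin=$2; shift 2
    pm_found=""
    if in_ping_range "$pm_range" "$@"; then
        pm_found="$pm_found sysctl"
    fi
    # File capability, as set with setcap (getcap may not be installed).
    if command -v getcap >/dev/null 2>&1 &&
       getcap "$pm_bin" 2>/dev/null | grep -q cap_net_raw; then
        pm_found="$pm_found filecap"
    fi
    # Setuid bit, the other option the error message hints at.
    if [ -u "$pm_bin" ]; then
        pm_found="$pm_found setuid"
    fi
    pm_found=${pm_found# }
    echo "${pm_found:-none}"
}

# Check the live system, using the paths named in the post.
live_range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null || echo "1 0")
ping_mechanisms "$live_range" /usr/bin/ping $(id -G)
```

An output of "none" corresponds to the "Operation not permitted" state; more than one name means the fixes overlap and the broader one can be dropped.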
[ 12:37 Oct 21, 2024 ]