Fix Ping Permissions in Debian (Shallow Thoughts)

Akkana's Musings on Open Source Computing and Technology, Science, and Nature.

Mon, 21 Oct 2024

Fix Ping Permissions in Debian

An upgrade on Debian unstable ("sid") a few days ago left me unable to ping. When I tried, I got "ping: socket: Operation not permitted" with an additional reason of "missing cap_net_raw+p capability or setuid?"

Ping worked fine as root, so it was a permission problem.

After some discussion on IRC with several helpful people in #debian-next, I learned two ways of enabling it (but read to the end before doing either of these, since there's a better way).

Change the sysctl permission

To enable ping for a range of users:

sudo sysctl net.ipv4.ping_group_range='0 4294967295'

If you only want to enable it for your own user, you could give it a range of '1001 1001' or whatever your user ID is.

You can make that permanent by adding a file, /etc/sysctl.d/99-allow-ping.conf, containing that setting. But don't do that; see below.

Set capabilities on the ping executable

I wasn't previously aware of setcap, but you can use it to set a capability on an executable file, so anyone running it gets that capability. First, check whether there are any caps there to begin with:

getcap /usr/bin/ping

Then set the capability:

sudo setcap cap_net_raw+p /usr/bin/ping

Setcap is an interesting utility. The man page doesn't have much detail, in particular about what capabilities there are and why you'd want to specify them at the file level. man 7 capabilities has a lot more detail on each of the capabilities. Capabilities look like a nice way of getting more granular permissions than you can get via the usual Unix chmod and group mechanisms. I found more discussion in "Linux Capabilities: Setting and Modifying Permissions", in this Stack Exchange discussion, and of course on the Arch Wiki: Capabilities.

The Real Answer

It turns out the real answer is to install a relatively new package, linux-sysctl-defaults. It's a recommended package, but I have recommends and suggests disabled in /etc/apt/apt.conf (yes, yes, I know that makes me a terrible and obstinate person who deserves whatever happens to me).

Anyway, linux-sysctl-defaults installs a file, /usr/lib/sysctl.d/50-default.conf, that includes the ping line:

-net.ipv4.ping_group_range = 0 2147483647

so it's basically the same as the first solution given above.

However, after installing it, you must reboot before you'll be able to use ping. So install linux-sysctl-defaults, but if you want to use ping right away and rebooting is inconvenient, use the sudo sysctl command given above.
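To see which of the three mechanisms discussed above is actually in effect on a machine, here is a small diagnostic script. It is an added example, not part of the original post; the function names are made up for illustration. It relies on the kernel's documented behaviour that ping_group_range is compared against the calling process's group IDs (primary and supplementary), and that the kernel default of "1 0" is an empty range.

```shell
#!/bin/sh
# Added example: report what could let the current user run ping.

# gid_in_ping_range "LOW HIGH" GID...
# Succeeds if any GID lies within LOW..HIGH (inclusive). The kernel
# default "1 0" is an empty range, so nothing matches it.
gid_in_ping_range() {
    _range=$1; shift
    set -- $_range "$@"          # split on whitespace: LOW HIGH GID...
    _low=$1; _high=$2; shift 2
    for _gid in "$@"; do
        if [ "$_gid" -ge "$_low" ] && [ "$_gid" -le "$_high" ]; then
            return 0
        fi
    done
    return 1
}

check_ping_access() {
    ping_bin=$(command -v ping) || { echo "ping not found in PATH"; return 0; }
    echo "ping binary: $ping_bin"

    # 1. The sysctl: unprivileged ICMP sockets for groups in the range.
    range_file=/proc/sys/net/ipv4/ping_group_range
    if [ -r "$range_file" ]; then
        range=$(cat "$range_file")
        if gid_in_ping_range "$range" $(id -G); then
            echo "sysctl: range ($range) covers one of your groups"
        else
            echo "sysctl: range ($range) covers none of your groups"
        fi
    fi

    # 2. File capabilities (getcap may live in /usr/sbin, outside PATH).
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$ping_bin" 2>/dev/null || true)
        echo "file capabilities: ${caps:-none}"
    fi

    # 3. The legacy mechanism named in the error message: setuid root.
    if [ -u "$ping_bin" ]; then echo "setuid: set"; else echo "setuid: not set"; fi
}

check_ping_access
```

If the sysctl line says the range covers none of your groups and both other checks come back empty, you are in the state that produces the "Operation not permitted" error described at the top.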
