As far as I know, ping needs to create a raw socket (which needs either root access or cap_net_raw capabilities).
From my understanding the trend these last years has been to remove setuid binaries and replace them with capabilities.
However when I look at the ping binary on my Fedora 32, it doesn't look to have any:
$ ls -la $(which ping)
-rwxr-xr-x. 1 root root 82960 May 18 10:26 /usr/bin/ping
$ sudo getcap -v $(which ping)
/usr/bin/ping
$
Does ping need to open a raw socket on Fedora? Or is there another way to give it the permission to open a raw socket?
Best Answer
I think https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange answers your question:
Cross-reference detail
The sysctl documentation writes,
An older code example demonstrates the use of this feature, and in particular shows that a socket is created with the IPPROTO_ICMP flag to identify that it will be used for raw ICMP
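
A way to check this on a given host, as an added example that is not part of the original answer or of the Fedora change page: it reads the net.ipv4.ping_group_range sysctl, tests whether the current process's groups fall inside it, and attempts the IPPROTO_ICMP datagram socket that needs neither setuid nor cap_net_raw. It assumes Linux with /proc mounted; the function names are hypothetical.

```python
import os
import socket

# Linux sysctl net.ipv4.ping_group_range as exposed through /proc.
PING_RANGE_PATH = "/proc/sys/net/ipv4/ping_group_range"


def parse_ping_group_range(text):
    """Parse the sysctl value 'low high' into a (low, high) tuple of ints."""
    fields = text.split()
    if len(fields) != 2:
        raise ValueError(f"expected two integers, got {text!r}")
    return int(fields[0]), int(fields[1])


def gids_allowed(gids, low, high):
    """True if any group ID lies in the inclusive range.

    A range with low > high (the kernel default is '1 0') matches no group,
    so no user, root included, can create ICMP datagram sockets.
    """
    return any(low <= gid <= high for gid in gids)


def try_icmp_datagram_socket():
    """Try to open an unprivileged ICMP socket; return None or the errno."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM,
                             socket.IPPROTO_ICMP)
    except OSError as exc:
        return exc.errno
    sock.close()
    return None


if __name__ == "__main__":
    with open(PING_RANGE_PATH) as handle:
        low, high = parse_ping_group_range(handle.read())
    # The kernel checks the effective GID and the supplementary groups.
    gids = {os.getegid(), *os.getgroups()}
    print(f"ping_group_range = {low}..{high}")
    print(f"process groups in range: {gids_allowed(gids, low, high)}")
    err = try_icmp_datagram_socket()
    print("ICMP datagram socket:", "ok" if err is None else os.strerror(err))
```
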