Ubuntu – Why doesn’t Ubuntu use capabilities on ping

capabilitiespingsetuidUbuntu

After running,

$ ls -l /bin/ping
-rwsr-xr-x 1 root root 34740 Nov  5  2012 /bin/ping

I wonder, why doesn't Ubuntu use capabilities (i.e. raw sockets) rather than setuid?

Best Answer

It is considered a bug if a package has overly permissive capabilities, so these cases should be reported. However, they might have already fixed it according to https://bugs.launchpad.net/ubuntu/+source/iputils/+bug/534341

Related Solutions

Why doesn’t “ping -l” works when ping works

ping AddressIp -l 1400 
ping: cannot set preload to value > 3

You need superuser rights to access this feature of ping with a value more than 3.

Try:

sudo ping AddressIp -l 1400

UPDATE:

Do you want a "size" option for your ping packets? I guess, in Windows option -l means "size of the packet", but in Linux there is another option for that.

Try -s option:

sudo ping  AddressIp  -s 1000 -l 1400

DE BENE ESSE

In Linux ping is going until you stop it, so you don't need the Windows -t option.

Capabilities – Use Capsh to Run Unprivileged Ping with Minimal Capabilities

Capabilities are properties of processes. Traditionally there are three sets:

Permitted capabilities (p): capabilities that may be "activated" in the current process.
Effective capabilities (e): capabilities that are currently usable in the current process.
Inheritable capabilities (i): file capabilities that may be inherited.

Programs run as root always have full permitted and effective capabilities, so "adding" more capabilities has no noticeable effect. (The inheritable capabilities set is normally empty.) With setcap cap_net_raw+ep ping you enable these capabilities by default for any user running this program.

Unfortunately these capabilities are bound to the executed file and are not retained after executing a new child process. Linux 4.3 introduced Ambient capabilities which allows capabilities to be inherited by child processes. (See also Transformation of capabilities during execve() in capabilities(7).)

While playing with capabilities, note these pitfalls:

When changing the user from root to non-root, the effective and permitted capabilities are cleared (see Effect of user ID changes on capabilities in capabilities(7)). You can use the --keep=1 option of capsh to avoid clearing the sets.
The ambient capabilities set is cleared when changing the user or group IDs. Solution: add the ambient capabilities after changing the user ID, but before executing a child process.
A capability can only be added to the ambient capabilities set if it is already in both the permitted and inheritable capabilities set.

Since libcap 2.26, the capsh program gained the ability to modify ambient capabilities via options such as --addamb (commit). Note that the options order is significant. Example usage:

sudo capsh --caps="cap_net_raw+eip cap_setpcap,cap_setuid,cap_setgid+ep" \
    --keep=1 --user=nobody --addamb=cap_net_raw -- \
    -c "./ping -c1 127.0.0.1"

Tip: you can add the --print option anywhere in the capsh command line and see its current capabilities state.

Note: cap_setpcap is needed for --addamb while cap_setuid,cap_setgid are needed for the --user option.

Best Answer

Related Solutions

Why doesn’t “ping -l” works when ping works

Capabilities – Use Capsh to Run Unprivileged Ping with Minimal Capabilities

Related Question