“/usr/bin/ping” is shown as yellow-on-red in the default Fedora bash color scheme — what does it mean

Tags: colors, ls, ping

When listing the directory /usr/bin, one sees that ping is shown as yellow-on-red:

ping shown yellow-on-red

The file has no special features:

$ file /usr/bin/ping
/usr/bin/ping: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for
GNU/Linux 2.6.32, BuildID[sha1]=2508ea2a85b70c68967b3e6345541430f5317d5f,
stripped

$ stat /usr/bin/ping
   File: '/usr/bin/ping'
   Size: 62096           Blocks: 136        IO Block: 4096   regular file
Device: 802h/2050d      Inode: 4457229     Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:ping_exec_t:s0
Access: 2016-11-01 10:02:57.332925719 +0100
Modify: 2016-06-22 14:01:14.000000000 +0200
Change: 2016-07-10 23:41:59.623796126 +0200
Birth: -

According to What do the different colors mean in the terminal?, where we can find a script to list color interpretations, "yellow-on-red" means "ca":

Colors seen in Fedora default bash coloring scheme

What does "ca" mean? Maybe it means that this file is hardlinked from elsewhere (/usr/bin/ping and /usr/ping are the same file).

P.S. The question occurred while watching Explaining Dirty COW, where the ping command on Ubuntu is shown as setuid root, which sounds weird:

setuid root ping

Best Answer

This indicates that ping has extra capabilities:

$ getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep

or even (on Fedora up to 30):

$ getcap /usr/bin/ping
/usr/bin/ping = cap_net_admin,cap_net_raw+ep

This allows ping to open a raw socket (and send and receive ICMP packets) without running as root. setcap(8) and capabilities(7) give more details.

Historically, ping was installed setuid so that it would run as root and be able to use raw sockets; once capabilities became usable, many distributions switched to using those instead, since the finer-grained control they offer over permissions seems preferable. In Ubuntu though, there are issues apparently with the installer, so ping is still installed setuid root (the capabilities code is disabled in the relevant maintainer script, which comes from Debian where ping is configured using capabilities if possible).

The ping manpage describes its requirements thus:

ping requires CAP_NET_RAW capability to be executed 1) if the program is used for non-echo queries (See -N option), or 2) if kernel does not support non-raw ICMP sockets, or 3) if the user is not allowed to create an ICMP echo socket. The program may be used as set-uid root.

Kernels 2.6.39 and later provide another mechanism to allow programs to send and receive ICMP echo messages: net.ipv4.ping_group_range. This is used in Fedora 31 and later to allow ping to work without extra capabilities (notably, inside rootless containers); see How does ping work on Fedora without setuid and capabilities? for details.
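The three mechanisms the answer describes (setuid root, file capabilities such as `cap_net_raw+ep`, and `net.ipv4.ping_group_range`) can all be checked from a script. The following is an added example, not code from the question, the answer or any of the projects mentioned: it decodes the `security.capability` extended attribute in which the kernel stores file capabilities (`struct vfs_cap_data`, little-endian, revisions 1 to 3), renders the result in a getcap-like form, picks the dircolors key (`su`, `sg`, `ca`, `ex`) that coreutils `ls` would use for the file, and tests a group id against a `ping_group_range` value. The function names, the constructed sample xattr blobs and the simplified `cap_text` rendering are assumptions made for this example; the capability numbers come from `<linux/capability.h>`.

```python
"""Audit why a binary such as ping may send ICMP without running as root.

Added example (not from the original question or answer). Function names,
the constructed sample blobs and the simplified cap_text rendering are
assumptions made for this example.
"""
import os
import stat
import struct

# Capability bit numbers as defined in <linux/capability.h>.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001


def _names(mask):
    return [("cap_" + CAP_NAMES[i]) if i < len(CAP_NAMES) else "cap_%d" % i
            for i in range(64) if mask >> i & 1]


def decode_vfs_cap(blob):
    """Decode a security.capability xattr (struct vfs_cap_data)."""
    magic_etc = struct.unpack_from("<I", blob, 0)[0]
    revision = (magic_etc & VFS_CAP_REVISION_MASK) >> 24
    words = {1: 1, 2: 2, 3: 2}.get(revision)   # v1: 32 bits, v2/v3: 64 bits
    if words is None:
        raise ValueError("unknown vfs_cap_data revision %d" % revision)
    permitted = inheritable = 0
    off = 4
    for i in range(words):
        p, inh = struct.unpack_from("<II", blob, off)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
        off += 8
    return {
        "revision": revision,
        # The effective flag applies to the whole permitted set.
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _names(permitted),
        "inheritable": _names(inheritable),
        # v3 adds the root uid of the user namespace that set the caps.
        "rootid": struct.unpack_from("<I", blob, off)[0] if revision == 3 else None,
    }


def cap_text(caps):
    """Render decoded caps as 'cap_a,cap_b+ep' (simplified, not libcap's algorithm)."""
    names = caps["permitted"] + [c for c in caps["inheritable"] if c not in caps["permitted"]]
    names.sort(key=lambda n: CAP_NAMES.index(n[4:]) if n[4:] in CAP_NAMES else int(n[4:]))
    groups = {}
    for n in names:
        flags = ("e" if caps["effective"] and n in caps["permitted"] else "") \
            + ("i" if n in caps["inheritable"] else "") \
            + ("p" if n in caps["permitted"] else "")
        groups.setdefault(flags, []).append(n)
    return " ".join(",".join(v) + "+" + k for k, v in groups.items())


def dircolors_key(mode, has_caps):
    """dircolors key coreutils ls uses for a regular file: su before sg before ca before ex."""
    if mode & stat.S_ISUID:
        return "su"
    if mode & stat.S_ISGID:
        return "sg"
    if has_caps:
        return "ca"
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return "ex"
    return None


def gid_in_ping_group_range(value, gid):
    """net.ipv4.ping_group_range is 'low high'; the kernel default '1 0' allows no group."""
    low, high = (int(x) for x in value.split())
    return low <= gid <= high


def audit(path):
    """Report setuid, file capabilities and the ls colour key for one file (Linux)."""
    st = os.lstat(path)
    try:
        caps = decode_vfs_cap(os.getxattr(path, "security.capability"))
    except (OSError, AttributeError):
        caps = None
    return {"setuid": bool(st.st_mode & stat.S_ISUID),
            "caps": cap_text(caps) if caps else "",
            "ls_key": dircolors_key(st.st_mode, caps is not None)}


# Constructed samples of what the kernel stores (revision 2, effective flag set).
SAMPLE_NET_RAW_EP = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)
SAMPLE_ADMIN_RAW_EP = struct.pack("<IIIII", 0x02000001, (1 << 12) | (1 << 13), 0, 0, 0)

if __name__ == "__main__":
    print(audit("/usr/bin/ping"))
    with open("/proc/sys/net/ipv4/ping_group_range") as f:
        print("ping_group_range covers my gid:", gid_in_ping_group_range(f.read(), os.getgid()))
```

Run on a Fedora 30 ping the audit should report `caps` as `cap_net_admin,cap_net_raw+ep` and `ls_key` as `ca`, which is the entry the yellow-on-red colour is attached to; on an Ubuntu ping it reports `setuid` true and `ls_key` `su`; on Fedora 31 and later both are empty and the `ping_group_range` line explains why ping still works.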
