When listing the directory /usr/bin, one sees that ping is shown as yellow-on-red:
The file has no special features:
$ file /usr/bin/ping
/usr/bin/ping: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for
GNU/Linux 2.6.32, BuildID[sha1]=2508ea2a85b70c68967b3e6345541430f5317d5f,
stripped
$ stat /usr/bin/ping
File: '/usr/bin/ping'
Size: 62096 Blocks: 136 IO Block: 4096 regular file
Device: 802h/2050d Inode: 4457229 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:ping_exec_t:s0
Access: 2016-11-01 10:02:57.332925719 +0100
Modify: 2016-06-22 14:01:14.000000000 +0200
Change: 2016-07-10 23:41:59.623796126 +0200
Birth: -
According to What do the different colors mean in the terminal?, where we can find a script to list color interpretations, "yellow-on-red" means "ca":
What does "ca" mean? Maybe it means that this file is hardlinked from elsewhere (/usr/bin/ping and /usr/ping are the same file)?
P.S. The question occurred while watching Explaining Dirty COW, where the ping command on Ubuntu is shown as setuid root, which sounds weird:
Best Answer
This indicates that ping has extra capabilities:
or even (on Fedora up to 30):
This allows ping to open a raw socket (and send and receive ICMP packets) without running as root. setcap(8) and capabilities(7) give more details.
Historically, ping was installed setuid so that it would run as root and be able to use raw sockets; once capabilities became usable, many distributions switched to using those instead, since the finer-grained control they offer over permissions seems preferable. In Ubuntu though, there are issues apparently with the installer, so ping is still installed setuid root (the capabilities code is disabled in the relevant maintainer script, which comes from Debian, where ping is configured using capabilities if possible).
The ping manpage describes its requirements thus:
Kernels 2.6.39 and later provide another mechanism to allow programs to send and receive ICMP echo messages: net.ipv4.ping_group_range. This is used in Fedora 31 and later to allow ping to work without extra capabilities (notably, inside rootless containers); see How does ping work on Fedora without setuid and capabilities? for details.
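As an added illustration of the three mechanisms the answer above contrasts (setuid root, file capabilities, and net.ipv4.ping_group_range), here is a small Python script that is not part of the original question or answer. The "ca" colour comes from the security.capability extended attribute on the file, so the script decodes that attribute directly (the struct vfs_cap_data layout from <linux/capability.h>) instead of shelling out to getcap, renders it the way getcap would, checks the setuid bit, and parses the ping_group_range sysctl. The two sample attribute values are constructed by hand to match what setcap cap_net_raw+ep and setcap cap_net_admin,cap_net_raw+p write in the revision-2 layout; the function and constant names are my own.

```python
"""Decode the security.capability xattr that makes ls colour a file "ca" (added example)."""
import os
import stat
import struct

# Capability numbers from <linux/capability.h>; tuple index == cap number.
CAP_NAMES = (
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
)

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001     # "raise all permitted caps at exec"
VFS_CAP_REVISION_1 = 0x01000000        # one 32-bit word per set
VFS_CAP_REVISION_2 = 0x02000000        # two words (64 capability bits)
VFS_CAP_REVISION_3 = 0x03000000        # v2 plus a root uid (user namespaces)

# Constructed samples (hand-assembled, little-endian struct vfs_cap_data v2):
#   magic_etc=0x02000001, permitted[0]=1<<13 (cap_net_raw)      -> cap_net_raw=ep
SAMPLE_NET_RAW_EP = bytes.fromhex("01000002" "00200000" "00000000" "00000000" "00000000")
#   magic_etc=0x02000000, permitted[0]=(1<<12)|(1<<13)          -> cap_net_admin,cap_net_raw=p
SAMPLE_NET_ADMIN_RAW_P = bytes.fromhex("00000002" "00300000" "00000000" "00000000" "00000000")


def cap_name(n):
    return CAP_NAMES[n] if n < len(CAP_NAMES) else "cap_%d" % n


def _cap_number(name):
    return CAP_NAMES.index(name) if name in CAP_NAMES else int(name[4:])


def _bits_to_names(words):
    return [cap_name(i * 32 + bit)
            for i, word in enumerate(words) for bit in range(32) if word & (1 << bit)]


def decode_vfs_cap(blob):
    """Parse a raw security.capability value into permitted/inheritable/effective lists.

    Layout: __le32 magic_etc, then (permitted, inheritable) __le32 pairs;
    revision 3 appends a __le32 rootid.  Effective is a single flag in
    magic_etc: when set, every permitted capability is also effective.
    """
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_1:
        npairs = 1
    elif revision in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        npairs = 2
    else:
        raise ValueError("unknown vfs_cap_data revision 0x%08x" % revision)
    expected = 4 + 8 * npairs + (4 if revision == VFS_CAP_REVISION_3 else 0)
    if len(blob) != expected:
        raise ValueError("bad length %d for revision 0x%08x" % (len(blob), revision))
    pairs = [struct.unpack_from("<II", blob, 4 + 8 * i) for i in range(npairs)]
    permitted = _bits_to_names([p for p, _ in pairs])
    inheritable = _bits_to_names([i for _, i in pairs])
    effective = list(permitted) if magic_etc & VFS_CAP_FLAGS_EFFECTIVE else []
    rootid = struct.unpack_from("<I", blob, expected - 4)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {"permitted": permitted, "inheritable": inheritable,
            "effective": effective, "rootid": rootid}


def to_text(caps):
    """Render like getcap: capabilities grouped by their e/i/p letters."""
    letters = {}
    for letter, key in (("e", "effective"), ("i", "inheritable"), ("p", "permitted")):
        for name in caps[key]:
            letters[name] = letters.get(name, "") + letter
    groups = {}
    for name, flags in letters.items():
        groups.setdefault(flags, []).append(name)
    return " ".join(",".join(sorted(names, key=_cap_number)) + "=" + flags
                    for flags, names in sorted(groups.items()))


def classify(path):
    """How does this binary get raw-socket rights: setuid root, file caps, or neither?"""
    st = os.stat(path)
    if st.st_mode & stat.S_ISUID and st.st_uid == 0:
        return "setuid root"
    try:
        blob = os.getxattr(path, "security.capability")   # Linux only
    except OSError:   # ENODATA: no xattr set; ENOTSUP: filesystem has no xattrs
        return "no special rights"
    return "file capabilities: " + to_text(decode_vfs_cap(blob))


def ping_group_range_allows(gid, range_text):
    """net.ipv4.ping_group_range is "lo<TAB>hi"; the kernel default "1 0" is
    an empty range, i.e. unprivileged ICMP sockets are disabled."""
    lo, hi = (int(x) for x in range_text.split())
    return lo <= gid <= hi


def ping_group_range_allows_me():
    """The kernel accepts the socket if the egid or any supplementary gid is in range."""
    with open("/proc/sys/net/ipv4/ping_group_range") as f:
        text = f.read()
    return any(ping_group_range_allows(g, text) for g in [os.getegid()] + os.getgroups())


if __name__ == "__main__":
    for p in ("/usr/bin/ping", "/bin/ping"):
        if os.path.exists(p):
            print(p, "->", classify(p))
    print("ping_group_range covers one of my groups:", ping_group_range_allows_me())
```

Run it on an Ubuntu box and classify() reports "setuid root"; on a Fedora 31+ box it typically reports "no special rights" while ping_group_range_allows_me() returns True, which is exactly the third mechanism the answer mentions.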