Permissions to Ping over an interface

Solution 1

Since ping needs to write raw packets, it needs root access. Normally ping would have the setuid bit set in order to accomplish this. If you check the permission of ping with, for example: stat -c %a $(which ping). Most systems would return 4775. The leading 4 is the setuid bit, which says that when running this program it runs under the uid of the user owning the file. If this is instead returning 755. You could add the setuid bit by running chmod u+s $(which ping)

Solution 2

On Linux, the preferred way is to give ping (or other such things) special capabilities. This avoids the pitfalls of executing with root permissions via a setuid bit (read below).

setcap cap_net_raw+ep /bin/ping

From the Archlinux Wiki:

Capabilities (POSIX 1003.1e, capabilities(7)) provide fine-grained control over superuser permissions, allowing use of the root user to be avoided. Software developers are encouraged to replace uses of the powerful setuid attribute in a system binary with a more minimal set of capabilities. Many packages make use of capabilities, such as CAP_NET_RAW being used for the ping binary provided by iputils. This enables e.g. ping to be run by a normal user (as with the setuid method), while at the same time limiting the security consequences of a potential vulnerability in ping.

Related videos on Youtube

00 : 50

Cisco ASA version 9 How to allow pinging on an interface with one command

Robert McMillen

11

01 : 12

firewall training for beginners - How to Ping from a different interface ?

Forti Tip

9

13 : 19

Ping VLAN interface network on Windows | Access VLAN Network

TECH TROUBLESHOOT

3

05 : 39

Deny ping (ICMP ECHO) using access list in one direction in GNS3

ANKIT TRIPATHI

1

01 : 56

DevOps & SysAdmins: Permissions to Ping over an interface (2 Solutions!!)

Roel Van de Paar

0

Author by

dw.emplod

Updated on September 18, 2022