ping not working in a chroot

Solution 1

Under Linux, ping needs to run as root (because it needs to bind a raw IP socket; ordinary users can only do UDP and TCP). It's designed to be setuid root. It looks like your copy in the chroot isn't setuid root. Fix the permissions:

chown root:root /bin/ping; chmod u+srwx,go=rx /bin/ping

Note that there may be other commands in the chroot that need to be setuid (or setgid), in particular su and sudo.

Note that this answer assumes a chroot, not something with more restrictions like a jail.

Solution 2

As has been pointed out, ping needs the permission to bind a raw IP socket. Traditionally setuid has been used to allow normal users to use it. However, using capabilities (POSIX 1003.1e, capabilities(7)), a minimal set of capabilities can be selectively enabled, limiting the security consequences of potential vulnerabilities.

ping needs the capability CAP_NET_RAW. Supposing that the path to the binary is /usr/bin/ping, the capability can be set using the tool setcap:

setcap cap_net_raw+ep /usr/bin/ping

Use getcap to check the result:

getcap /usr/bin/ping

The output should be something like

/usr/bin/ping = cap_net_raw+ep

and ping should work now.
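
A way to check which of the two mechanisms above a chroot's ping actually relies on, as an added example that is not part of either answer. The function names and the output labels are made up for this sketch; the chroot path is passed as the first argument.

```shell
#!/bin/sh
# raw_socket_grant FILE
# Prints how FILE gets raw-socket privilege when an ordinary user runs it:
#   cap_net_raw     file capability present (Solution 2, the narrower grant)
#   setuid-root     setuid bit set and owner is uid 0 (Solution 1, full root)
#   setuid-nonroot  setuid bit set but the owner is not root, so it grants nothing
#   none            neither mechanism is configured
# Names and labels here are hypothetical, chosen for this example.
raw_socket_grant() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 2; }

    # getcap prints "path = cap_net_raw+ep" or "path cap_net_raw=ep" depending
    # on the libcap version, so match on the capability name only.
    # If getcap is not on PATH, this check is skipped.
    if command -v getcap >/dev/null 2>&1 &&
       getcap "$f" 2>/dev/null | grep -qi 'cap_net_raw'; then
        echo "cap_net_raw"
        return 0
    fi

    if [ -u "$f" ]; then
        # Numeric owner is the third field of "ls -ln".
        owner=$(ls -ldn -- "$f" | awk '{print $3}')
        if [ "$owner" = "0" ]; then echo "setuid-root"; else echo "setuid-nonroot"; fi
        return 0
    fi

    echo "none"
    return 0
}

# Report on the two ping locations mentioned in the answers, under a chroot root.
audit_chroot_ping() {
    root=${1%/}
    for p in /bin/ping /usr/bin/ping; do
        [ -e "$root$p" ] && printf '%s: %s\n' "$root$p" "$(raw_socket_grant "$root$p")"
    done
    return 0
}

# Stand-alone use: sh script.sh /path/to/chroot
if [ $# -gt 0 ]; then audit_chroot_ping "$1"; fi
```

Both the setuid bit and file capabilities are ignored when the filesystem holding the binary is mounted nosuid, so a result other than "none" with a still-failing ping points at the mount options.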

Author by

kamal

Updated on September 18, 2022

Comments

  • kamal
    kamal almost 2 years

    How can I use the ping command in a chroot environment?

    $ ping 8.8.8.8
    ping: icmp open socket: Operation not permitted
    

    Currently I am using CentOS, but ideally there must be a solution that works in all chrooted environments.

    • Gilles 'SO- stop being evil'
      Gilles 'SO- stop being evil' about 13 years
      What happens when you try?
  • umeboshi
    umeboshi over 7 years
    This should be the accepted answer. Thank you for helping me!
  • geerlingguy
    geerlingguy over 6 years
    Or as an octal, chmod 4755 /bin/ping.
  • user_dev
    user_dev almost 4 years
    This does not work in a chroot environment as the user will not have the root permission.