ping not working in a chroot
Solution 1
Under Linux, ping needs to run as root (because it needs to bind a raw IP socket; ordinary users can only do UDP and TCP). It's designed to be setuid root. It looks like your copy in the chroot isn't setuid root. Fix the permissions:
chown root:root /bin/ping; chmod u+srwx,go=rx /bin/ping
Note that there may be other commands in the chroot that need to be setuid (or setgid), in particular su and sudo.
Note that this answer assumes a chroot, not something with more restrictions like a jail.
Solution 2
As has been pointed out, ping needs the permission to bind a raw IP socket. Traditionally setuid has been used to allow normal users to use it. However, using capabilities (POSIX 1003.1e, capabilities(7)), a minimal set of capabilities can be selectively enabled, limiting the security consequences of potential vulnerabilities.
ping needs the capability CAP_NET_RAW. Suppose that the path to the binary is /usr/bin/ping, the capability can be set using the tool setcap:
setcap cap_net_raw+ep /usr/bin/ping
Use getcap to check the result:
getcap /usr/bin/ping
The output should be something like
/usr/bin/ping = cap_net_raw+ep
and ping should work now.
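A read-only check for the two approaches in the answers above (added example, not part of either answer): it reports whether ping inside a chroot is setuid or carries cap_net_raw, and lists every setuid/setgid file there. The function names are assumptions made for this example; the chroot directory is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the answers): audit privileged binaries in a chroot.
# The chroot path is supplied by the caller; nothing here changes permissions.

# priv_mode FILE -> setuid-root | setuid-nonroot | cap_net_raw | none | missing
priv_mode() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    if [ -u "$f" ]; then
        # The setuid bit only grants root when the file is owned by uid 0.
        owner=$(ls -ldn "$f" | awk '{print $3}')
        if [ "$owner" = "0" ]; then echo setuid-root; else echo setuid-nonroot; fi
        return 0
    fi
    # getcap ships with libcap; without it, capabilities cannot be checked here.
    if command -v getcap >/dev/null 2>&1 &&
       getcap "$f" 2>/dev/null | grep -q 'cap_net_raw'; then
        echo cap_net_raw
        return 0
    fi
    echo none
}

# list_setuid DIR -> one path per line for every setuid or setgid regular file
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# audit_chroot DIR -> report for ping plus the full setuid/setgid inventory
audit_chroot() {
    root=${1%/}
    for p in /bin/ping /usr/bin/ping; do
        echo "$root$p: $(priv_mode "$root$p")"
    done
    echo "setuid/setgid files under $1:"
    list_setuid "$1"
}

# Run the audit only when a chroot directory is given on the command line.
[ $# -eq 0 ] || audit_chroot "$1"
```

A result of none for ping matches the "Operation not permitted" symptom in the question; any unexpected entry in the setuid/setgid list is worth reviewing before the chroot is handed to users.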
kamal
Updated on September 18, 2022
Comments
- kamal almost 2 years
How can I use the ping command in a chroot environment?
$ ping 8.8.8.8
ping: icmp open socket: Operation not permitted
Currently I am using CentOS, but ideally there must be a solution that works in all chrooted environments.
- Gilles 'SO- stop being evil' about 13 years
What happens when you try?
- umeboshi over 7 years
This should be the accepted answer. Thank you for helping me!
- geerlingguy over 6 years
Or as an octal, chmod 4755 /bin/ping.
- user_dev almost 4 years
This does not work in a chroot environment as the user will not have the root permission.