python non-privileged ICMP

python ping icmp
27,875

Solution 1

The ping program is installed setuid root. This allows any user to use the program, and still be able to open a raw socket.

After it opens the raw socket, it typically drops root privs.

You generally need a raw socket to do ICMP correctly, and raw sockets are usually restricted. So it's not really python's fault at all.

Regarding the bit about ICMP above, apparently many implementations don't really support those combinations of flags well. So it is likely that most implmentations just use the way they "know" works on most / all architectures.

Solution 2

Here's how /sbin/ping "somehow manages" (on most Unix-y systems):

$ ls -l /sbin/ping
-r-sr-xr-x  1 root  wheel  68448 Jan 26 10:00 /sbin/ping

See? It's owned by root and has that crucial s bit in the permission -- setuserid. So, no matter what user is running it, ping runs as root.

If you're using a BSD Kernel with the new "non-privileged ICMP sockets" it would be interesting to see what's needed to use that functionality to ping from Python (but that won't help any user that's on a less advanced kernel, of course).

Solution 3

I'm not sure if it is OK to post something in a question that seems it has already been answered a while ago.

I have been searching for the same implementation and found a way to do ICMP via Python with non-root privileges.

python-ping uses the same 'need-root' way to do a ping, but came across a bug report where a user suggested changing SOCK_RAW to SOCK_DGRAM when calling sock :

http://hg.io/delroth/python-ping/issue/1/icmp-without-root-privilege

The dev explains this will be a "WONT-FIX" situation because it is a UDP ping rather.

Since I really do not care if ICMP is going out via UDP, I went ahead and got the code and made the proposed changed.

I am now able to do a ping without calling subprocess or needing root!

Again, not sure if posting here after such a long time is OK, but thought this was a better thing!

Solution 4

Modern Linuxes ping uses libcap and asks libcap to do the work.This checks (capget/set funcitons) and manage permissions:

linux@jacax:~/WORK$ ldd /bin/ping  
    linux-gate.so.1 =>  (0xb77b6000)  
    libcap.so.2 => /lib/i386-linux-gnu/libcap.so.2 (0xb7796000)  
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75e7000)  
    /lib/ld-linux.so.2 (0xb77b7000)

Lets say you have a "myping" program:

linux@jacax:~/WORK$ getcap ./myping    
linux@jacax:~/WORK$   (-> nothing! )  
linux@jacax:~/WORK$ setcap cap_net_raw=ep ./myping  
unable to set CAP_SETFCAP effective capability: Operation not permitted  
linux@jacax:~/WORK$ sudo setcap cap_net_raw=ep ./myping

Now do: 

linux@jacax:~/WORK$ getcap ./myping  
./ping = cap_net_raw+ep

Now, your "myping" will work without root. That is, as long as myping is in fact a binary program. If it is a script, this capability has to be set on the script interpreter instead.

Solution 5

icmplib module helped me with ping without running whole django app as root: https://pypi.org/project/icmplib/

Share:
27,875
Markus
Author by

Markus

...

Updated on October 28, 2021

Comments

  • Markus
    Markus over 2 years

    While trying to figure out the best method to ping (ICMP) something from python, I came across these questions:

    The answers generally boil down to "use this third party module with root privileges" or "use the system's ping command and parse the output". Of the native methods, icmplib and M. Cowles and J. Diemer's ping.py explicitly mention the need for root privileges, as does the scapy manual.

    So from that front, natively sending ICMP pings without special privileges seems impossible. The system ping command does manage somehow, but its man page doesn't shed any light on how. The man page for icmp, on the other hand, seems to say it's possible: 

    Non-privileged ICMP
     ICMP sockets can be opened with the SOCK_DGRAM socket type without
     requiring root privileges. The synopsis is the following:

     socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)

     Datagram oriented ICMP sockets offer a subset of the functionality avail-
     able to raw ICMP sockets. Only IMCP request messages of the following
     types can be sent: ICMP_ECHO, ICMP_TSTAMP or ICMP_MASKREQ.

    So it would seem that, at least according to icmp, it's allowed. So why is it that all the python tools are unable to do this? Are the python tools too general and expect any work on privileged sockets to be privileged? Would it be possible to write a ping function in C that can ping without root privileges, and extend python with this? Has anyone done this? Have I just misunderstood the problem?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Troubleshooting "TypeError: ord() expected string of length 1, but int found"
Pinging servers in Python
What data is included in ICMP (ping) request?
How to ping a server/website with windows python?
How can I perform a ping or traceroute in python, accessing the output as it is produced?
How to ping using C sockets
Use ping through SOCKS server?
How is an ICMP packet constructed in python
Ping exit code and python
Linux Virtual machine can't ping Google, while Host can do it