Bug #2910

[OpenRC] ping does not work when run as unprivileged user

bandali - 3 months ago. Updated about 2 months ago.

Status: fixed
Priority: bug
Assignee:
% Done: 0%


Description

When running ping as a non-root user on OpenRC, it simply errors out:

ping: socket: Operation not permitted

However, ping works fine when run as root (e.g. using sudo ping).

On a systemd setup, ping works just fine when run as both root and non-root.

History

#1

Updated by bill-auger 3 months ago

  • Status changed from unconfirmed to confirmed

#2

Updated by infinite_recursion 3 months ago

Same here.

#3

Updated by bill-auger 3 months ago

  • Assignee set to Megver83

#4

Updated by reg 2 months ago

Same here, my workaround is to add the setuid flag to the ping binary:
$ sudo chmod u+s /usr/bin/ping

#5

Updated by oaken-source about 2 months ago

giving setuid to /usr/bin/ping is a bit outdated, usually, you'd give it the cap_net_raw capability instead (see `man 7 capabilities`)

illustrated by the following on a systemd system:

$ getcap /usr/bin/ping
/usr/bin/ping cap_net_raw=ep

this capability is simply missing on openrc systems.

#6

Updated by oaken-source about 2 months ago

this is the related upstream issue:
https://bugs.archlinux.org/task/63710

apparently, there was a change to systemd that makes the cap_net_raw capability no longer necessary on systemd. on openrc, of course, it still is very much necessary.

this means we need a nonsystemd/openrc build, or add a news item in the form of 'manual action required on update'

#7

Updated by oaken-source about 2 months ago

for completeness: the command to restore the capability on an openrc system is:

setcap cap_net_raw=ep /usr/bin/ping

#8

Updated by oaken-source about 2 months ago

after gathering more info on this (thanks, elibrokeit), it seems that arch has stopped solving the permission issues inherent to ping's use of raw sockets with capabilities, and instead uses a file in /usr/lib/sysctl.d for this, which is provided by systemd.

our openrc provides this file as well (50-default.conf) but seems to be out of sync with the version installed by systemd. In particular, to get ping running correctly, the following line is needed:

-net.ipv4.ping_group_range = 0 2147483647

I would suggest we review the sysctl.d files installed by openrc and bring them up to date.
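
A check for which of the three mechanisms named in this thread (setuid bit, cap_net_raw file capability, net.ipv4.ping_group_range) is present on a host, as an added example that is not part of the original thread or of the openrc package. The function names and the `check` argument are made up for this illustration; `stat -c %A` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the bug thread): list the mechanisms that would
# let an unprivileged user run ping. Function names are hypothetical.

# ping_gid_allowed RANGE GID
# Succeeds when GID lies inside a net.ipv4.ping_group_range value such as
# "0 2147483647". The kernel default "1 0" is an empty range (nobody).
ping_gid_allowed() {
    set -- $1 "$2"                 # split "LOW HIGH" on spaces or tabs
    [ "$#" -eq 3 ] || return 2     # malformed range
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# ping_mechanisms MODE CAPS RANGE GID
#   MODE  symbolic mode as printed by `stat -c %A`, e.g. -rwsr-xr-x
#   CAPS  output of `getcap FILE`, empty when no capability is set
#   RANGE contents of /proc/sys/net/ipv4/ping_group_range
#   GID   one of the calling user's group ids
# Prints every mechanism found, space separated; fails when there is none.
ping_mechanisms() {
    found=""
    # A lowercase "s" in the owner-execute slot means setuid + executable.
    case $1 in ???s*) found="$found setuid" ;; esac
    # Matches both "cap_net_raw=ep" and "cap_net_raw+ep" spellings.
    case $2 in *cap_net_raw*) found="$found cap_net_raw" ;; esac
    if ping_gid_allowed "$3" "$4"; then
        found="$found ping_group_range"
    fi
    echo "${found# }"
    [ -n "$found" ]
}

# Live check: sh this-script check [/path/to/ping]
if [ "${1:-}" = check ]; then
    bin=${2:-/usr/bin/ping}
    ping_mechanisms "$(stat -c %A "$bin")" \
        "$(getcap "$bin" 2>/dev/null)" \
        "$(cat /proc/sys/net/ipv4/ping_group_range)" \
        "$(id -g)" || echo "no mechanism found: expect 'Operation not permitted'"
fi
```

A result that still lists setuid after the sysctl fix is in place means the workaround from comment #4 was never reverted; `chmod u-s /usr/bin/ping` removes it.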

#9

Updated by oaken-source about 2 months ago

  • Assignee changed from Megver83 to oaken-source
  • Status changed from confirmed to in progress

should be fixed with openrc-0.42.1-7

#10

Updated by oaken-source about 2 months ago

  • Status changed from in progress to fixed
