I'm trying to figure out how arping works, so I run it with strace and I get:
socket(PF_PACKET, SOCK_DGRAM, 0) = -1 EPERM (Operation not permitted)
If I run it without strace, it works and an ARP packet gets sent. How is this possible? How does it manage to do something that my user isn't privileged to do? It doesn't have the setuid bit set either:
ls -lrtah `which arping`
-rwxr-xr-x 1 root root 19K Mai 7 2014 /usr/bin/arping
More interestingly, if I just copy the executable to home and run it, I get the same error:
~/tmp$ sudo cp /usr/bin/arping .
~/tmp$ ./arping -I enp2s0f0 192.168.2.1
arping: socket: Operation not permitted
while running original one works:
~/tmp$ arping -I enp2s0f0 192.168.2.1
ARPING 192.168.2.1 from 1.2.3.4 enp2s0f0
arping requires the CAP_NET_RAW privilege (aka capability) in order to be able to send the low-level packets it uses. (Other Unix versions [or older Linux versions] may have the program installed as SetUID-to-root instead.) Observe:
$ getcap /usr/bin/arping
/usr/bin/arping = cap_net_raw+ep
Allowing privileged executables to be straced (or traced/debugged at all via ptrace(2)) is a potential security issue so when an executable is being traced, the kernel strips any capabilities or Set-UID during its execution unless the tracing process is already privileged. In other words, you can get around this with sudo strace arping ... (if you are so authorized).
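
The behaviour described in the answer above can be observed from inside a process by reading the CapPrm, CapEff and TracerPid fields of /proc/self/status. The following is an added example, not part of the original posts; the function names and the two sample status texts are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CAP_NET_RAW_BIT 13            /* CAP_NET_RAW in <linux/capability.h> */

struct cap_state {
    unsigned long long permitted, effective;  /* CapPrm / CapEff bitmasks */
    long tracer_pid;                          /* 0 means "not being traced" */
};

/* Return a pointer to the value of "key:" if it starts a line, else NULL. */
static const char *field(const char *text, const char *key)
{
    size_t n = strlen(key);
    while (text && *text) {
        if (strncmp(text, key, n) == 0 && text[n] == ':')
            return text + n + 1;
        text = strchr(text, '\n');
        if (text) text++;
    }
    return NULL;
}

/* Parse the three fields out of /proc/<pid>/status text; -1 if any is missing. */
int parse_status(const char *text, struct cap_state *out)
{
    const char *prm = field(text, "CapPrm"), *eff = field(text, "CapEff");
    const char *trc = field(text, "TracerPid");
    if (!prm || !eff || !trc) return -1;
    out->permitted  = strtoull(prm, NULL, 16);   /* masks are printed in hex */
    out->effective  = strtoull(eff, NULL, 16);
    out->tracer_pid = strtol(trc, NULL, 10);
    return 0;
}

int has_net_raw(const struct cap_state *s) { return (int)((s->effective >> CAP_NET_RAW_BIT) & 1); }

/* Constructed samples: a cap_net_raw+ep binary run directly, then under an unprivileged tracer. */
const char SAMPLE_UNTRACED[] = "Name:\tarping\nTracerPid:\t0\nCapPrm:\t0000000000002000\nCapEff:\t0000000000002000\n";
const char SAMPLE_TRACED[]   = "Name:\tarping\nTracerPid:\t4242\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n";

int main(void)
{
    char buf[8192] = {0};
    struct cap_state s;
    FILE *f = fopen("/proc/self/status", "r");
    size_t got = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    if (got == 0 || parse_status(buf, &s) != 0) return 1;
    printf("TracerPid=%ld CapEff=%016llx CAP_NET_RAW=%s\n", s.tracer_pid, s.effective, has_net_raw(&s) ? "yes" : "no");
    return 0;
}
```

Run as an ordinary user without any file capability, this prints CAP_NET_RAW=no; a compiled copy carrying the same file capability that getcap shows for arping would report yes when run directly.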