
Linux: Why am I able to use ping if neither SETUID nor Capabilities are set?


I thought that I'd grasped the basics of file permissions and capabilities. But now - what's that?

1. verify that there's no SETUID bit set:

$ ll /bin/ping
-rwxr-xr-x 1 root root 72776 Jan 31 00:11 /bin/ping*

2. verify that there're no capabilities set:

$ getcap /bin/ping
/bin/ping =

3. use ping

$ /bin/ping google.com
PING google.com(qro01s18-in-x0e.1e100.net (2607:f8b0:4012:80a::200e)) 56 data bytes
64 bytes from qro01s18-in-x0e.1e100.net (2607:f8b0:4012:80a::200e): icmp_seq=2 ttl=120 time=418 ms
64 bytes from qro01s18-in-x0e.1e100.net (2607:f8b0:4012:80a::200e): icmp_seq=3 ttl=120 time=102 ms

4. verify that a raw socket is opened:

$ strace -e socket ping google.com
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = 3
socket(AF_INET6, SOCK_DGRAM, IPPROTO_ICMPV6) = 4
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 5
socket(AF_NETLINK, **SOCK_RAW**|SOCK_CLOEXEC, NETLINK_ROUTE) = 5

>> So why the heck is /bin/ping allowed or capable of opening a SOCK_RAW without SETUID or cap_net_raw? NOTE: I'm of course not root trying that! I'm using Linux Mint Ulyana.


Solution

  • Creating (normal) ICMP packets does not require special permissions anymore. You can use

    socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = 3
    socket(AF_INET6, SOCK_DGRAM, IPPROTO_ICMPV6) = 4
    

    sockets (from your logs in 4).

    The SOCK_RAW marked by you in

    socket(AF_NETLINK, **SOCK_RAW**|SOCK_CLOEXEC, NETLINK_ROUTE) = 5
    

    is a NETLINK socket and is used to check whether IPv6 can be used (call "ping" with "-4" or "-6" to see the difference). These kinds of sockets do not require special permissions either.
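
An added example, not part of the original answer: on Linux, unprivileged ICMP datagram sockets are gated by the `net.ipv4.ping_group_range` sysctl, and this program reads it and then probes the three socket types that appear in the strace output. The function names `gid_in_ping_range` and `probe_socket` are hypothetical, and only the effective GID is checked here although the kernel also accepts a supplementary group inside the range.

```c
#include <errno.h>
#include <linux/netlink.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if gid lies inside the "low high" text of
 * net.ipv4.ping_group_range, 0 if not, -1 if the text cannot be parsed.
 * The kernel default "1 0" is an empty range: no group may open ping sockets. */
int gid_in_ping_range(const char *range_text, unsigned long gid)
{
    unsigned long low, high;
    if (sscanf(range_text, "%lu %lu", &low, &high) != 2)
        return -1;
    return low <= gid && gid <= high;
}

/* Tries to open one socket; returns 0 on success or errno on failure. */
int probe_socket(int domain, int type, int protocol)
{
    int fd = socket(domain, type, protocol);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    char buf[64] = "";
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (f) {
        if (fgets(buf, sizeof buf, f))
            printf("ping_group_range: %s", buf);
        fclose(f);
        printf("egid %lu in range: %d\n", (unsigned long)getegid(),
               gid_in_ping_range(buf, (unsigned long)getegid()));
    }
    /* Same calls as in the strace output, plus the raw ICMP socket
     * that classic ping needed setuid or cap_net_raw for. */
    printf("ICMP datagram socket: errno %d\n",
           probe_socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP));
    printf("ICMP raw socket:      errno %d\n",
           probe_socket(AF_INET, SOCK_RAW, IPPROTO_ICMP));
    printf("netlink route socket: errno %d\n",
           probe_socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE));
    return 0;
}
```

For hardening reviews, `sysctl net.ipv4.ping_group_range` shows which groups get this ability; setting it back to `1 0` disables unprivileged ping sockets, after which ping needs setuid or `cap_net_raw` again.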