Ping As Regular User Not Allowed (CentOS Stream 8)
Following some update or the other (I think) on my CentOS Stream 8
system, I’m no longer able to use ping as a regular user; I get
$ ping www.centos.org
ping: socket: Operation not permitted
Does anyone else see this? Is it a bug, or were the system/default permissions deliberately changed? Can anyone suggest a fix/workaround?
Actually, I can find several different ones via a simple web search, but they are generally related to other distributions, I’m not quite sure which would be the most appropriate for CentOS…
Thanks.
– Toralf
21 thoughts on - Ping As Regular User Not Allowed (CentOS Stream 8)
Folks interested in this issue can watch this bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=2037807
We’re waiting for systemd-239-55.el8 sources to show up after which we will build this and publish to CentOS Stream. Right now this appears to be an infrastructure issue and the appropriate folks are working on that, but we also want this package to pass the proper checks before we build.
–Brian
On 19.01.22 at 15:44, Brian Stinson wrote:
I also noticed this “change”.
Is this a regression of the last systemd update?
Yes, systemd, this new operating system which still lacks a kernel ;-)
But seriously, this should be a warning of how dangerous even the smallest bug in systemd can be. In this case it’s absolutely harmless, but it shows once more how dominant systemd has become in the Linux ecosystem.
A bit frightening for me.
Regards, Simon
On 19/01/2022 15:32, Toralf Lund wrote:
“sudo dnf downgrade iputils” should do it for now
it works when you’re back on iputils-20180629-7.el8.x86_64
—
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
And then add:
excludepkgs=iputils-20180629-8.el8.x86_64
in the [baseos] section of /etc/yum/repos.d/CentOS-Stream-BaseOS.repo
I am doing a compose with this version of systemd in it right now. Should be released later today.
OK .. I am currently releasing an 8-stream compose with systemd-239-55.el8 .. but it does not fix this unpriv ping issue.
I checked internally and it is also a problem on the rhel build for this systemd version, so not an issue introduced by the CentOS Stream build.
This version of systemd should be available in a couple hours on mirror.centos.org.
Thanks, Johnny Hughes
On 20.01.22 at 22:07, Johnny Hughes wrote:
The change was intentional. So, this will stay …?
https://git.centos.org/rpms/iputils/c/efa64b5e05ccb2c1332304ad493acc874b61e13a?branch=c8s
—
Leon
If this is intentional, what is the reasoning behind it? This seems a bit heavy handed no?
The change to iputils should be read in context with this change to systemd: https://github.com/redhat-plumbers/systemd-rhel8/pull/246/files
To me this reads like the intent is to remove the capabilities on the ping binary, while using another mechanism to allow non-root users to still use the ping utility.
–Brian
OK .. to fix this issue until we get a build that fixes it:
Edit /usr/lib/sysctl.d/50-default.conf
take out the minus sign (-) in this line:
-net.ipv4.ping_group_range = 0 2147483647
Thanks, Johnny Hughes
I don’t think that’s particularly justified. A change was made to remove the capability from the file and instead set a kernel parameter that allows users to ping based on their GID, in order to allow ping to work from rootless containers. Systemd’s only involvement here is that it loads sysctls when the system boots, and those sysctl files are bundled in its RPM.
https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange
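The GID-range mechanism described in the post above, replayed as a runnable check. This is an added example, not code from the thread, from iputils or from systemd; it assumes the Linux path /proc/sys/net/ipv4/ping_group_range, and the sample GIDs and ranges in it are constructed. It predicts from the sysctl value and the caller's groups whether a capability-less ping should work, then compares that with an actual ICMP datagram socket attempt, which is the socket type ping uses when it has no CAP_NET_RAW.

```python
"""Who may open an unprivileged ICMP socket (added example, not code from the thread).

The kernel sysctl net.ipv4.ping_group_range holds "LOW HIGH". A process may create
an ICMP datagram socket, the socket type a capability-less ping relies on, only if
its effective GID or one of its supplementary GIDs lies in [LOW, HIGH]. The kernel's
built-in default "1 0" is an inverted, empty range, so nobody qualifies until a
sysctl.d entry such as "0 2147483647" widens it.
"""
import errno
import os
import socket

PROC_PATH = "/proc/sys/net/ipv4/ping_group_range"   # real kernel path on Linux


def parse_ping_group_range(text):
    """Turn the sysctl's "LOW HIGH" text (space or tab separated) into (low, high)."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError(f"expected 'LOW HIGH', got {text!r}")
    return int(parts[0]), int(parts[1])


def may_ping(gids, ping_group_range):
    """True if any GID in gids falls inside the inclusive [low, high] range.

    An inverted range such as the kernel default (1, 0) matches no GID at all,
    which is exactly the "nobody may ping without CAP_NET_RAW" state."""
    low, high = ping_group_range
    return any(low <= gid <= high for gid in gids)


def try_icmp_dgram_socket():
    """Attempt what ping does without file capabilities: open an ICMP datagram socket.

    Returns "ok" on success, otherwise the errno name the kernel handed back."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    sock.close()
    return "ok"


def system_report():
    """Compare the sysctl-based prediction with an actual socket attempt on this host."""
    if not os.path.exists(PROC_PATH):
        return "no /proc/sys/net/ipv4/ping_group_range here (not Linux or no /proc)"
    with open(PROC_PATH) as fh:
        rng = parse_ping_group_range(fh.read())
    gids = {os.getegid(), *os.getgroups()}
    predicted = may_ping(gids, rng)
    observed = try_icmp_dgram_socket()
    return (f"ping_group_range={rng}, my gids={sorted(gids)}, "
            f"range allows ping: {predicted}, ICMP dgram socket: {observed}")


if __name__ == "__main__":
    # Constructed inputs: the kernel default and the value the Fedora change ships.
    assert not may_ping([0, 1000], parse_ping_group_range("1\t0"))
    assert may_ping([1000], parse_ping_group_range("0 2147483647"))
    print(system_report())
```

Run it as the regular user that cannot ping: if the range is "1 0" the prediction is False and the socket attempt fails, whereas after the sysctl is applied (or after the dash is removed from the shipped file) the prediction flips to True and the socket opens. The file-capability route that iputils dropped is independent of this check, which is why a binary with cap_net_raw still pings on a host with an empty range.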
$ rpm -q --queryformat '[%{FILENAMES} %{FILECAPS}\n]' iputils | grep /usr/bin/ping
/usr/bin/ping = cap_net_admin,cap_net_raw+p
I guess this is what was changed in the new version? (Didn’t check before downgrading, too lazy to switch back to do it.)
What I don’t quite understand is why the updated iputils was released before the systemd/kernel changes others mention…
– Toralf
On 20.01.22 at 23:14, Johnny Hughes wrote:
Is this “minus” a typo? I guess …
While running yum update I get:
Couldn’t write ‘0 2147483647’ to ‘-net/ipv4/ping_group_range’, ignoring: No such file or directory
—
Leon
I do not know if it is a typo or not (maybe a functionality I don’t know about) .. but if I remove the dash and save the file, everything works as expected.
It is the only option in that file with a dash.
OK .. the minus sign is intentional .. but the functionality to make it work is not yet in the packages. See this bug for details:
https://bugzilla.redhat.com/show_bug.cgi?id=2037807
So the two fixes are to not upgrade iputils and exclude it in your dnf config .. OR .. to take out the minus sign until the issue is fixed.
Or live with sudo/root only for ping
I should obviously proof read :)
On 21.01.22 at 15:23, Johnny Hughes wrote:
Yes, I was on the same track this morning and found out the same thing. Some backports are needed for systemd to support this “-” prefix.
https://github.com/systemd/systemd/pull/13191/commits/dec02d6e1993d420a0a94c7fec294605df55e88e
—
Leon
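The “-” prefix that the two posts above (the yum update message, and the missing backport) turn on, modelled as a small sysctl.d reader. This is an added example, not code from systemd or from the thread. It assumes a dict standing in for /proc/sys, with the kernel’s default empty range as its starting value, and it simplifies systemd-sysctl: real systemd also accepts slashes inside keys, expands globs, and tolerates some failed writes (such as a missing key) even without the prefix, which is where the “ignoring” wording in the thread’s message comes from. The model shows why the old parser ends up looking for a file called “-net/ipv4/ping_group_range”, why deleting the dash makes it hit the right path, and what the prefix is for once a parser understands it.

```python
"""How a sysctl.d key with a "-" prefix is read by a systemd that knows the
convention versus one that does not (added example; not systemd's code).

Newer systemd treats a leading "-" on a key as "apply this, but a failure is not
an error". The systemd in the thread predates that backport, so the literal key,
dash included, is handed to /proc/sys, where no such file exists.
"""


def parse_sysctl_line(line, prefix_aware):
    """Return (proc_sys_path, value, ignore_failure), or None for blank/comment lines.

    prefix_aware=True models a systemd with the "-" backport; False models the
    older build that treats the dash as part of the key. Dotted keys map onto
    /proc/sys/<a>/<b>/<c>; slashes inside keys and globs are not modelled."""
    line = line.strip()
    if not line or line[0] in "#;":
        return None
    key, sep, value = line.partition("=")
    if not sep:
        raise ValueError(f"malformed sysctl.d line: {line!r}")
    key, value = key.strip(), value.strip()
    ignore_failure = False
    if prefix_aware and key.startswith("-"):
        ignore_failure = True
        key = key[1:]
    return key.replace(".", "/"), value, ignore_failure


def apply_sysctl_conf(text, proc_sys, prefix_aware):
    """Apply each setting to proc_sys (a dict modelling /proc/sys).

    Returns (messages, fatal): one message per failed write, in the wording the
    thread saw, and fatal=True if any failed line lacked the ignore marker."""
    messages, fatal = [], False
    for line in text.splitlines():
        parsed = parse_sysctl_line(line, prefix_aware)
        if parsed is None:
            continue
        path, value, ignore_failure = parsed
        if path in proc_sys:
            proc_sys[path] = value
            continue
        messages.append(f"Couldn't write '{value}' to '{path}', ignoring: "
                        "No such file or directory")
        fatal = fatal or not ignore_failure
    return messages, fatal


def fresh_proc_sys():
    """Constructed stand-in for /proc/sys holding the kernel's default empty range."""
    return {"net/ipv4/ping_group_range": "1 0"}


SHIPPED_LINE = "-net.ipv4.ping_group_range = 0 2147483647"   # as in 50-default.conf
PATCHED_LINE = "net.ipv4.ping_group_range = 0 2147483647"    # after removing the dash
UNKNOWN_LINE = "-net.ipv4.example_missing_knob = 1"          # constructed: key absent


def scenario(conf_line, prefix_aware):
    """Run one configuration line through one parser.

    Returns (range_after, messages, fatal) so the three states the thread
    discusses can be compared side by side."""
    proc_sys = fresh_proc_sys()
    messages, fatal = apply_sysctl_conf(conf_line + "\n", proc_sys, prefix_aware)
    return proc_sys["net/ipv4/ping_group_range"], messages, fatal


if __name__ == "__main__":
    cases = [
        ("old systemd, shipped file", SHIPPED_LINE, False),
        ("old systemd, dash removed", PATCHED_LINE, False),
        ("backported systemd, shipped file", SHIPPED_LINE, True),
        ("backported systemd, prefixed unknown key", UNKNOWN_LINE, True),
    ]
    for label, line, aware in cases:
        print(f"{label}: {scenario(line, aware)}")
```

The first case reproduces the thread: the range stays at the kernel default and the only trace is the “Couldn't write … to '-net/ipv4/ping_group_range'” line during the update. The second is Johnny's edit, and the third is what the backport buys: the same shipped file applies cleanly. The fourth shows the prefix doing its actual job, letting a setting for a knob this kernel lacks fail without counting as an error.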
Both work for me. Thanks.
Might also be OK for a short while. Irritation would probably build up over time ;-)
– Toralf
Thanks for this info. I had a perplexing experience just now.
—
—————————————
“Do what you can, with what you’ve got,
where you are.”
— Theodore Roosevelt MzK