Ping As Regular User Not Allowed (CentOS Stream 8)

Following some update or the other (I think) on my CentOS Stream 8
system, I’m no longer able to use ping as a regular user; I get

$ ping www.CentOS.org
ping: socket: Operation not permitted

Does anyone else see this? Is it a bug, or were the system/default permissions deliberately changed? Can anyone suggest a fix/workaround?
Actually, I can find several different ones via a simple web search, but they are generally related to other distributions; I'm not quite sure which would be the most appropriate for CentOS.

Thanks.

– Toralf

21 thoughts on - Ping As Regular User Not Allowed (CentOS Stream 8)

  • Folks interested in this issue can watch this bugzilla:
    https://bugzilla.redhat.com/show_bug.cgi?id 37807

    We’re waiting for systemd-239-55.el8 sources to show up after which we will build this and publish to CentOS Stream. Right now this appears to be an infrastructure issue and the appropriate folks are working on that, but we also want this package to pass the proper checks before we build.

    –Brian

  • On 19.01.22 at 15:44, Brian Stinson wrote:

    I also noticed this “change”.

    Is this a regression of the last systemd update?

  • Yes, systemd, this new operating system which still lacks a kernel ;-)

    But seriously, this should be a warning how dangerous even the smallest bug in systemd can be. In this case it's absolutely harmless but it shows once more how domineering systemd has become in the Linux ecosystem.

    A bit frightening for me.

    Regards, Simon

  • And then add:
    excludepkgs=iputils-20180629-8.el8.x86_64
    in the [baseos] section of /etc/yum/repos.d/CentOS-Stream-BaseOS.repo

  • OK .. I am currently releasing an 8-stream compose with systemd-239-55.el8 .. but it does not fix this unpriv ping issue.

    I checked internally and it is also a problem on the rhel build for this systemd version, so not an issue introduced by the CentOS Stream build.

    This version of systemd should be available in a couple hours on mirror.CentOS.org.

    Thanks, Johnny Hughes

  • OK .. to fix this issue until we get a build that fixes it:

    Edit /usr/lib/sysctl.d/50-default.conf

    take out the minus sign (-) in this line:

    -net.ipv4.ping_group_range = 0 2147483647

    Thanks, Johnny Hughes

  • I don’t think that’s particularly justified.  A change was made to remove the capability from the file and instead set a kernel parameter that allows users to ping based on their GID, in order to allow ping to work from rootless containers.  Systemd’s only involvement here is that it loads sysctls when the system boots, and those sysctl files are bundled in its RPM.

    https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange

  • $ rpm -q --queryformat '[%{FILENAMES} %{FILECAPS}\n]' iputils | grep /usr/bin/ping
    /usr/bin/ping = cap_net_admin,cap_net_raw+p

    I guess this is what was changed in the new version? (Didn't check before downgrading, too lazy to switch back to do it.)

    What I don’t quite understand is why the updated iputils was released before the systemd/kernel changes others mention…

    – Toralf

  • On 20.01.22 at 23:14, Johnny Hughes wrote:

    Is this “minus” a typo? I guess …

    During yum update I get:

    Couldn’t write ‘0 2147483647’ to ‘-net/ipv4/ping_group_range’, ignoring:
    No such file or directory


    Leon

  • I do not know if it is a typo or not (maybe a functionality I don’t know about) .. but if I remove the dash and save the file, everything works as expected.

    It is the only option in that file with a dash.

  • So the two fixes are to not upgrade iputils and exclude it in your dnf config .. OR .. to take out the minus sign until the issue is fixed.

    Or live with sudo/root only for ping.

  • Both work for me. Thanks.

    Might also be OK for a short while. Irritation would probably build up over time ;-)

    – Toralf

  • Thanks for this info. I had a perplexing experience just now.

    —————————————
    “Do what you can, with what you’ve got,
    where you are.”
    — Theodore Roosevelt MzK
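
A diagnostic for the two mechanisms discussed in this thread, file capabilities on ping and the net.ipv4.ping_group_range sysctl, as an added example that is not part of any post above. The function names are hypothetical; the sysctl.d path is the one quoted in the thread, and the fact that the kernel default range "1 0" admits no group is standard kernel behaviour.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose why unprivileged ping fails.
# Two mechanisms can permit it: file capabilities on /usr/bin/ping, or the
# net.ipv4.ping_group_range sysctl covering one of the caller's groups.

# gid_in_range GID "LOW HIGH": succeed if GID lies inside the range.
# The kernel default "1 0" (low > high) admits no group at all.
gid_in_range() {
    gid=$1
    set -- $2                      # split "LOW HIGH" (space or tab separated)
    [ "$gid" -ge "$1" ] && [ "$gid" -le "$2" ]
}

# dash_keys FILE: print sysctl keys that FILE writes with a leading "-",
# the form that produced the "Couldn't write ..." message in this thread.
dash_keys() {
    sed -n 's/^[[:space:]]*-\([^=[:space:]]*\)[[:space:]]*=.*/\1/p' "$1"
}

# ping_report [CONF] [RANGE_FILE]: summarise both mechanisms for this user.
# Returns 0 if the active range covers one of the caller's groups.
ping_report() {
    conf=${1:-/usr/lib/sysctl.d/50-default.conf}
    range_file=${2:-/proc/sys/net/ipv4/ping_group_range}
    range=$(cat "$range_file" 2>/dev/null) || return 2
    allowed=no
    for g in $(id -G); do
        if gid_in_range "$g" "$range"; then allowed=yes; break; fi
    done
    echo "ping_group_range: $range (covers a group of uid $(id -u): $allowed)"
    if [ -r "$conf" ]; then
        dash_keys "$conf" | sed 's/^/dash-prefixed key: /'
    fi
    if command -v getcap >/dev/null 2>&1; then
        getcap /usr/bin/ping 2>/dev/null || true   # empty: no file capabilities
    fi
    [ "$allowed" = yes ]
}
```

Source the file and run `ping_report` with no arguments to inspect the live system; a "no" result together with empty getcap output matches the "Operation not permitted" symptom reported above.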