Author Topic: Synapse: how to use its PING feature without needing root rights (Linux)?  (Read 23299 times)

Hartmut

May I ask again:
What are the advantages of using your code compared with the very simple code of Jurassic Pork in reply #11? In which cases would your code give better results (besides that yours can resolve a hostname to its IP address)?
Well, the code in #11 uses a TCP/port combination. So you need to know which port the server has open (http, https, ftp, VoIP etc). But... not all services listen on the TCP protocol. You also have the UDP protocol. A VoIP server for instance is normally listening on UDP (sometimes both UDP and TCP). The code in #11 doesn't check for UDP ports.

ICMP PING (Echo Request) is just another method of checking for presence on the network. But... not all servers or computers have to respond to ICMP PING requests. Servers on the internet normally do (because it's a usual way of checking if the server is up). But for example lots of consumer routers (for example your own router) could have ICMP reply set to off (usually this is an option to set on or off in the router). So ICMP is not guaranteed but it is very common under open servers on the internet.
Thanks for clarification. Again I learned something :-)

Quote
If I start your code with setting net.ipv4.ping_group_range = '1 0' then I always get 'ms' = -2 ms (also with sudo).
If I start your code with setting net.ipv4.ping_group_range = '0 2147483647' then I always get a 'ms' near 17 ms (with and without sudo).
1 to 0 seems like nobody can use SOCK_DGRAM, IPPROTO_ICMP. Not even root.
I wonder if that's the default setting in that distro?
I'm 100% sure that I never touched this setting before, because I was faced with this setting now the very 1st time.

rvk

If I start your code with setting net.ipv4.ping_group_range = '1 0' then I always get 'ms' = -2 ms (also with sudo).
If I start your code with setting net.ipv4.ping_group_range = '0 2147483647' then I always get a 'ms' near 17 ms (with and without sudo).
1 to 0 seems like nobody can use SOCK_DGRAM, IPPROTO_ICMP. Not even root. 0 to 0 or 0 to 1 would include root (0). But 1 to 0 is nothing.

I wonder if that's the default setting in that distro?
It seems 1 to 0 is indeed default on some systems.
Meaning not even root can do ping through SOCK_DGRAM, IPPROTO_ICMP.

Can you check what ping does if it is set to 1 to 0?
Did it revert back to RAW sockets?

You can check with
strace -e socket ping google.com


Hartmut

Can you check what ping does if it is set to 1 to 0?
Did it revert back to RAW sockets?
You can check with
strace -e socket ping google.com

Code:
hg6@a2100:~$ sysctl net.ipv4.ping_group_range
net.ipv4.ping_group_range = 1   0
hg6@a2100:~$

hg6@a2100:~$ strace -e socket ping google.com
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = -1 EACCES (Keine Berechtigung)
socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Vorgang nicht zulässig)
socket(AF_INET6, SOCK_DGRAM, IPPROTO_ICMPV6) = -1 EACCES (Keine Berechtigung)
socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6) = -1 EPERM (Vorgang nicht zulässig)
ping: socktype: SOCK_RAW
ping: socket: Vorgang nicht zulässig
ping: => missing cap_net_raw+p capability or setuid?
+++ exited with 2 +++
hg6@a2100:~$
"Keine Berechtigung" means "No permission".
"Vorgang nicht zulässig" means "transaction not allowed".

Then I set range to '0 2147483647' and then it worked:
Code:
hg6@a2100:~$ sudo sysctl net.ipv4.ping_group_range='0 2147483647'
net.ipv4.ping_group_range = 0 2147483647

hg6@a2100:~$ strace -e socket ping google.com
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = 3
socket(AF_INET6, SOCK_DGRAM, IPPROTO_ICMPV6) = 4
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 5
socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_ROUTE) = 5
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 5
socket(AF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_IP) = 5
socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
PING google.com (2a00:1450:4001:828::200e) 56 data bytes
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 5
64 bytes from fra24s05-in-x0e.1e100.net (2a00:1450:4001:828::200e): icmp_seq=1 ttl=119 time=13.6 ms
64 bytes from fra24s05-in-x0e.1e100.net (2a00:1450:4001:828::200e): icmp_seq=2 ttl=119 time=13.0 ms
64 bytes from fra24s05-in-x0e.1e100.net (2a00:1450:4001:828::200e): icmp_seq=3 ttl=119 time=13.3 ms
...
^Cstrace: Process 6628 detached

--- google.com ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7005ms
rtt min/avg/max/mdev = 12.808/13.095/13.642/0.279 ms
hg6@a2100:~$

Must now stop for today.

rvk

"Keine Berechtigung" means "No permission".
"Vorgang nicht zulässig" means "transaction not allowed".

Then I set range to '0 2147483647' and then it worked:
I assume running ping doesn't work at all as user?

That confirms that ping first tries SOCK_DGRAM+IPPROTO_ICMP.
If that doesn't work, because 0 (root group) is excluded from net.ipv4.ping_group_range (because 1 to 0 doesn't include 0), then it tries SOCK_RAW.

But you tried this as user which fails because user does not have RAW socket access.

Running this as root probably should have worked (with SOCK_RAW).
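The probe order rvk describes above (ICMP datagram socket first, raw socket as the fallback), written out as an added example in C. This is not code from the thread, from iputils ping or from Synapse; it covers IPv4 only, and the diagnosis strings are my own wording. The two errno values map directly onto the strace transcript: EACCES on SOCK_DGRAM means the caller's groups are outside net.ipv4.ping_group_range, EPERM on SOCK_RAW means no CAP_NET_RAW.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum icmp_sock_kind { ICMP_SOCK_NONE = -1, ICMP_SOCK_DGRAM = 0, ICMP_SOCK_RAW = 1 };

struct icmp_probe {
    int kind;       /* which socket type was obtained, or ICMP_SOCK_NONE */
    int fd;         /* open descriptor, or -1 */
    int dgram_err;  /* errno of the SOCK_DGRAM attempt, 0 if it succeeded */
    int raw_err;    /* errno of the SOCK_RAW attempt, 0 if it succeeded or was not needed */
};

/* Probe in the same order as ping: the unprivileged ICMP datagram socket
 * first (gated by net.ipv4.ping_group_range, EACCES when the caller's gids
 * fall outside it), then a raw ICMP socket (gated by CAP_NET_RAW, EPERM
 * without it). Only IPv4 is tried here; ping repeats the pair for IPv6. */
struct icmp_probe open_icmp_socket(void)
{
    struct icmp_probe p = { ICMP_SOCK_NONE, -1, 0, 0 };

    p.fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (p.fd >= 0) {
        p.kind = ICMP_SOCK_DGRAM;
        return p;
    }
    p.dgram_err = errno;

    p.fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (p.fd >= 0) {
        p.kind = ICMP_SOCK_RAW;
        return p;
    }
    p.raw_err = errno;
    p.fd = -1;
    return p;
}

/* Turn a probe result into a diagnosis the user can act on. Pure function,
 * so it can also be exercised with constructed errno values. */
const char *explain_probe(const struct icmp_probe *p)
{
    switch (p->kind) {
    case ICMP_SOCK_DGRAM:
        return "unprivileged ICMP socket: caller's gid is inside net.ipv4.ping_group_range";
    case ICMP_SOCK_RAW:
        return "raw ICMP socket: caller has CAP_NET_RAW (or is root)";
    default:
        break;
    }
    if (p->dgram_err == EACCES && p->raw_err == EPERM)
        return "gid outside net.ipv4.ping_group_range and no CAP_NET_RAW: "
               "widen the sysctl range or give the binary cap_net_raw";
    if (p->dgram_err == EACCES)
        return "gid outside net.ipv4.ping_group_range; raw socket failed for another reason";
    return "kernel refused both ICMP socket types (no ICMP datagram support here?)";
}

int main(void)
{
    struct icmp_probe p = open_icmp_socket();
    printf("%s\n", explain_probe(&p));
    if (p.kind == ICMP_SOCK_NONE) {
        printf("SOCK_DGRAM: %s\nSOCK_RAW:   %s\n",
               strerror(p.dgram_err), strerror(p.raw_err));
        return 2;   /* same exit status ping used in the transcript above */
    }
    close(p.fd);
    return 0;
}
```

Run it once as an ordinary user and once via sudo on a box with the default "1 0" range: the first run lands in the EACCES/EPERM branch, the second obtains a raw socket, which is what rvk expects for root.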


MarkMLl

I must admit that I wasn't aware of the net.ipv4.ping_group_range facility, hence was possibly excessively critical of the idea of using an appropriate group earlier in the thread for which I apologise.

In the general case though, I don't know how many of the POSIX capabilities can also be controlled by groups in this manner: a quick reading of earlier messages suggests that even in the case of the network it's by no means complete, so having a basic understanding of the POSIX capabilities is useful.

On a more positive note, while setting up a group and including it in the net.ipv4.ping_group_range list needs appropriate permission (i.e. in practice the user has to be root, or has to have an appropriately blessed script):

* setting the group of a freshly-compiled binary and setting its setgid flag is unprivileged,

* moving a binary or copying it with  cp -p  preserves its group and setgid state.

So /if/ it's a capability which can be mimicked by group membership, and /if/ the system owner is prepared to risk compromising robustness, then this is something which is within the scope of an unmodified (and unprivileged) development environment.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Logitech, TopSpeed & FTL Modula-2 on bare metal (Z80, '286 protected mode).
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories
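MarkMLl's point that a setgid binary can put a process inside the range is easiest to see by reproducing the kernel's own check in user space. The following is an added example, not code from the thread or from Synapse: it parses the sysctl text, applies the interval test the kernel uses (effective gid first, then every supplementary gid; "1 0" is an empty interval, so even root's gid 0 fails), and reports whether the calling process would get an ICMP datagram socket. The return-code convention and the file path /proc/sys/net/ipv4/ping_group_range are the only assumptions beyond the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

struct gid_range { gid_t low, high; };

/* Parse the sysctl text, e.g. "1\t0\n" (the default seen in the thread) or
 * "0 2147483647". Returns 0 on success, -1 if it is not two non-negative ints. */
int parse_ping_group_range(const char *text, struct gid_range *out)
{
    char *end;
    long lo = strtol(text, &end, 10);
    if (end == text) return -1;
    const char *p = end;
    long hi = strtol(p, &end, 10);
    if (end == p) return -1;
    if (lo < 0 || hi < 0 || lo > 2147483647L || hi > 2147483647L) return -1;
    out->low  = (gid_t)lo;
    out->high = (gid_t)hi;
    return 0;
}

/* The kernel's test: a gid qualifies iff low <= gid <= high. With "1 0" the
 * interval is empty, which is why not even root (gid 0) passes. */
int gid_in_range(const struct gid_range *r, gid_t gid)
{
    return r->low <= gid && gid <= r->high;
}

/* Apply the test to a gid set; one match anywhere is enough. */
int any_gid_in_range(const struct gid_range *r, const gid_t *gids, int n)
{
    for (int i = 0; i < n; i++)
        if (gid_in_range(r, gids[i])) return 1;
    return 0;
}

/* Read the live sysctl and evaluate the calling process's credentials.
 * Returns 1 (ICMP datagram socket allowed), 0 (EACCES expected) or
 * -1 (sysctl unreadable or unparsable, e.g. not on Linux). */
int current_process_allowed(void)
{
    char buf[64];
    struct gid_range r;
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (!f) return -1;
    if (!fgets(buf, sizeof buf, f)) { fclose(f); return -1; }
    fclose(f);
    if (parse_ping_group_range(buf, &r) != 0) return -1;

    int n = getgroups(0, NULL);
    if (n < 0) return -1;
    gid_t *gids = malloc((size_t)(n + 1) * sizeof *gids);
    if (!gids) return -1;
    gids[0] = getegid();              /* this is the gid a setgid binary changes */
    n = getgroups(n, gids + 1);       /* supplementary groups follow */
    if (n < 0) { free(gids); return -1; }
    int ok = any_gid_in_range(&r, gids, n + 1);
    free(gids);
    return ok;
}

int main(void)
{
    int v = current_process_allowed();
    if (v < 0) { puts("could not evaluate net.ipv4.ping_group_range"); return 1; }
    printf("egid %u: ICMP datagram socket %s\n", (unsigned)getegid(),
           v ? "allowed" : "denied (EACCES)");
    return 0;
}
```

Because only the effective gid and the supplementary list are consulted, a binary owned by a group inside the range and marked setgid reports "allowed" for any user who can execute it, with no capability and no setuid involved; that is exactly the trade-off MarkMLl raises, since the sysctl is one interval for the whole system rather than a per-group grant.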

rvk

From our AI friend:
Quote
The default value for net.ipv4.ping_group_range is typically 1 0, which means no groups are allowed to create ICMP echo sockets, effectively preventing unprivileged users from pinging. Some distributions and newer kernel versions, like Fedora, have started enabling this setting by default to a broad range (e.g., 0 2147483647) to allow unprivileged users to use ping in scenarios like rootless containers. To change it, you can add the sysctl setting to a file in /etc/sysctl.d/ and then run sudo sysctl --system.

So I guess it's just a matter of time before 0 2147483647 is standard.

MarkMLl

So I guess it's just a matter of time before 0 2147483647 is standard.

Taking quips like "Well /you/ might have an AI friend but I prefer the cuddly kind..." as read, I think the problem here is that even if that range is not the distro's standard there's a real risk that installation of e.g. a network monitoring package injects a file into /etc/sysctl.d which potentially weakens system robustness for everybody: note that the parameters are a range, and that there's no provision for selecting individual groups or for having multiple ranges.

There's a problem here. Programs such as a network monitor (Nagios or similar) are encouraged to run as their own user rather than root, which encourages the use of special-purpose groups... no, I'm sorry but I think POSIX capabilities applied to individual binaries are preferable, even if applying the blessing requires root privilege and even if tinkering with the binary obliterates the extra capabilities.

MarkMLl

rvk

There's a problem here. Programs such as a network monitor (Nagios or similar) are encouraged to run as their own user rather than root, which encourages the use of special-purpose groups... no, I'm sorry but I think POSIX capabilities applied to individual binaries are preferable, even if applying the blessing requires root privilege and even if tinkering with the binary obliterates the extra capabilities.
So what's the harm for a distro to preset the net.ipv4.ping_group_range to a wide range like 0 2147483647? It only affects ICMP. And it can only be set and changed by root.

Setting it to 1 0 might be more dangerous as installers need (or want) to change it and can only do that as root. So it might be better to just directly set it correctly in the distro. Or am I wrong?

And sure, there might always be distros which are more restricted and might have blocked this. Running ping as user isn't allowed then (which seems the default now). That's the reason you could build in more methods for detecting a server's presence.

MarkMLl

So what's the harm for a distro to preset the net.ipv4.ping_group_range to a wide range like 0 2147483647? It only effects ICMP. And it can only be set and changed by root.

What precise facilities are checked and blocked by the kernel? If arbitrary programs were allowed to do this, could somebody find a way of e.g. spoofing error reports which normally come over ICMP?

Even if it's only "ICMP Echo", could it be used for a DoS or DDoS? The prohibition on arbitrary programs doing this must have been put in for some reason, and by and large history shows that unix's approach to this sort of thing has been fairly good in system stability terms.

MarkMLl

Hartmut

"Keine Berechtigung" means "No permission".
"Vorgang nicht zulässig" means "transaction not allowed".

Then I set range to '0 2147483647' and then it worked:
I assume running ping doesn't work at all as user?

No. As you can see in reply #42, ping works without problems as unprivileged user, even if net.ipv4.ping_group_range is set to '1 0'. The reason is that ping in Kubuntu 24.04 has the 'cap_net_raw' capability set:
Code:
hg6@i3300:~$ which ping
/usr/bin/ping
hg6@i3300:~$ getcap /usr/bin/ping
/usr/bin/ping cap_net_raw=ep
hg6@i3300:~$

rvk

I assume running ping doesn't work at all as user?
No. As you can see in reply #42, ping works without problems as unprivileged user, even if net.ipv4.ping_group_range is set to '1 0'. The reason is that ping in Kubuntu 24.04 has the 'cap_net_raw' capability set:
Code:
hg6@i3300:~$ which ping
/usr/bin/ping
hg6@i3300:~$ getcap /usr/bin/ping
/usr/bin/ping cap_net_raw=ep
hg6@i3300:~$
Then why did your strace ping command in #47 +++ exited with 2 +++ ??

Code:
hg6@a2100:~$ sysctl net.ipv4.ping_group_range
net.ipv4.ping_group_range = 1   0
hg6@a2100:~$

hg6@a2100:~$ strace -e socket ping google.com
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = -1 EACCES (Keine Berechtigung)
socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Vorgang nicht zulässig)
socket(AF_INET6, SOCK_DGRAM, IPPROTO_ICMPV6) = -1 EACCES (Keine Berechtigung)
socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6) = -1 EPERM (Vorgang nicht zulässig)
ping: socktype: SOCK_RAW
ping: socket: Vorgang nicht zulässig
ping: => missing cap_net_raw+p capability or setuid?
+++ exited with 2 +++
hg6@a2100:~$
"Keine Berechtigung" means "No permission".
"Vorgang nicht zulässig" means "transaction not allowed".
« Last Edit: August 23, 2025, 09:27:12 am by rvk »

Hartmut

Then why did your strace ping command in #47 +++ exited with 2 +++ ??
I have absolutely no idea, sorry. I repeated both and got the same results as before: ping without strace works, ping with strace does not work. I don't know strace, I used it now for the very first time. Seems that it calls ping in a way that its 'cap_net_raw' capability does not work...?

rvk

Then why did your strace ping command in #47 +++ exited with 2 +++ ??
I have absolutely no idea, sorry. I repeated both and got the same results as before: ping without strace works, ping with strace does not work. I don't know strace, I used it now for the very first time. Seems that it calls ping in a way that its 'cap_net_raw' capability does not work...?
Ok, yes, that might be a possibility.

Also see https://superuser.com/questions/1219283/is-it-possible-to-strace-pinging-a-host
Same goes for the setuid bit (which ping used before cap_net_raw, and which sudo still uses).
https://superuser.com/questions/1059198/why-strace-sudo-command-bombs-when-sudo-command-works

So, in the past ping first used the setuid root method.
Later on, it switched to capability (with cap_net_raw).
After that, it switched to SOCK_DGRAM + IPPROTO_ICMP and net.ipv4.ping_group_range

MarkMLl

Then why did your strace ping command in #47 +++ exited with 2 +++ ??
I have absolutely no idea, sorry. I repeated both and got the same results as before: ping without strace works, ping with strace does not work. I don't know strace, I used it now for the very first time. Seems that it calls ping in a way that its 'cap_net_raw' capability does not work...?

Capabilities are revoked if running under a debugger.

When debugging this sort of thing I've generally had to run the program as root under gdbserver, then connect to that from the IDE... I can't remember whether the IDE's facility to connect to an already-running program also works.

MarkMLl
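A quick way to confirm what MarkMLl says about capabilities under a debugger is to have the program inspect its own effective set. The following is an added example, not code from the thread, from iputils or from Synapse: it parses the CapEff line of /proc/self/status and tests the CAP_NET_RAW bit (bit 13, per linux/capability.h). Built and given cap_net_raw=ep with setcap, it reports "yes" when run directly and "no" when launched under strace or gdb by an unprivileged user, because the kernel withholds file-capability and setuid gains on exec when the process is already traced by someone without CAP_SYS_PTRACE. The status-file path and the line format are the only assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit number of CAP_NET_RAW in the capability masks (linux/capability.h). */
#define CAP_NET_RAW_BIT 13

/* Test one capability bit in a 64-bit hex mask as printed in /proc/PID/status
 * ("0000000000002000"). Returns 1 set, 0 clear, -1 unparsable or cap >= 64. */
int cap_in_hex_mask(const char *hex, int cap)
{
    char *end;
    unsigned long long mask;
    if (cap < 0 || cap >= 64) return -1;
    mask = strtoull(hex, &end, 16);   /* skips the leading tab for us */
    if (end == hex) return -1;
    return ((mask >> cap) & 1ULL) ? 1 : 0;
}

/* Locate the "CapEff:" line in status text (real or constructed) and test
 * the bit there. Returns -1 if no CapEff line is present. */
int cap_effective_in_status(const char *status, int cap)
{
    const char *line = status;
    for (;;) {
        if (strncmp(line, "CapEff:", 7) == 0)
            return cap_in_hex_mask(line + 7, cap);
        line = strchr(line, '\n');
        if (!line) return -1;
        line++;
    }
}

/* Read the live file for the calling process. -1 if it cannot be read. */
int have_effective_cap(int cap)
{
    char buf[4096];
    size_t n;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return cap_effective_in_status(buf, cap);
}

int main(void)
{
    int v = have_effective_cap(CAP_NET_RAW_BIT);
    if (v < 0) { puts("cannot read /proc/self/status"); return 1; }
    printf("CAP_NET_RAW effective: %s\n",
           v ? "yes (raw ICMP socket will work)"
             : "no (raw socket gives EPERM; file caps are not applied under ptrace)");
    return 0;
}
```

When the answer is "no" under strace but "yes" without it, the capability itself is fine and the debugger is the cause; MarkMLl's workaround of running the target as root under gdbserver sidesteps the exec-time drop because the tracer then holds CAP_SYS_PTRACE.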
