
Author Topic: Synapse: how to use its PING feature without needing root rights (Linux)?  (Read 24816 times)

Hartmut

  • Hero Member
  • *****
  • Posts: 1047
I want to use the PING feature of package Synapse, which resides in unit pingsend, e.g. in function PingHost http://synapse.ararat.cz/doc/help/pingsend.html#PingHost

Unfortunately then my program needs sudo to work (which makes it very uncomfortable for me and others). The beginning of unit pingsend.pas contains:
Code: Text
This unit using IpHlpApi (on WinXP or higher) if available. Otherwise it trying to use RAW sockets.
Warning: For use of RAW sockets you must have some special rights on some systems.
So, it working allways when you have administator/root rights.
I use Ubuntu 24.04.

There are some other things which normally require sudo for a program to use them, but where this can be avoided by only adding the current user to a certain user group:
 - to use WebDAV without sudo, simply add the current user to the "davfs2" group or
 - to use serial devices (rs232), simply add the current user to the "dialout" group.

My question is: does a certain user group exist, where I only have to add the current user, so that sudo is no longer required for programs using the PING feature of Synapse?

Thanks in advance.

cdbc

  • Hero Member
  • *****
  • Posts: 2571
    • http://www.cdbc.dk
Hi
IIRC you have to include your user in the "DialOut" group or something like that, to avoid having to have 'root'-privileges...
Regards Benny
If it ain't broke, don't fix it ;)
PCLinuxOS(rolling release) 64bit -> KDE6/QT6 -> FPC Release -> Lazarus Release &  FPC Main -> Lazarus Main

Hartmut

  • Hero Member
  • *****
  • Posts: 1047
Thanks cdbc. The current user was already in group "dialout":
Code: Text
hg6@i3300:/media/D/Tst$ groups
hg6 adm dialout cdrom sudo dip plugdev lpadmin sambashare davfs2
hg6@i3300:/media/D/Tst$
but this doesn't help.
So if this way (adding the current user to the right group) is possible, then it must be another group.
Which group could it be?

Thausand

  • Sr. Member
  • ****
  • Posts: 457
Raw sockets do not work that way on Linux. I do not know of a group that has non-root access to raw sockets by default.

If you want ping without root, then you have to use a capability (setcap). You can always make a group that has raw socket capability, but the normal way is to grant the program raw socket capability. To run setcap you must use root one time to set the capability.

PS: I just read that trixie made a change again and does not use raw sockets but now uses proto capability. So it looks like it depends on distribution and version. I have not tested with trixie (I do not have trixie).
« Last Edit: August 20, 2025, 03:04:23 pm by Thausand »

rvk

  • Hero Member
  • *****
  • Posts: 6922
Quote
My question is: does a certain user group exist, where I only have to add the current user, so that sudo is no longer required for programs using the PING feature of Synapse?
Couldn't you do it like it's done for the ping command itself? There the /bin/ping is just set as setuid root.

chown root:root /path/yourapp; chmod u+srwx,go=rx /path/yourapp

Edit: I see indeed that this is changed again since Debian 13 "Trixie".
https://stackoverflow.com/a/79734658/1037511

5.1.15. Ping no longer runs with elevated privileges
https://www.debian.org/releases/trixie/release-notes/issues.en.html#ping-no-longer-runs-with-elevated-privileges
« Last Edit: August 20, 2025, 03:11:29 pm by rvk »

rvk

  • Hero Member
  • *****
  • Posts: 6922
Quote
PS: I just read that trixie made a change again and does not use raw sockets but now uses proto capability. So it looks like it depends on distribution and version. I have not tested with trixie (I do not have trixie).
Aren't SOCK_DGRAM and IPPROTO_ICMP already available on older versions? And isn't it just that Trixie is only implementing this now in ping versions?
In that case you could create your own ping function with SOCK_DGRAM and IPPROTO_ICMP without needing privileges.

https://stackoverflow.com/questions/8290046/icmp-sockets-linux

Jurassic Pork

  • Hero Member
  • *****
  • Posts: 1290
Hello,
Raw socket access is required for tools like ping, traceroute etc. to send ICMP packets on Linux.
Only the root user can use raw socket access.
If you just want to use ping to see if a server is alive, try to use a tcp connection with an opened port on the server.
Friendly, J.P
Jurassic computer : Sinclair ZX81 - Zilog Z80A à 3,25 MHz - RAM 1 Ko - ROM 8 Ko

Thausand

  • Sr. Member
  • ****
  • Posts: 457
Quote
Aren't SOCK_DGRAM and IPPROTO_ICMP already available on older versions? And isn't it just that Trixie is only implementing this now in ping versions?
Yes, that is true.

Quote
In that case you could create your own ping function with SOCK_DGRAM and IPPROTO_ICMP without needing privileges.
Yes, also true.

If you make the ping yourself, then it works and you do not have to use privileges. But if you want to use ping, then as I understand it (maybe I am wrong?) the PROTO capability needs to be enabled for ping.

PS: the change with trixie is new to me, I did not know and just read about it. I have not read what all the changes are, so I may be wrong and not understand correctly.
« Last Edit: August 20, 2025, 03:22:56 pm by Thausand »

rvk

  • Hero Member
  • *****
  • Posts: 6922
Quote
But if you want to use ping, then as I understand it (maybe I am wrong?) the PROTO capability needs to be enabled for ping.
The default ping in Linux (before Trixie) uses RAW sockets. They always need privileges.
If you do ls /bin/ping -ltr you see that it has an "s" in the user permissions (setuid). That means it runs as that user (in the case of ping it runs as root).
That's why you don't need to do sudo ping ip.

The new ping in Trixie uses SOCK_DGRAM and IPPROTO_ICMP.
The privileges for that are regulated by net.ipv4.ping_group_range.
But apparently this is already set very liberally in the new Debian version so unprivileged users already have permissions there.

I just checked in Bookworm and got this:
Quote
$ sudo sysctl -a | grep ping
net.ipv4.ping_group_range = 0   2147483647
net.ipv4.tcp_pingpong_thresh = 1

So my guess is that it's allowed there too for unprivileged users.
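The group check behind net.ipv4.ping_group_range, as an added C example (not code from this thread or from Synapse; the function names are hypothetical). It compares the process's effective and supplementary group ids with the inclusive range; the kernel's built-in default "1 0" is an empty range that allows nobody, so the value the distribution sets is what decides.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Returns 1 if any gid in gids[0..n) lies inside the inclusive range in
 * `range` ("low high", as printed by sysctl), 0 if none does, -1 if the
 * string cannot be parsed. A range with low > high matches no group. */
int ping_range_allows(const char *range, const gid_t *gids, int n)
{
    unsigned long lo, hi;
    if (sscanf(range, "%lu %lu", &lo, &hi) != 2)
        return -1;
    for (int i = 0; i < n; i++)
        if (gids[i] >= lo && gids[i] <= hi)
            return 1;
    return 0;
}

/* Applies the check to the calling process: supplementary groups plus
 * the effective gid, against the live sysctl value. */
int current_process_may_ping(void)
{
    char line[64];
    gid_t gids[257];
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (!f)
        return -1;
    if (!fgets(line, sizeof line, f)) { fclose(f); return -1; }
    fclose(f);
    int n = getgroups(256, gids);
    if (n < 0)
        return -1;
    gids[n++] = getegid();
    return ping_range_allows(line, gids, n);
}

int main(void)
{
    int r = current_process_may_ping();
    printf("unprivileged ICMP datagram sockets: %s\n",
           r == 1 ? "allowed" : r == 0 ? "denied by ping_group_range" : "unknown");
    return 0;
}
```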

Hartmut

  • Hero Member
  • *****
  • Posts: 1047
Quote
If you want ping without root, then you have to use a capability (setcap). You can always make a group that has raw socket capability, but the normal way is to grant the program raw socket capability.

Thank you Thausand. I'm aware that I can set the 'net_raw' capability on my program. But this has 2 disadvantages:
 - after each new compile (and that can be many times a day) I have to repeat that step and this step needs sudo
 - the users of my program must repeat this step after every program-update and this step needs sudo
Both make this solution quite uncomfortable.

But you wrote:
Quote
You can always make a group that has raw socket capability
Does that mean:
 - I create a new group and give it raw socket capability
 - then I add the current user to this group
 - after this, all programs which are started by the current user, do not need sudo any longer to use the PING feature of Synapse?
This would be a great solution!
Did you mean this?

Quote
I just read that trixie made a change again and does not use raw sockets but now uses proto capability. So it looks like it depends on distribution and version. I have not tested with trixie (I do not have trixie).
By trixie you mean Debian 13 "Trixie"?



Quote
Couldn't you do it like it's done for the ping command itself? There the /bin/ping is just set as setuid root.
chown root:root /path/yourapp; chmod u+srwx,go=rx /path/yourapp

Thanks rvk too. I'm aware of this possibility. But this has 3 disadvantages:
 - after each new compile (and that can be many times a day) I have to repeat those 2 steps and these steps need sudo
 - the users of my program must repeat these 2 steps after every program-update and these steps need sudo
Both make this solution quite uncomfortable.
And AFAIK GUI-programs should not run with root privileges.

Quote
Aren't SOCK_DGRAM and IPPROTO_ICMP already available on older versions? And isn't it just that Trixie is only implementing this now in ping versions?
In that case you could create your own ping function with SOCK_DGRAM and IPPROTO_ICMP without needing privileges.

I'm a bloody beginner to all that network stuff. The above would be very far beyond my horizon. I would like to use Synapse for PING, because then I have to code everything only once and it works for Linux + Windows.



Quote
Raw socket access is required for tools like ping, traceroute etc. to send ICMP packets on Linux.
Only the root user can use raw socket access.
If you just want to use ping to see if a server is alive, try to use a tcp connection with an opened port on the server.

Thank you Jurassic Pork. To "use a tcp connection with an opened port on the server" would be very difficult for me as a bloody beginner to all that network stuff.
In this case it would be easier for me:
 - for Windows to use PING via Synapse
 - and for Linux to call /usr/bin/ping from my program. For that I would have to use "sudo chmod u+s /usr/bin/ping" only once.

Conclusion:
The only possible solution left seems to be the one from Thausand: to create a new group, give it raw socket capability and add the current user to this group (as I described at the beginning of this post), if I understood him correctly. Did I?

Thanks again for all your help.

rvk

  • Hero Member
  • *****
  • Posts: 6922
Quote
Aren't SOCK_DGRAM and IPPROTO_ICMP already available on older versions? And isn't it just that Trixie is only implementing this now in ping versions?
In that case you could create your own ping function with SOCK_DGRAM and IPPROTO_ICMP without needing privileges.
I'm a bloody beginner to all that network stuff. The above would be very far beyond my horizon. I would like to use Synapse for PING, because then I have to code everything only once and it works for Linux + Windows.
Of course we could help craft a function (using Synapse) to use. I would have to dive into this.

Quote
Thank you Jurassic Pork. To "use a tcp connection with an opened port on the server" would be very difficult for me as a bloody beginner to all that network stuff.
In this case it would be easier for me:
 - for Windows to use PING via Synapse
 - and for Linux to call /usr/bin/ping from my program. For that I would have to use "sudo chmod u+s /usr/bin/ping" only once.
If you use the ping command as external program then you would never need to do sudo /bin/ping because on all Linux versions, ping already has setuid root set for /bin/ping. That's normally already set so unprivileged users can use the ping command.


Jurassic Pork

  • Hero Member
  • *****
  • Posts: 1290
Quote
Thank you Jurassic Pork. To "use a tcp connection with an opened port on the server" would be very difficult for me as a bloody beginner to all that network stuff.
In this case it would be easier for me:
It isn't very difficult with Synapse.
Example to check if the freepascal server is alive (test the port 443 (https)):
Code: Pascal
program checktcpConnection;
{$mode objfpc}{$H+}
uses sysutils, laz_synapse, blcksock, synsock;

// Returns True if a TCP connection to Hostname:Port succeeds within TimeoutMS.
function IsServerAlive(const Hostname: string; Port: Integer; TimeoutMS: Integer = 3000): Boolean;
var
  Sock: TTCPBlockSocket;
begin
  Result := False;
  Sock := TTCPBlockSocket.Create;
  try
    Sock.ConnectionTimeout := TimeoutMS;
    Sock.Connect(Hostname, IntToStr(Port));
    Result := Sock.LastError = 0;  // 0 means the connect succeeded
  finally
    Sock.Free;  // always release the socket
  end;
end;

begin
  if IsServerAlive('lazarus.freepascal.org', 443) then  // 443 https
    WriteLn('Server is alive!')
  else
    WriteLn('Server is unreachable.');
end.
Jurassic computer : Sinclair ZX81 - Zilog Z80A à 3,25 MHz - RAM 1 Ko - ROM 8 Ko

rvk

  • Hero Member
  • *****
  • Posts: 6922
Quote
Example to check if the freepascal server is alive (test the port 443 (https)):
Assuming you just want to test for a server (with an open port) and not just for the presence of a computer  ;)

Jurassic Pork

  • Hero Member
  • *****
  • Posts: 1290
Quote
Example to check if the freepascal server is alive (test the port 443 (https)):
Assuming you just want to test for a server (with an open port) and not just for the presence of a computer  ;)
Hello Rvk
Yes! What kind of target does Hartmut want to check?
Jurassic computer : Sinclair ZX81 - Zilog Z80A à 3,25 MHz - RAM 1 Ko - ROM 8 Ko

rvk

  • Hero Member
  • *****
  • Posts: 6922
BTW. I see that the ping in Debian Bookworm already works with SOCK_DGRAM and IPPROTO_ICMP.
The s (setuid) is still set on the ping binary but it's not needed anymore.
(copying the ping and stripping the capabilities works just fine)

So... setuid or set capabilities isn't needed for ping binary anymore (RAW isn't used here).

Quote
$ strace -e socket ping 1.1.1.1
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = 3
socket(AF_INET6, SOCK_DGRAM, IPPROTO_ICMPV6) = 4
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=59 time=8.80 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=59 time=10.1 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=59 time=8.86 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 8.804/9.245/10.075/0.587 ms
strace: Process 683431 detached

 
