5

I have copied my /usr/bin/ping file to another location (my home directory) with just a typical cp /bin/ping p command and then it stopped working, because of the lack of permissions. Precisely:

Ping: icmp open socket: Operation not permitted.

I know that sudo would rather solve my problem, but I should not log in as a superuser.
I also know that it is (probably) all about the lack of some permissions or capabilities (in fact getcap for my copied file shows it's missing the original ping's capabilities), but unfortunately I am not able to use setcap without root privileges... or maybe I am? Somehow?

How could I solve this problem and be able to use my ping file copy ./p?

mtszkw
  • 223

2 Answers

10
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping

The s in rws means ping is setuid. When you run it, it runs as its owner, root.

That's how it has the permission to ping. You can sudo setcap cap_net_raw=ep ./ping but ultimately ICMP is under "raw sockets" so this isn't a small number of operations. It would allow another application to spoof network traffic.

For this to be "secure" and ping, the file would have to be owned by root to stop the application being edited by other users.

Perhaps setcap will one day let you specify a hash signature for the executable too.

Oli
  • 299,380
4

As noticed by Oli, ping is setuid --- run as root when called.

However, if you copy it with

cp -a /usr/bin/ping ./myping

the target will lose the setuid bit --- you copy the file, but you can only create files with your own user's permissions, and your regular user can't create a setuid-root binary. It would be a huge security hole otherwise (now you can modify your copy of ping)!

If you want to maintain the setuid bit, you must copy with sudo cp -a. No way around this, I hope.

Rmano
  • 32,167
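
To see which of the two mechanisms discussed in the answers above a binary relies on, and what a copy has lost, the following added example (not part of either answer) reads the setuid bit and the security.capability extended attribute, which is where Linux stores file capabilities. The function names and the script layout are assumptions made for this illustration.

```python
import os
import stat
import sys

CAP_XATTR = "security.capability"  # xattr in which Linux stores file capabilities


def classify(mode, uid, has_caps):
    """List the ways a file with these attributes gains privilege when executed."""
    sources = []
    if stat.S_ISREG(mode) and mode & stat.S_ISUID:
        sources.append("setuid-root" if uid == 0 else f"setuid-uid-{uid}")
    if has_caps:
        sources.append("file-capabilities")
    return sources


def has_file_caps(path):
    """True if the file carries a security.capability xattr (what getcap reads)."""
    try:
        os.getxattr(path, CAP_XATTR)
        return True
    except (OSError, AttributeError):  # none set, no xattr support, or non-Linux
        return False


def privilege_sources(path):
    st = os.stat(path)
    return classify(st.st_mode, st.st_uid, has_file_caps(path))


def lost_in_copy(original, copy):
    """Privilege sources present on the original but missing from the copy."""
    have = privilege_sources(copy)
    return [s for s in privilege_sources(original) if s not in have]


if __name__ == "__main__":
    # Example invocation: python3 privcheck.py /bin/ping ./p
    if len(sys.argv) != 3:
        sys.exit("usage: privcheck.py ORIGINAL COPY")
    original, copy = sys.argv[1], sys.argv[2]
    for p in (original, copy):
        print(p, privilege_sources(p) or ["none"])
    print("lost in copy:", lost_in_copy(original, copy) or ["nothing"])
```

An unprivileged copy reports neither source: the new file is owned by the copying user, and writing security.capability requires CAP_SETFCAP, which a regular user does not hold.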