ping: socket: Operation not permitted
This document (000020581) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12
Situation
node1: # su test
test@node1:/> ping -c1 8.8.8.8
ping: socket: Operation not permitted
test@node1:/>
In some cases, it might not return an error message, but it might not actually perform the ping, either:
node1: # su test
test@node1:/> ping -c1 8.8.8.8
node1: #
Resolution
There are various methods to allow non-root users to execute ping. On most SLES systems, one or more of these are already present after a standard install, so most systems do not run into this issue. The following methods are all independent. Choosing one of them should be enough.
1. The parameter and value: net.ipv4.ping_group_range="0 2147483647"
For SLES 15:
This parameter can allow non-root users to execute ping on SLES 15. However, due to potential problems in the usage of this parameter, SUSE is recommending this ONLY for 15 SP3 and above. On previous SPx, leave this setting at the default of "1 0" and see option #2 or #3 instead, below.
For SLES 12 SP5:
The ability to set this parameter has existed in SLES 12 SP5 for a while, but will not have the desired effect for non-root pinging unless a recent iputils update is installed. iputils-s20161105-11.3.1 (or newer) is needed. On previous SPx, leave this setting at the default of "1 0" and see option #2 or #3 instead, below.
The ping_group_range can be set within /etc/sysctl.conf:
net.ipv4.ping_group_range="0 2147483647"
or temporarily set on the fly with the sysctl command, for example:
sysctl net.ipv4.ping_group_range="0 2147483647"
Users whose UIDs are covered by net.ipv4.ping_group_range are allowed to use the ping command:
node1:~ # sysctl net.ipv4.ping_group_range
net.ipv4.ping_group_range = 0 2147483647
node1:~ #
node1:~ # su test
test@node1:/> ping -c1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=3.62 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.620/3.620/3.620/0.000 ms
test@node1:/>
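As an added diagnostic (example code written for this article, not part of the SUSE TID or of iputils), the following POSIX shell script reads the live net.ipv4.ping_group_range value and reports whether the calling user is covered by it. The kernel compares the caller's group IDs (what "id -G" prints) against the range, and the default "1 0" is an empty range (lower bound above upper bound), which is why nobody is permitted until the value is changed. The function names ping_gid_allowed and check_current_user are my own.

```shell
#!/bin/sh
# Added example (not from the SUSE TID): decide whether a user's groups fall
# inside net.ipv4.ping_group_range, the kernel setting that permits
# unprivileged ICMP Echo sockets without any file capability or setuid bit.

# ping_gid_allowed RANGE GID...
# RANGE is the sysctl value as a string ("lo hi"); the remaining arguments
# are group IDs to test. Returns 0 if any GID lies in [lo, hi], 1 otherwise.
ping_gid_allowed() {
    range="$1"; shift
    lo=${range% *}          # text before the separating space
    hi=${range#* }          # text after it
    # The default "1 0" is an empty range (lo > hi): nobody is allowed.
    if [ "$lo" -gt "$hi" ]; then
        return 1
    fi
    for gid in "$@"; do
        if [ "$gid" -ge "$lo" ] && [ "$gid" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# check_current_user: read the live value from /proc and test the caller's
# primary and supplementary groups against it.
check_current_user() {
    range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null) || {
        echo "net.ipv4.ping_group_range is not available on this kernel"
        return 2
    }
    # /proc separates the two numbers with a tab; normalise to one space.
    range=$(printf '%s' "$range" | tr '\t' ' ' | tr -s ' ')
    # shellcheck disable=SC2046  (word splitting of id -G is intended)
    if ping_gid_allowed "$range" $(id -G); then
        echo "user $(id -un): covered by ping_group_range ($range)"
        return 0
    fi
    echo "user $(id -un): NOT covered by ping_group_range ($range)"
    return 1
}

# Usage: sh ping_group_check.sh --check
case "${1:-}" in
    --check) check_current_user ;;
esac
```

Run with "--check" as the unprivileged user that cannot ping; if it reports "NOT covered" while the range is "1 0", method #1 is simply not enabled yet, and if it reports "covered" but ping still fails, the iputils version (on SLES 12 SP5) or one of the other methods is the next thing to inspect.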
2. Alternatively, non-root users can use the ping command if certain "capabilities" are present on the /usr/bin/ping binary. However, not every configuration supports "capabilities." For example, capabilities are not supported when the ping binary is located on an NFS mount, or when ping is being executed from within certain kinds of containers, such as a Singularity container. In those kinds of situations, option #2 is not helpful.
node1:~ # setcap cap_net_raw+p /usr/bin/ping
node1:~ # getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+p
node1:~ #
node1:~ # su test
test@node1:/> ping -c1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=3.62 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.620/3.620/3.620/0.000 ms
test@node1:/>
The above capability method allows more fine-grained privileges to be given to non-root users rather than the full power of root. Testing and research confirm that "cap_net_raw+p" on /usr/bin/ping should be enough to allow non-root users to ping. However, most SLES 12 and 15 installations have defaulted to "cap_net_raw+ep", so if any problems are seen with +p, it may be worth testing +ep as well.
More information about file capabilities can be found at these links:
https://documentation.suse.com/sles/12-SP5/single-html/SLES-security/
https://documentation.suse.com/sles/15-SP2/single-html/SLES-security/
* In order to use the getcap and setcap commands, the libcap-progs package must be installed, which can be done with the command:
zypper install libcap-progs
3. In some unique circumstances, the permissions mode of /usr/bin/ping may need to be increased to allow execution by non-root users. This method is no longer preferred, as it carries more security risk. In older distributions of Linux, such as SLES 11, ping was typically made accessible to non-root users by setting the "setuid" bit on /usr/bin/ping:
# chmod 4755 /usr/bin/ping
# ls -l /usr/bin/ping
-rwsr-xr-x 1 root root 72664 May 7 15:39 /usr/bin/ping
Note the "s" in the permissions displayed above. This represents the "setuid" bit and allows non-root users to execute as the owner (root).
However, for security reasons, using the setuid bit is no longer a preferred method. It is safer to use options #1 or #2 above.
Despite that warning, if SLES 12 SP4 or lower is in use and /usr/bin/ping resides on an NFS mount (typically when the root file system is an NFS mount), then neither method #1 nor #2 will allow non-root users to execute ping. In that case, it is necessary to add the setuid bit as shown above. Note that for SLES 15 SP3 (and above) and SLES 12 SP5 with updated iputils, with an NFS mount, method #1 above is sufficient and preferred.
Some administrative commands might remove the setuid bit from certain executables which are not intended to have it. To make the setuid bit more permanent, edit /etc/permissions.local and add these 2 lines:
/usr/bin/ping root:root 4755
/usr/bin/ping6 root:root 4755
Afterwards, the following command will always ensure that those permissions are present:
chkstat --system
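To tell methods #2 and #3 apart on a running system, the following POSIX shell script (an added example written for this article, not SUSE's or libcap's code) classifies /usr/bin/ping by what getcap and the file mode report, and reads back the mode pinned for a path in /etc/permissions.local. The classification and the permissions.local parser take their inputs as arguments so they can be exercised without root or libcap-progs; the names classify_ping_privilege, permissions_local_mode and audit_ping are my own.

```shell
#!/bin/sh
# Added example (not from the SUSE TID): report which mechanism, if any,
# gives non-root users the privilege to run ping: a file capability
# (method #2), the setuid bit (method #3), both, or neither.

# classify_ping_privilege GETCAP_OUTPUT OCTAL_MODE
# GETCAP_OUTPUT is the line getcap prints for the binary ("" if none);
# OCTAL_MODE is the mode as printed by "stat -c %a" (e.g. 755 or 4755).
# Prints one of: capability, setuid, setuid+capability, none.
classify_ping_privilege() {
    caps="$1"
    mode="$2"
    has_cap=0
    has_suid=0
    # Older libcap prints "cap_net_raw+p", newer "cap_net_raw=p"; either way
    # the flag letters after the name must include "p" (permitted set).
    case "$caps" in
        *cap_net_raw*)
            flags=${caps##*cap_net_raw}   # text after the capability name
            flags=${flags%% *}            # stop at the next space, if any
            case "$flags" in
                *[+=]*p*) has_cap=1 ;;
            esac ;;
    esac
    # The setuid bit is the 4 in the leading digit of a four-digit mode.
    case "$mode" in
        [4567]???) has_suid=1 ;;
    esac
    if [ "$has_cap" -eq 1 ] && [ "$has_suid" -eq 1 ]; then
        echo "setuid+capability"
    elif [ "$has_cap" -eq 1 ]; then
        echo "capability"
    elif [ "$has_suid" -eq 1 ]; then
        echo "setuid"
    else
        echo "none"
    fi
}

# permissions_local_mode FILE PATH
# Prints the mode field of the permissions.local entry for PATH; lines are
# "<path> <owner:group> <mode>", blank lines and # comments are skipped.
permissions_local_mode() {
    file="$1"
    path="$2"
    while read -r p og m; do
        case "$p" in ''|'#'*) continue ;; esac
        if [ "$p" = "$path" ]; then
            printf '%s\n' "$m"
            return 0
        fi
    done < "$file"
    return 1
}

# audit_ping [BINARY]: run the classification against the live system.
audit_ping() {
    bin=${1:-/usr/bin/ping}
    caps=""
    if command -v getcap >/dev/null 2>&1; then   # needs libcap-progs
        caps=$(getcap "$bin" 2>/dev/null)
    fi
    mode=$(stat -c %a "$bin")
    printf '%s: %s\n' "$bin" "$(classify_ping_privilege "$caps" "$mode")"
    if [ -r /etc/permissions.local ]; then
        pinned=$(permissions_local_mode /etc/permissions.local "$bin") &&
            printf '%s: permissions.local pins mode %s\n' "$bin" "$pinned"
    fi
}

# Usage: sh ping_privilege_audit.sh --audit [/path/to/ping]
case "${1:-}" in
    --audit) audit_ping "${2:-/usr/bin/ping}" ;;
esac
```

A result of "none" on a host where ping_group_range is still "1 0" explains the "Operation not permitted" error directly; "setuid+capability" means method #3 is in place on top of method #2 and the setuid bit can be dropped (chmod 0755 and removing the permissions.local line) without losing non-root ping. Remember that a capability shown by getcap is not honoured when the binary sits on NFS or inside the container types named above, so the classification describes the file, not necessarily what the kernel will grant at execution time.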
Cause
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020581
- Creation Date: 09-Feb-2022
- Modified Date:04-Nov-2024
- SUSE Linux Enterprise Server