SUSE Support

Here When You Need Us

ping: socket: Operation not permitted

This document (000020581) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12

Situation

The ping command returns 'Error: ping: socket: Operation not permitted' when executed by a non-root user.
node1: # su test
test@node1:/> ping -c1 8.8.8.8
ping: socket: Operation not permitted
test@node1:/>
In some cases, it might not return an error message, but it might not actually perform the ping, either:
node1: # su test
test@node1:/> ping -c1 8.8.8.8
node1: #

Resolution

There are various methods to allow non-root users to execute ping.  On most SLES systems, one or more of these are already present after a standard install, so most systems do not run into this issue.  The following methods are all independent.  Choosing one of them should be enough.

1.  The parameter and value:  net.ipv4.ping_group_range="0 2147483647"

For SLES 15:

This parameter can allow non-root users to execute ping on SLES 15.  However, due to potential problems in the usage of this parameter, SUSE is recommending this ONLY for 15 SP3 and above.  On previous SPx, leave this setting at the default of "1 0" and see option #2 or #3 instead, below.

For SLES 12 SP5:

The ability to set this parameter has existed in SLES 12 SP5 for a while, but will not have the desired effect for non-root pinging unless a recent iputils update is installed.  iputils-s20161105-11.3.1 (or newer) is needed.  On previous SPx, leave this setting at the default of "1 0" and see option #2 or #3 instead, below.

The ping_group_range can be set within /etc/sysctl.conf:


net.ipv4.ping_group_range="0 2147483647"

or temporarily set on the fly with the sysctl command, for example:

sysctl net.ipv4.ping_group_range="0 2147483647"


Users whose UIDs are covered by net.ipv4.ping_group_range are allowed to use the ping command:

node1:~ # sysctl net.ipv4.ping_group_range
net.ipv4.ping_group_range = 0    2147483647
node1:~ #
node1:~ # su test
test@node1:/> ping -c1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=3.62 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.620/3.620/3.620/0.000 ms
test@node1:/> 


2.  Alternatively, non-root users can use the ping command if certain "capabilities" are present on the /usr/bin/ping binary.  However, not every configuration supports "capabilities."  For example, capabilities are not supported when the ping binary is located on an NFS mount, or when ping is being executed from within certain kinds of containers, such as a Singularity container.  In those kinds of situations, option #2 is not helpful.

node1:~ # setcap cap_net_raw+p /usr/bin/ping
node1:~ # getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+p
node1:~ #
node1:~ # su test
test@node1:/> ping -c1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=3.62 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.620/3.620/3.620/0.000 ms
test@node1:/>

The above capability method allows more fine grained privileges to be given to non-root users rather than the full power of root.  Testing and research confirm that "cap_net_raw+p" on /usr/bin/ping should be enough to allow non-root users to ping.  However, most SLES 12 and 15 installations have defaulted to "cap_net_raw+ep" so if any problems are seen with +p, it may be worth testing +ep as well.

More information about file capabilities could be found at these links:
https://documentation.suse.com/sles/12-SP5/single-html/SLES-security/
https://documentation.suse.com/sles/15-SP2/single-html/SLES-security/

* In order to use getcap and setcap commands, the libcap-progs package must be installed, which can be done with the command:

zypper install libcap-progs


3.  In some unique circumstances, the permissions mode of /usr/bin/ping may need to be increased to allow execution by non-root users.  This method is no longer preferred, as it carries more security risk.  In older distributions of Linux, such as SLES 11, ping was typically made accessible to non-root users by setting the "setuid" bit on /usr/bin/ping:

# chmod 4755 /usr/bin/ping
# ls -l /usr/bin/ping
-rwsr-xr-x 1 root root 72664 May  7 15:39 /usr/bin/ping

Note the "s" in the permissions displayed above.  This represents the "setuid" bit and allows non-root users to execute as the owner (root).

However, for security reasons, using the setuid bit is no longer a preferred method.  It is safer to use options #1 or #2 above.

Despite that warning, if SLES 12 SP4 or lower is in use and /usr/bin/ping resides on an NFS mount (typically when the root file systems is an NFS mount) then neither method #1 nor #2 will allow non-root users to execute ping.  In that case, it is necessary to add the setuid bit as shown above.  Note that for SLES 15 SP3 (and above) and SLES 12 SP5 with updated iputils, with an NFS mount, method #1 above is sufficient and preferred.

Some administrative commands might remove the setuid bit from certain executables which are not intended to have it.  To make the setuid bit more permanent, edit /etc/permissions.local and add these 2 lines:

/usr/bin/ping       root:root         4755
/usr/bin/ping6      root:root         4755

After which, the following command will always insure that those permissions are present:

chkstat --system


 

Cause

Because of security concerns, traditional methods of allowing non-root users to execute ping (and to obtain sockets) have evolved over time.  Because of these changes, configuration may occasionally need to be verified.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020581
  • Creation Date: 09-Feb-2022
  • Modified Date:04-Nov-2024
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.