5

I have copied my /usr/bin/ping file to another location (my home directory) with just a typical cp /bin/ping p command and then it stopped working, because the lack of permissions. Precisely:

Ping: icmp open socket: Operation not permitted.

I know that sudo would rather solve my problem, but I should not log in as a superuser.
I also know that it is (probably) all about the lack of some permissions or capabilities (in fact getcap for my copied file shows it's missing the original ping's capabilities), but unfortunately I am not able to use setcap without root privileges .. or maybe I am? Somehow?

How could I solve this problem and be able to use my ping file copy ./p?

mtszkw
  • 223
  • 3
  • 8
  • My `ping` executable is not located at `/usr/bin/ping` but at `/bin/ping`. Can you please [edit] your question and add the output of `ls -l ./p /bin/ping /usr/bin/ping`? And can you use `sudo` (i.e. do you have an admin account or just a restricted one)? You will probably need it to fix this, I think. – Byte Commander Nov 18 '15 at 16:16
  • 1
    Why do you need to work with a copy of `ping` at all by the way? – Byte Commander Nov 18 '15 at 16:21
  • @ByteCommander, of course you are right. My problem is actually about Fedora, not Ubuntu. But if I change the path to `bin/ping` as you said it is actually still a good question. – mtszkw Nov 18 '15 at 16:21
  • @ByteCommander, that's some kind of assignment or rather a challenge from my ex-teacher and I'd like to beat it. – mtszkw Nov 18 '15 at 16:22
  • If you are using Fedora, could be selinux as well ;) – Panther Nov 18 '15 at 16:22
  • 1
    So you must operate on an account without `sudo` privilege and manage to get a copy of the `ping` executable running. I understand. – Byte Commander Nov 18 '15 at 16:23
  • @ByteCommander, exactly, sir. – mtszkw Nov 18 '15 at 16:24
  • @MateuszKwasniak Based on the information in this thread, your best bet is to find a security flaw in your operating system, and get a privilege elevation to root. No other easy way to do it as your current user. ICMP is too far down in the stack for the kernel to give you access to that. UDP and TCP are fair game, but going down to layer 3 is tricky as an ordinary user. – Naftuli Kay Nov 19 '15 at 01:40
  • @NaftuliTzviKay, Yep. I have already realised that it's not possible. Thanks. – mtszkw Nov 19 '15 at 08:17

2 Answers2

10
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping

The s in rws means ping is setuid. When you run it, it runs as its owner, root.

That's how it has the permission to ping. You can sudo setcap cap_net_raw=ep ./ping but ultimately ICMP is under "raw sockets" so this isn't a small number of operations. It would allow another application to spoof network traffic.

For this to be "secure" and ping, the file would have to be owned by root to stop the application being edited by other users.

Perhaps setcap will one day let you specify a hash signature for executable too.

Oli
  • 289,791
  • 117
  • 680
  • 835
  • You should maybe add that one would need to run `chmod 4755 ./p && sudo chown root: ./p` to set the correct original permissions for the file. – Byte Commander Nov 18 '15 at 16:29
  • 3
    It's probably better to grab a fresh copy in a way that preserves file attributes `sudo cp -a /bin/ping ./p` (just in case something untoward has already happened to the file). – Oli Nov 18 '15 at 16:33
4

As noticed by Oli, ping is setuid --- run as root when called.

However, if you copy it with 

cp -a /usr/bin/ping ./myping

the target will lose the setuid bit --- you copy the file, but you can only create files with your own user's permissions, and your regular user can't create a setuid-root binary. It will be a huge security hole otherwise (now you can modify your copy of ping)!

If you want to maintain the setuid bit, you must copy with sudo cp -a. No way around this, I hope.

Community
  • 1
Rmano
  • 31,627
  • 16
  • 118
  • 187