[Bug 2047507] [NEW] insufficient privileges for ping

Jingzi Meng 2047507 at bugs.launchpad.net
Wed Dec 27 08:50:51 UTC 2023


Public bug reported:

Description:	Ubuntu 22.04.3 LTS
Release:	22.04
Package Version: iputils-ping 3:20211215-1

Expected to happen: Use the full functionality of ping as an unprivileged
user.

What happened instead: In most cases, ping works fine. However, when
using the ‘-m’ option to mark outgoing packets, it fails due to lack of
privileges.

ping -m 11 www.ubuntu.com
ping: WARNING: failed to set mark: 11: Operation not permitted
PING www.ubuntu.com (185.125.190.21) 56(84) bytes of data.
ping: WARNING: failed to set mark: 11: Operation not permitted
64 bytes from website-content-cache-2.ps5.canonical.com (185.125.190.21): icmp_seq=1 ttl=128 time=270 ms
64 bytes from website-content-cache-2.ps5.canonical.com (185.125.190.21): icmp_seq=2 ttl=128 time=269 ms
64 bytes from website-content-cache-2.ps5.canonical.com (185.125.190.21): icmp_seq=3 ttl=128 time=255 ms

Problems: ping command is configured with cap_net_raw, but in order to
tag the outgoing packets, cap_net_admin is needed as well. After we
switch to root and assign these two capabilities (cap_net_admin and
cap_net_raw) to the ping binary, 'ping -m' works fine.

getcap `which ping`
/usr/bin/ping cap_net_raw=ep
sudo setcap cap_net_admin,cap_net_raw+ep /usr/bin/ping
ping -m 11 www.ubuntu.com
PING www.ubuntu.com (185.125.190.20) 56(84) bytes of data.
64 bytes from website-content-cache-1.ps5.canonical.com (185.125.190.20): icmp_seq=1 ttl=128 time=298 ms
64 bytes from website-content-cache-1.ps5.canonical.com (185.125.190.20): icmp_seq=2 ttl=128 time=339 ms
64 bytes from website-content-cache-1.ps5.canonical.com (185.125.190.20): icmp_seq=3 ttl=128 time=323 ms
64 bytes from website-content-cache-1.ps5.canonical.com (185.125.190.20): icmp_seq=4 ttl=128 time=305 ms

Since the ping command chooses to use capabilities instead of superuser
privileges (which is conducive to least privilege), it should be given
enough capabilities to do the whole thing.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: iputils-ping 3:20211215-1
ProcVersionSignature: Ubuntu 6.2.0-39.40~22.04.1-generic 6.2.16
Uname: Linux 6.2.0-39-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Wed Dec 27 16:24:56 2023
InstallationDate: Installed on 2023-12-26 (0 days ago)
InstallationMedia: Ubuntu 22.04.3 LTS "Jammy Jellyfish" - Release amd64 (20230807.2)
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: iputils
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: iputils (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug jammy wayland-session

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to iputils in Ubuntu.
https://bugs.launchpad.net/bugs/2047507

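An added example, not part of the original report or of iputils: a check that parses `getcap` output in the format shown in the report and lists the capabilities a binary has gained relative to a recorded baseline, which is how the `setcap` change described above would show up in a file-capability audit. The function names and the two sample lines are constructed; the parser assumes one capability clause per line with named capabilities only.

```python
import re

# Constructed sample input: `getcap` lines in the format shown in the report,
# before and after the `setcap` command was run.
BASELINE = "/usr/bin/ping cap_net_raw=ep\n"
CURRENT = "/usr/bin/ping cap_net_admin,cap_net_raw=ep\n"

# One clause: comma-separated capability names, then one or more
# operator/flag groups (= + -, flags e/i/p), e.g. "cap_net_raw=ep".
CLAUSE = re.compile(r"^([a-z0-9_]+(?:,[a-z0-9_]+)*)((?:[=+-][eip]*)+)$")


def parse_clause(text):
    """Return {'e': set, 'i': set, 'p': set} for a single capability clause."""
    match = CLAUSE.match(text)
    if match is None:
        raise ValueError(f"unsupported capability clause: {text!r}")
    caps = set(match.group(1).split(","))
    sets = {"e": set(), "i": set(), "p": set()}
    for op, letters in re.findall(r"([=+-])([eip]*)", match.group(2)):
        if op == "=":  # '=' first clears the listed caps from every set
            for members in sets.values():
                members -= caps
        for letter in letters:
            if op == "-":
                sets[letter] -= caps
            else:
                sets[letter] |= caps
    return sets


def parse_getcap(output):
    """Map each path in `getcap` output to its parsed capability sets."""
    result = {}
    for line in output.splitlines():
        if line.strip():
            path, clause = line.rsplit(None, 1)
            result[path] = parse_clause(clause)
    return result


def added_capabilities(baseline, current):
    """List (path, flag, capability) present now but absent from the baseline."""
    empty = {"e": set(), "i": set(), "p": set()}
    found = []
    for path, sets in current.items():
        before = baseline.get(path, empty)
        for flag, caps in sets.items():
            found += [(path, flag, cap) for cap in caps - before[flag]]
    return sorted(found)
```

Calling `added_capabilities(parse_getcap(BASELINE), parse_getcap(CURRENT))` reports cap_net_admin as newly present in both the effective and permitted sets of /usr/bin/ping.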