# Unable to ping as regular user

## Gnosis

I'm unable to ping as a regular user or use the network at all. For instance, the output of 

```
ping fsf.org -c 4
```

 is 

```
ping: socket: Operation not permitted
```

However, when running ping as root or with doas, it's able to ping just fine.

The contents of /etc/conf.d/net are:

```
config_eth0="noop
dhcp"
```

I've restored the traditional network device names by creating a symbolic link from /etc/udev/rules.d/80-net-setup-link.rules to /dev/null.

I've linked /etc/init.d/net.lo to /etc/init.d/net.eth0.

I'm running on glibc hardened.

My user is a member of the groups 

```
lp whell audio cdrom video usb users portage
```

 as well as its own group.

I can use ping just fine when I elevate my privileges via doas or login as root, but my regular user can't access the network.

----------

## CooSee

i didn't create any file like /etc/conf.d/net

using openrc with -netifrc and dhcpd and it's added to default runlevel.

i use a udev rule which is copied from my old funtoo install:

```
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="aa:bb:cc:dd:ee:ff", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
```

and there's no spoon, i mean whell group !

```
lp whell audio cdrom video usb users portage
```

my user groups are:

```
wheel audio cdrom video usb input users greetd myuser 
```

changed my username here because it's none of anyone's business :Wink: - no offence :Rolling Eyes: - MAC address above changed as well !

good luck

----------

## Hu

ping is a special case, since it needs either raw sockets or the kernel's special ICMP echo rules.  From the output shown, ping was not run with privilege and was not able to use the special rule.  What is the output of cat /proc/sys/net/ipv4/ping_group_range ; ls -l /bin/ping* ; getcap /bin/ping ; emerge --pretend --verbose net-misc/iputils ; setpriv -d?

OP: for the non-ping error, please post the error messages as shown by the program.

----------

## CooSee

good info @hu

i tried with an additional user just for testing - even without wheel group and ping works anyway.

----------

## Gnosis

 *Hu wrote:*   

>  What is the output of cat /proc/sys/net/ipv4/ping_group_range ; ls -l /bin/ping* ; getcap /bin/ping ; emerge --pretend --verbose net-misc/iputils ; setpriv -d?

 

Thanks Hu,

Here's the output:

```
1   0
-rwx--x--x 1 root root 68184 Aug  4 00:18 /bin/ping
lrwxrwxrwx 1 root root     4 Aug  4 00:18 /bin/ping4 -> ping
lrwxrwxrwx 1 root root     4 Aug  4 00:18 /bin/ping6 -> ping
-rwx--x--x 1 root root 68184 Sep 26 21:51 /bin/ping_old

These are the packages that would be merged, in order:

Calculating dependencies  .... done!
[ebuild   R    ] net-misc/iputils-20210722::gentoo  USE="arping filecaps ipv6 ssl -caps -clockdiff -doc -gcrypt -idn -nettle -nls -rarpd -rdisc -static -test% -tftpd -tracepath -traceroute6" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB

uid: 1000
euid: 1000
gid: 1000
egid: 1000
Supplementary groups: 7,10,18,19,27,85,100,250,1000
no_new_privs: 0
Inheritable capabilities: [none]
Ambient capabilities: [none]
Capability bounding set: chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read,perfmon,bpf,checkpoint_restore
Securebits: [none]
Parent death signal: [none]
SELinux label: kernel
```

Last edited by Gnosis on Mon Sep 27, 2021 11:47 pm; edited 1 time in total

----------

## Hu

You do not have the special ICMP echo enabled in the kernel.  That is fine.

You have an unexpected ping_old, which looks weird.  Your ping is not suid, which is expected if it is built with USE=filecaps.  Your ping has no capabilities, which is not expected if built with USE=filecaps.  Have you been copying files around outside of Portage?  Was this system migrated from one disk to another?

----------

## Gnosis

 *Hu wrote:*   

> You have an unexpected ping_old, which looks weird.

 

I was running chmod on ping to see if that might fix the issue. ping_old is just a backup of the binary I created before I started messing with it.

 *Hu wrote:*   

> Was this system migrated from one disk to another?

 

No.

 *Hu wrote:*   

> You do not have the special ICMP echo enabled in the kernel.

 

Would the easiest fix be to enable it?

 *Hu wrote:*   

> Your ping has no capabilities, which is not expected if built with USE=filecaps

 

What capabilities should it have? And what relationship do these capabilities have with USE-filecaps?

Thanks

----------

## Hu

 *Gnosis wrote:*   

> Would the easiest fix be to enable it?

That might make ping work, but it ought to work without it.  You could also try re-emerging iputils, though without understanding how you ended up with an install that is neither suid nor fcaps, it is uncertain whether a reinstall will fix anything.

 *Gnosis wrote:*   

> What capabilities should it have? And what relationship do these capabilities have with USE-filecaps?

 USE=filecaps causes the ebuild to set the capabilities to grant cap_net_raw:

```
pkg_postinst() {
    fcaps cap_net_raw \
        bin/ping \
```

For me:

```
# getcap /bin/ping
/bin/ping cap_net_raw=ep
# 
```

----------
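Added example, not part of any post in this thread: a small shell classifier for the three ways discussed above that an unprivileged user can be allowed to run ping (the kernel's ICMP echo socket via ping_group_range, a cap_net_raw file capability, or a setuid-root binary). The function names are hypothetical; the sample inputs are the values posted in the thread.

```shell
#!/bin/sh
# Inputs are the strings printed by the diagnostic commands from the thread.

# group_in_range "MIN MAX" "gid,gid,..." -> 0 if any gid lies in [MIN, MAX].
# The default "1 0" is an empty range, so no group qualifies.
group_in_range() {
    set -- $1 "$2"              # split "MIN MAX"; the gid list becomes $3
    min=$1 max=$2
    for gid in $(printf '%s' "$3" | tr ',' ' '); do
        [ "$gid" -ge "$min" ] && [ "$gid" -le "$max" ] && return 0
    done
    return 1
}

# has_net_raw "<getcap line>" -> 0 if cap_net_raw appears with the permitted
# flag. Heuristic text match covering "cap_net_raw=ep" and "cap_net_raw+ep".
has_net_raw() {
    case $1 in *cap_net_raw*[+=]*p*) return 0 ;; esac
    return 1
}

# is_setuid "<ls -l mode string>" -> 0 if the owner-execute slot is "s".
is_setuid() {
    case $1 in ???s*) return 0 ;; esac
    return 1
}

# ping_mechanism RANGE GIDS MODE GETCAP -> prints the first mechanism found,
# in the order checked here, or "none".
ping_mechanism() {
    if group_in_range "$1" "$2"; then echo icmp-datagram-socket
    elif has_net_raw "$4"; then echo file-capability
    elif is_setuid "$3"; then echo setuid-root
    else echo none
    fi
}

# Gnosis's posted values: empty range, mode without suid, empty getcap output.
ping_mechanism "1 0" "7,10,18,19,27,85,100,250,1000" "-rwx--x--x" ""
# Same system with Hu's getcap line instead.
ping_mechanism "1 0" "1000" "-rwx--x--x" "/bin/ping cap_net_raw=ep"

# Live use on the machine being debugged:
# ping_mechanism "$(cat /proc/sys/net/ipv4/ping_group_range)" \
#     "$(id -G | tr ' ' ',')" "$(stat -c %A /bin/ping)" "$(getcap /bin/ping)"
```

A result of `none` corresponds to the `ping: socket: Operation not permitted` error in the first post.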

## Gnosis

Upgrading to the latest kernel magically fixed it somehow.

After emerging @world I had been too lazy to compile kernel 5.14.8 and was still running kernel 5.13.7 (it had been a while). Maybe the fact that I was running newer software with an older kernel was the issue?

----------

## Hu

That should not cause this problem.

----------

