| View previous topic :: View next topic |
| Author |
Message |
Gnosis
n00b
Joined: 01 Aug 2021
Posts: 12
|
 Posted: Sun Sep 26, 2021 8:16 pm Post subject: Unable to ping as regular user |
 |
|
I'm unable to ping as a regular user or use the network at all. For instnace, the output of is | Code: | | ping: socket: Operation not permitted |
However, when running ping as root or with doas, it's able to ping just fine.
The contents of /etc/conf.d/net are:
| Code: | config_eth0="noop
dhcp" |
I've restored the traditional network device names by creating a symbolic link from /etc/udev/rules.d/80-net-setup-link.rules to /dev/null
I've linked /etc/init.d/net.lo to /etc/init.d/net.eth0
I'm running on glibc hardened
my user is a member of the groups | Code: | | lp whell audio cdrom video usb users portage |
as well as its own group.
I can use ping just fine when I elevate my privileges via doas or login as root, but my regular user can't access the network. |
|
| Back to top |
|
 |
CooSee
Veteran
Joined: 20 Nov 2004
Posts: 1507
Location: Earth
|
| Posted: Mon Sep 27, 2021 5:28 pm Post subject: |
|
|
i didn't create any file like /etc/conf.d/net
using openrc with -netifrc and dhcpd and it's added to default runlevel.
i use a udev rule which is copied from my old funtoo install:
| Code: | | SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="aa:bb:cc:dd:ee:ff", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0" |
and there's no spoon, i mean whell group !
| Code: | | lp whell audio cdrom video usb users portage |
my user groups are:
| Code: | | wheel audio cdrom video usb input users greetd myuser |
changed my username here because it's none of anyones business  - no offence  - MAC adress obove changed as well !
good luck
_________________
" Die Realität ist eine Illusion, die durch Mangel an ehrlicher Kommunikation entsteht "
---
" Der Mensch ist von Natur aus neugierig, was am Ende übrig bleibt ist die Gier "
Last edited by CooSee on Mon Sep 27, 2021 6:06 pm; edited 5 times in total |
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 23100
|
| Posted: Mon Sep 27, 2021 5:47 pm Post subject: |
|
|
ping is a special case, since it needs either raw sockets or the kernel's special ICMP echo rules. From the output shown, ping was not run with privilege and was not able to use the special rule. What is the output of cat /proc/sys/net/ipv4/ping_group_range ; ls -l /bin/ping* ; getcap /bin/ping ; emerge --pretend --verbose net-misc/iputils ; setpriv -d?
OP: for the non-ping error, please post the error messages as shown by the program. |
|
| Back to top |
|
|
CooSee
Veteran
Joined: 20 Nov 2004
Posts: 1507
Location: Earth
|
| Posted: Mon Sep 27, 2021 6:08 pm Post subject: |
|
|
good info @hu
i tried with an additional user just for testing - even without wheel group and ping works anyway.
_________________
" Die Realität ist eine Illusion, die durch Mangel an ehrlicher Kommunikation entsteht "
---
" Der Mensch ist von Natur aus neugierig, was am Ende übrig bleibt ist die Gier " |
|
| Back to top |
|
|
Gnosis
n00b
Joined: 01 Aug 2021
Posts: 12
|
| Posted: Mon Sep 27, 2021 9:22 pm Post subject: |
|
|
| Hu wrote: | | What is the output of cat /proc/sys/net/ipv4/ping_group_range ; ls -l /bin/ping* ; getcap /bin/ping ; emerge --pretend --verbose net-misc/iputils ; setpriv -d? |
Thanks Hu,
Here's the output:
| Code: | 1 0
-rwx--x--x 1 root root 68184 Aug 4 00:18 /bin/ping
lrwxrwxrwx 1 root root 4 Aug 4 00:18 /bin/ping4 -> ping
lrwxrwxrwx 1 root root 4 Aug 4 00:18 /bin/ping6 -> ping
-rwx--x--x 1 root root 68184 Sep 26 21:51 /bin/ping_old
These are the packages that would be merged, in order:
Calculating dependencies .... done!
[ebuild R ] net-misc/iputils-20210722::gentoo USE="arping filecaps ipv6 ssl -caps -clockdiff -doc -gcrypt -idn -nettle -nls -rarpd -rdisc -static -test% -tftpd
-tracepath -traceroute6" 0 KiB
Total: 1 package (1 reinstall), Size of downloads: 0 KiB
uid: 1000
euid: 1000
gid: 1000
egid: 1000
Supplementary groups: 7,10,18,19,27,85,100,250,1000
no_new_privs: 0
Inheritable capabilities: [none]
Ambient capabilities: [none]
Capability bounding set: chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,
ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,
setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read,perfmon,bpf,checkpoint_restore
Securebits: [none]
Parent death signal: [none]
SELinux label: kernel |
Last edited by Gnosis on Mon Sep 27, 2021 11:47 pm; edited 1 time in total |
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 23100
|
| Posted: Mon Sep 27, 2021 10:43 pm Post subject: |
|
|
You do not have the special ICMP echo enabled in the kernel. That is fine.
You have an unexpected ping_old, which looks weird. Your ping is not suid, which is expected if it is built with USE=filecaps. Your ping has no capabilities, which is not expected if built with USE=filecaps. Have you been copying files around outside of Portage? Was this system migrated from one disk to another? |
|
| Back to top |
|
|
Gnosis
n00b
Joined: 01 Aug 2021
Posts: 12
|
| Posted: Mon Sep 27, 2021 11:42 pm Post subject: |
|
|
| Hu wrote: | | You have an unexpected ping_old, which looks weird. |
I was running chmod on ping to see if that might fix the issue. ping_old is just a backup of the binary I created before I started messing with it.
| Hu wrote: | | Was this system migrated from one disk to another? |
No.
| Hu wrote: | | You do not have the special ICMP echo enabled in the kernel. |
Would the easiest fix be to enable it?
| Hu wrote: | | Your ping has no capabilities, which is not expected if built with USE=filecaps |
What capabilities should it have? And what relationship do these capabilities have with USE-filecaps?
Thanks |
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 23100
|
| Posted: Tue Sep 28, 2021 1:36 am Post subject: |
|
|
| Gnosis wrote: | | Would the easiest fix be to enable it? |
That might make ping work, but it ought to work without it. You could also try re-emerging iputils, though without understanding how you ended up with an install that is neither suid nor fcaps, it is uncertain whether a reinstall will fix anything. | Gnosis wrote: | | What capabilities should it have? And what relationship do these capabilities have with USE-filecaps? |
USE=filecaps causes the ebuild to set the capabilities to grant cap_net_raw: | iputils-20210722.ebuild: | pkg_postinst() {
fcaps cap_net_raw \
bin/ping \ |
For me: | Code: | # getcap /bin/ping
/bin/ping cap_net_raw=ep
# |
|
|
| Back to top |
|
|
Gnosis
n00b
Joined: 01 Aug 2021
Posts: 12
|
| Posted: Tue Sep 28, 2021 1:49 am Post subject: |
|
|
Upgrading to the latest kernel magically fixed it somehow.
After emerging @world I had been too lazy to compile kernel 5.14.8 and was still running kernel 5.13.7 (it had been a while). Maybe the fact that I was running newer software with an older kernel was the issue? |
|
| Back to top |
|
|
Hu
Administrator
Joined: 06 Mar 2007
Posts: 23100
|
| Posted: Tue Sep 28, 2021 2:08 am Post subject: |
|
|
| That should not cause this problem. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
