Gentoo Forums
strange ping to ipv6 behaviour
jamapii (l33t; joined 16 Sep 2004; posts: 637)
Posted: Thu Nov 25, 2021 12:13 am    Post subject: strange ping to ipv6 behaviour

Hi,

I noticed a weird ping behaviour, that got more weird when I dug deeper, like in a weird fantasy dream. Just on 1 box, I didn't try any more.

ping to ipv4 works as user and as root.

ping to ipv6 works as root, but not as user. strace at one point says
Code:
sendto(3, 0x55615881c440, 64, 0, 0x7fff33e31f14, 28) = -1 EINVAL (Invalid argument)
recvmsg(3, 0x7fff33e2e7b8, MSG_DONTWAIT|MSG_ERRQUEUE) = -1 EAGAIN (Resource temporarily unavailable)


ping is:
Code:
# which ping
/bin/ping
# ll /bin/ping
-rws--x--x 1 root root 69024 Oct 23 22:26 /bin/ping


As user, it is also /bin/ping, but I retried with full path anyway ... still doesn't work as user.

Now note the setuid!

Anyway, I did some sysctl -a|grep ping and grep echo, and came up with "net.ipv4.ping_group_range=100 100". My user is not in group 100, but in group 1000. This does not matter at all.

Instead, no matter what I set ping_group_range to, the user can never ping to ipv6. If I set it to "1 1100" or "0 2000" or something like that, even root can no longer ping ipv6. However, ping to ipv4 is unaffected. I settled with "100 2000". This way, root can still ping, as it should be, user can't ping ipv6, which is weird in many ways, note also the setuid.

kernel version is 5.14.10, I don't use selinux or other big LSMs. nft is in use, but it filters a different interface. The ipv6 target address is link-local.

What could be going on there? No big deal, but maybe a fun riddle or a joke.




-----------------------------------------------------------------
Edit, I solved part of the riddle.

The target address is reachable via enp2s0. If I add %enp2s0, user can ping too. If I add %enp1s0, both user and root can't ping, as it should be, because the target is not on that interface.

So it turns out the ping itself works. But root can figure out which interface to use, user cannot. Even as /bin/ping is setuid-root.

Still a riddle.
alamahant (Advocate; joined 23 Mar 2019; posts: 3879)
Posted: Thu Nov 25, 2021 12:20 am

Maybe use
Code:

/bin/ping6

instead of ping.
_________________
:)
mike155 (Advocate; joined 17 Sep 2010; posts: 4438; location: Frankfurt, Germany)
Posted: Thu Nov 25, 2021 12:45 am

alamahant wrote:
Maybe use /bin/ping6 instead of ping.

Won't help, because:
Code:
$ ls -la /bin/ping*
-rwx--x--x 1 root root 77328 21. Okt 04:12 /bin/ping
lrwxrwxrwx 1 root root     4 21. Okt 04:12 /bin/ping4 -> ping
lrwxrwxrwx 1 root root     4 21. Okt 04:12 /bin/ping6 -> ping

@jamapii: ping must be installed either with the suid permission bit or it must have the CAP_NET_RAW capability.
Code:
$ getcap /bin/ping
/bin/ping cap_net_raw=ep

On my machine, as root...
Code:
# ping ::1
PING ::1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.048 ms
64 bytes from ::1: icmp_seq=2 ttl=64 time=0.044 ms

... and as user:
Code:
$ ping ::1
PING ::1(::1) 56 data bytes
64 Bytes von ::1: icmp_seq=1 ttl=64 Zeit=0.053 ms
64 Bytes von ::1: icmp_seq=2 ttl=64 Zeit=0.035 ms

works as expected...
jamapii (l33t; joined 16 Sep 2004; posts: 637)
Posted: Thu Nov 25, 2021 8:08 am

mike155 wrote:
@jamapii: ping must be installed either with the suid permission bit or it must have the CAP_NET_RAW capability.

Mine is -rws--x--x. Didn't check for capabilities.

Even with just suid, this difference between user and root shouldn't exist, or so I think.

For me, also ping6 is a link to ping. And /bin/ping does the exact same thing as ping.

I don't see this behaviour on any other box, _but_ I don't have one at hand to replicate it. Because to replicate it, I need multiple interfaces and link-layer ipv6 on each of them. Because the problem has already been narrowed down. Not the ping itself is the problem, but automatically determining the interface is. (see the end of the 1st post)

Still, there is this other strange effect of net.ipv4.ping_group_range. If the lower bound just comes close to 0, root fails too. Regardless of the setting, user fails always.
mike155 (Advocate; joined 17 Sep 2010; posts: 4438; location: Frankfurt, Germany)
Posted: Thu Nov 25, 2021 5:46 pm    Post subject: Re: strange ping to ipv6 behaviour

jamapii wrote:
Edit, I solved part of the riddle.

The target address is reachable via enp2s0. If I add %enp2s0, user can ping too. If I add %enp1s0, both user and root can't ping, as it should be, because the target is not on that interface.

So it turns out the ping itself works. But root can figure out which interface to use, user cannot. Even as /bin/ping is setuid-root.

Still a riddle.

Well, you didn't tell us which IPv6 address you tried to ping.

Maybe it's just this: https://unix.stackexchange.com/questions/423534/how-do-i-get-the-pingable-ipv6-address-of-my-machine