gliderlabs/docker-alpine

ping: permission denied (are you root?) flooding y

pedroricardo opened this issue · 5 comments

I don't know if this is a bug but today I got a weird result that can be easily reproduced.

I created a container with --cap-drop=ALL from the image 10.16.3-alpine.
Soon after, I accessed the container terminal with the command:
docker exec -ti CONTAINER_ID /bin/sh and ran a basic command:
ping www.google.com
I got the result:
ping: permission denied (are you root?)
Out of curiosity I tried
ping www.google.com && yes or ping www.google.com; yes
and I received an absurd flood of the letter y without stopping on my console. I had to restart my machine to get out of the infinite loop.

I believe that if this has no connection to the alpine image or cannot be resolved, the phrase "(are you root?)" should be removed.

It means that either you don't have permission to run it or it won't allow you to run it as root. The reason it's repeatedly printing y is that, by trying to respond literally to the command, it looks like it's passing y into a bunch of pings, or some weird thing like that. Pretty sure, since you're responding with yes, the ping binary is refusing to run as root.

Actually: https://stackoverflow.com/questions/49302556/why-ping-does-work-from-user-but-does-not-work-as-root-why-root-cannot-load-ex

However, you might have inadvertently found a hilarious bug, but not a docker-alpine bug. Probably busybox... or maybe GNU? Not sure what version of ping is on alpine.

hi,
based on the alpine shell output:

/ # ls -la /bin/ping
lrwxrwxrwx    1 root     root            12 Jun 19  2019 /bin/ping -> /bin/busybox

ping (in alpine) is ported from busybox, and in the original source code here, it just terminates by calling the syscall exit_group(1) after outputting the error msg "ping: permission denied (are you root?)".

As an Alpine Linux distro it also applies some patches (fixes or enhancements); supposing alpine-3.10, the patched busybox details are here, the corresponding tar was found here; untar it, and the ping patch is located at:
aports-*/main/busybox/0006-ping-make-ping-work-without-root-privileges.patch
This patch added another ICMP method using the datagram socket type (SOCK_DGRAM), besides the raw socket type (SOCK_RAW) in the original busybox implementation.

Basically ping (ICMP) needs the CAP_NET_RAW capability; on the alpine docker container with none of the capabilities ('--cap-drop=ALL'), both types of sockets (SOCK_RAW, SOCK_DGRAM) fail to be created, see the strace snippets below:

//1. the original busybox implements (SOCK_RAW)
socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)

//2. the patched enhancement (SOCK_DGRAM)
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = -1 EACCES (Permission denied)

//output that error and terminated
write(2, "ping: permission denied (are you root?)\n", 40) = 40 <0.000209>
exit_group(1)     = ?
+++ exited with 1 +++

As the code and the strace debugging above show, it didn't accept the input character 'y', so the command 'yes' just output 'y' repeatedly.

thanks

#1. Don't run ping as root. I already replied with the reason for that.

It needs the CAP_NET_RAW capability, regardless of root or not.

The socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) socket doesn't require cap_net_raw or root; it just requires the net.ipv4.ping_group_range kernel setting to include a group id which your user is in.
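A small diagnostic added here as an example (not code from busybox, Alpine or this issue) that repeats the two socket() calls shown in the strace above and reports which fix each failure points at: restoring CAP_NET_RAW for the raw path, or setting net.ipv4.ping_group_range for the unprivileged datagram path described in the last comment. The function names (probe_icmp_socket, explain) are my own; it assumes a Linux kernel with IPPROTO_ICMP datagram socket support.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of one ICMP socket attempt, mirroring the two strace lines in the thread. */
enum probe_result { PROBE_OK = 0, PROBE_EPERM = 1, PROBE_EACCES = 2, PROBE_OTHER = 3 };

/* Try to open an IPv4 ICMP socket of the given type (SOCK_RAW or SOCK_DGRAM)
 * and classify the result; the descriptor is closed immediately on success. */
enum probe_result probe_icmp_socket(int type)
{
    int fd = socket(AF_INET, type, IPPROTO_ICMP);
    if (fd >= 0) {
        close(fd);
        return PROBE_OK;
    }
    switch (errno) {
    case EPERM:  return PROBE_EPERM;   /* raw socket: CAP_NET_RAW missing */
    case EACCES: return PROBE_EACCES;  /* dgram socket: gid outside ping_group_range */
    default:     return PROBE_OTHER;
    }
}

/* Map a probe result to the remediation a container operator would apply (hypothetical helper). */
const char *explain(int type, enum probe_result r)
{
    if (r == PROBE_OK)
        return "socket created: ping would work on this path";
    if (type == SOCK_RAW && r == PROBE_EPERM)
        return "EPERM: raw ICMP needs CAP_NET_RAW (dropped by --cap-drop=ALL)";
    if (type == SOCK_DGRAM && r == PROBE_EACCES)
        return "EACCES: unprivileged ICMP needs net.ipv4.ping_group_range to cover your gid";
    return "unexpected error: check errno and kernel ICMP socket support";
}

int main(void)
{
    /* Same order as the strace in the thread: raw socket first, then datagram. */
    int types[2] = { SOCK_RAW, SOCK_DGRAM };
    const char *names[2] = { "SOCK_RAW", "SOCK_DGRAM" };
    for (int i = 0; i < 2; i++) {
        enum probe_result r = probe_icmp_socket(types[i]);
        printf("socket(AF_INET, %s, IPPROTO_ICMP): %s\n", names[i], explain(types[i], r));
    }
    return 0;
}
```

Run it inside the --cap-drop=ALL container and again after --cap-add=NET_RAW (or after widening ping_group_range on the host) to see which path ping would take.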