regular users can't ping


Mike Wright

Sep 27, 2023, 3:02:52 PM
to lxc-users
Hi all,

I've installed mantic from the images repo multiple times and created multiple users, I've set lxc.apparmor.profile = unconfined, but nothing that I do will allow ordinary users to use "ping".

The error is

  ping: socktype: SOCK_RAW
  ping: socket: Operation not permitted
  ping: => missing cap_net_raw+p capability or setuid?

If I sudo I can do everything but not as an ordinary user. 

Is this a new security feature?  If so, why would ping be such a threat?

How do I give ordinary users these capabilities?

Thanks for any help,
Mike Wright 

Mike Wright

Sep 27, 2023, 3:48:15 PM
to lxc-users, Mike Wright
I've tracked this down.  It is a setting in sysctl.  For whatever reason it is set like this:

    net.ipv4.ping_group_range =  1      0

Changing to what most distros have:

    net.ipv4.ping_group_range = 0 2147483647

and ping is available again.

NB. This was from -d ubuntu -r mantic from the default images repository.

Narcis Garcia

Sep 28, 2023, 2:03:37 AM
to lxc-...@lists.linuxcontainers.org
How do I search for "ping_group_range" in documentation?
I want to know LXC version required too.

Thank you



--

Narcis Garcia

__________
I'm using this dedicated address because personal addresses aren't
masked enough at this mail public archive. Public archive administrator
should remove and omit any @, dot and mailto combinations against
automated addresses collectors.

Narcis Garcia

Sep 28, 2023, 12:05:48 PM
to LXC users SPM
On 28/9/23 at 16:25, Mike Wright wrote:
> On 9/27/23 23:03, Narcis Garcia wrote:
>> How do I search for "ping_group_range" in documentation?
>> I want to know LXC version required too.
>
>
> lxc is already the newest version (1:5.0.0~git2209-g5a7b9ce67-0ubuntu3)
>
> ping_group_range is a setting in sysctl.conf.
>
> I created "/etc/sysctl.d/50-default.conf" and placed the setting inside
> that.
>
> net.ipv4.ping_group_range = 0    2147483647
>
> It could just as well have been added directly to /etc/sysctl.conf
>
> Once added to the location of your choice run "sysctl -p" and to see all
> of the settings run "sysctl -a".  Pipe it through less: there are a lot
> of settings.
>
> Mike Wright

Thank you.
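
An added example, not part of any post in this thread: a shell check of how the kernel reads net.ipv4.ping_group_range, which permits an unprivileged ICMP echo socket when the caller's effective or a supplementary GID lies inside the inclusive range. It shows why "1 0" denies everyone and that a narrow range such as "1000 1000" grants ping to a single group instead of every GID. The function names and the sample GIDs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: evaluate a ping_group_range value against a list of GIDs.

# gid_in_ping_range "<low> <high>" gid [gid...]
# Returns 0 if any gid lies inside the inclusive range, 1 otherwise.
gid_in_ping_range() {
    pgr_value=$1; shift
    # Unquoted on purpose: split on spaces or tabs (/proc uses a tab).
    set -- $pgr_value "$@"
    pgr_low=$1; pgr_high=$2; shift 2
    # low > high, as in "1 0", is an empty range: no group qualifies.
    [ "$pgr_low" -le "$pgr_high" ] || return 1
    for pgr_gid in "$@"; do
        if [ "$pgr_gid" -ge "$pgr_low" ] && [ "$pgr_gid" -le "$pgr_high" ]; then
            return 0
        fi
    done
    return 1
}

# Report the live setting for the invoking user (Linux only).
report_current_user() {
    proc_file=/proc/sys/net/ipv4/ping_group_range
    [ -r "$proc_file" ] || { echo "cannot read $proc_file"; return 2; }
    current=$(cat "$proc_file")
    # id -G lists the effective and supplementary GIDs of this user.
    if gid_in_ping_range "$current" $(id -G); then
        echo "range '$current': ping socket allowed for $(id -un)"
    else
        echo "range '$current': denied; ping needs cap_net_raw or setuid"
    fi
}

# Constructed checks: the two values quoted in the thread, plus one narrower
# range. GIDs 1000 and 33 are constructed sample values.
gid_in_ping_range "1      0" 1000 || echo "'1 0': GID 1000 denied"
gid_in_ping_range "0 2147483647" 1000 && echo "'0 2147483647': GID 1000 allowed"
gid_in_ping_range "1000 1000" 33 || echo "'1000 1000': GID 33 denied"
gid_in_ping_range "1000 1000" 33 1000 && echo "'1000 1000': member of 1000 allowed"
report_current_user || true
```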