No ping from non root user in Debian Buster LXC

ulvida

Member
Feb 11, 2020
8
6
23
59
When installing a Debian 10 container in a Proxmox VE 6.1 (with the nested option needed), I have no ping from any non root user in the container:
Bash:
ulvida@anacahuita:~$ ping che
ping: socket: Operación no permitida
This problem was indirectly addressed in this forum thread (which is tagged as solved, and that's why I'm opening a new one). However, AMHO, it was quite misinterpreted (I think it is an OS problem, not an Apache one, as it happens for any non-pribilegied user, not only www-data) and can have better solutions.

Consulting several sources, particularly this forum post, to solve that recent linux distribution do no longer use the setuid bit (which provoques ping to be executed as the program's owner, root, an not the user who runs the command), but kernel capabilities. In a Debian or an Ubuntu installed from official ISOs, when I run getcap /bin/ping, it returns: /bin/ping = cap_net_raw+ep. Which is not the case with PVE LXC Debian Buster templates.

It's easy to solve. You just have to run as root:
Bash:
setcap cap_net_raw+ep /bin/ping
Or, more elegant, re-install iputils-ping package.

Ping is clearly a basic network tool that should be available for all linux users, which is the case in usual linux distros.

This forum post just to contribute for other users, and to insist that PVE Staff Member take it into account in templates' configuration.
 
Last edited:
Hi,

from the manpage
Code:
SECURITY
       ping requires CAP_NET_RAW capability to be executed 1) if the program is used for non-echo queries (See -N option), or 2) if kernel does not
       support non-raw ICMP sockets, or 3) if the user is not allowed to create an ICMP echo socket. The program may be used as set-uid root.
 
Thanks for your answer.

from the manpage

Yes ping's manpage documents that it requires this capability.

But why the capability is not set for non root users of proxmox debian templates while it is in a standard debian installation? I understand that these templates should have a behaviour as near as possible from a standard template. And here it is possible: jist run a re-install of iputils-ping package.
 
  • Like
Reactions: Colin 't Hart
Hi

on my containers I just reinstall all packages containing setcap command and be already installed by the image.

That works in any way - hope useful for others too.

Here is a command which look at all installed packages and reinstall those ...

Bash:
cd /var/lib/dpkg/info/ && apt install --reinstall $(grep -l 'setcap' * | sed -e 's/\.[^.]*$//g' | sort --unique)
 
Yep, have the same issue, Tom's one-liner is a brilliant and fast fix. Thanks!
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!